Bug ID 930665: Services connecting to postgresql

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IQ System User Interface (all modules)

Known Affected Versions:
7.1.0

Fixed In:
7.1.0.1

Opened: Jul 24, 2020

Severity: 3-Major

Symptoms

If postgresql is not properly configured to allow SSL connections, services (such as tokumond) fail to connect to postgresql and an error similar to the following is logged in /var/log/tokumon/current:

2020-07-07_08:25:04.37666 [ERROR] postgresql: Failed connecting to dbConnectUrl:postgres://postgres_replication@[localhost]:<REDACTED>postgres://postgres_replication@[localhost]:5432/bigiq_db - Error: The server does not support SSL connections

Impact

Services are not able to connect to postgres. Setup and bootstrap are unable to complete successfully.

Conditions

This occurs when the postgresql config file at /var/lib/pgsql/data/postgresql.conf has the default SSL settings, instead of "ssl = on". This can happen if the postgresql configuration gets reset to defaults after being configured for SSL connections. Because the SSL certificate and key files exist under /var/lib/pgsql/config, the modifications to the configuration file are assumed to already be complete and are not re-applied.
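The condition above can be checked by comparing the effective ssl setting in the configuration file with the presence of files in the certificate directory. This shell check is an added example, not F5 code; the function names are hypothetical, it assumes any regular file in the certificate directory counts (the page does not name the files), and it does not follow include directives.

```shell
# Added example (not F5 code). Default paths are the two named in this bug report.
PG_CONF="${PG_CONF:-/var/lib/pgsql/data/postgresql.conf}"
PG_CERT_DIR="${PG_CERT_DIR:-/var/lib/pgsql/config}"

# Print the effective "ssl" value (on/off) of a postgresql.conf-style file.
# Comments are ignored, the last assignment wins, and the PostgreSQL default
# (off) applies when the parameter is absent. Include directives are not followed.
effective_ssl() {
    val=$(sed 's/#.*$//' "$1" 2>/dev/null | awk -v q="'" '
        { line = tolower($0) }
        # "ssl" followed by "=" or whitespace, so ssl_cert_file etc. do not match
        match(line, /^[ \t]*ssl([ \t]*=[ \t]*|[ \t]+)/) {
            v = substr(line, RSTART + RLENGTH)
            gsub("[ \t" q "]", "", v)      # drop whitespace and single quotes
            last = v
        }
        END { print last }')
    case "$val" in
        on|true|tru|tr|t|yes|ye|y|1) echo on ;;   # boolean spellings PostgreSQL accepts
        *) echo off ;;
    esac
}

# Classify: ssl-on | stale-certs (this bug's condition: files in the certificate
# directory but config not in SSL mode) | not-configured.
# Assumption: any regular file counts; the page does not name the cert/key files.
pg_ssl_state() {
    conf="${1:-$PG_CONF}"; certs="${2:-$PG_CERT_DIR}"
    if [ "$(effective_ssl "$conf")" = on ]; then
        echo ssl-on
    elif [ -n "$(find "$certs" -type f 2>/dev/null | head -n 1)" ]; then
        echo stale-certs
    else
        echo not-configured
    fi
}

# Constructed sample: a config reset to defaults beside a leftover certificate file.
demo_reset_config() {
    d=$(mktemp -d) && mkdir "$d/config"
    printf '%s\n' "#ssl = off" "#ssl_cert_file = 'server.crt'" > "$d/postgresql.conf"
    : > "$d/config/placeholder.crt"          # constructed file name
    pg_ssl_state "$d/postgresql.conf" "$d/config"
    rm -rf "$d"
}
demo_reset_config
```

Calling pg_ssl_state with no arguments checks the two paths named on this page; a result of stale-certs matches the state in which 7.1.0 skips re-applying the SSL configuration.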

Workaround

Run the following command to force re-configuration of postgresql, replacing <DISCOVERY_ADDRESS> with your BIG-IQ's discovery IP address:

# ha_generate_certs --force <DISCOVERY_ADDRESS>

Fix Information

Reconfiguring postgresql for SSL mode no longer depends on the absence of the SSL certificate and key files. Instead, the configuration will be updated to SSL mode (if it isn't already in SSL mode) any time ha_generate_certs runs. Since ha_generate_certs runs on bootstrap (on default service startup or on completion of the setup wizard), a misconfiguration will be automatically repaired by running the setup wizard or by restarting services with "bigstart restart".
