Problem
Script Example
<?php
// define constants
define('DB_HOST', '1.1.1.1');
define('DB_USER', 'usr');
define('DB_PASS', 'pw');
define('DB_NAME', 'db');
define('DB_PORT', '5432');
// connection string with SSL certificate files
$conn_str = 'host=' . DB_HOST . ' ';
$conn_str .= 'port=' . DB_PORT . ' ';
$conn_str .= 'dbname=' . DB_NAME . ' ';
$conn_str .= 'user=' . DB_USER . ' ';
$conn_str .= 'password=' . DB_PASS . ' ';
$conn_str .= 'sslmode=verify-full ';
$conn_str .= 'sslcert=etc/apache/ssl/postgresql.crt ';
$conn_str .= 'sslkey=etc/apache/ssl/postgresql.key ';
$conn_str .= 'sslrootcert=etc/apache/ssl/root.key ';
// attempt connection
$conn = pg_connect($conn_str) or die('Cannot connect to database.');
// set sql string
$sql = 'SELECT * FROM locations;';
// query and iterate results
if($result = pg_query($conn, $sql))
while($row=pg_fetch_row($result)) {
var_dump($row);
}
// close it up
pg_close();
?>
I am able to connect to an external SSL Postgres Database using xampp and PHP, but when I try it on my debian linux server, I am unable to establish a connection.
I suspect it is a pathing issue or permissions. I placed my certs in /var/www/html and /etc/ssl but neither paths on my production server work. In xampp, I just specify c:/xampp/htdocs/certs.key/.crt and they work fine.
What could be causing the issue on my production server?
Solution (Partial)
Since pg_last_error() and pg_errormessage() do not return errors for connection attempts, I had to create a custom exception handler. I attached the custom exception handler and finally got the error:
"pg_connect(): Unable to connect to PostgreSQL server: private key file "/etc/apache2/ssl/postgresql.key" has group or world access; permissions should be u=rw (0600) or less"
Next I attempted to CHMOD the key/crt
sudo chmod 0600 /etc/apache2/ssl/postgresql.crt
sudo chmod 0600 /etc/apache2/ssl/postgresql.key
This gave me the error
pg_connect(): Unable to connect to PostgreSQL server: could not read certificate file "/etc/apache2/ssl/postgresql.crt": Permission denied
I used the linux command 'ls -la', I noticed I was the owner, so I chown'd.
chown root:root /etc/apache2/ssl/postgresql.crt
chown root:root /etc/apache2/ssl/postgresql.key
Ok that didn't work, I added in my PHP script
echo exec('whoami');
That outputted 'www-data', OK so I entered
sudo chown -R www-data:www-data /etc/ssl/
chmod 700 /etc/ssl/
Finally it worked! Not sure about the safety of this, but this is my temporary solution.
Final Script
<?php
// Create a custom exception error handler for pg_connect
function exception_error_handler($errno, $errstr, $errfile, $errline ) {
throw new ErrorException($errstr, $errno, 0, $errfile, $errline);
}
// Set the error handler
set_error_handler("exception_error_handler");
// Force output of all errors
error_reporting(E_ALL);
// Define constants
define('DB_HOST', '1.1.1.1');
define('DB_USER', 'USR');
define('DB_PASS', 'PW');
define('DB_NAME', 'DB');
define('DB_PORT', '5432');
// Connection string with SSL certificate files
$conn_str = 'host=' . DB_HOST . ' ';
$conn_str .= 'port=' . DB_PORT . ' ';
$conn_str .= 'dbname=' . DB_NAME . ' ';
$conn_str .= 'user=' . DB_USER . ' ';
$conn_str .= 'password=' . DB_PASS . ' ';
$conn_str .= 'sslmode=require ';
$conn_str .= 'sslcert=/etc/apache2/ssl/postgresql.crt ';
$conn_str .= 'sslkey=/etc/apache2/ssl/postgresql.key ';
// Try catch block grabbing stored exception
try {
echo "Attempting pg_connect: " . $conn_str . "<br>";
$conn=@pg_connect($conn_str);
} catch (Exception $e) {
echo $e->getMessage();
}
// Attempt Connection
$conn = pg_connect($conn_str) or die('Cannot connect to database.');
// Set SQL String
$sql = 'SELECT * FROM locations';
// Attempt query and iterate results
if(result = pg_query($conn, $sql))
while($row=pg_fetch_row($result)) {
var_dump($row);
}
// Close it up
pg_close();
?>