Thread: iso-8859-1 postgres ssl error "could not accept SSL connection: Success" and timeout

iso-8859-1 postgres ssl error "could not accept SSL connection: Success" and timeout

From
Sergey Cherevko
Date:
I already sent this to the general list; maybe I need to post in admin

Ubuntu 18.04.6 LTS (GNU/Linux 4.15.0-167-generic x86_64)

OpenSSL 1.1.1 11 Sep 2018

Sometimes I see this in postgres logs

Found some similar threads, but not sure

https://github.com/modoboa/modoboa/issues/1702

https://postgrespro.com/list/thread-id/2585389

How can I debug this?

2023-02-22 00:43:38.570 MSK [27636] [unknown]@[unknown] LOG:  could not accept SSL connection: Success
2023-02-22 00:43:38.570 MSK [27631] [unknown]@[unknown] LOG:  could not accept SSL connection: Success
2023-02-22 00:43:38.570 MSK [27639] [unknown]@[unknown] LOG:  could not accept SSL connection: Success
2023-02-22 00:43:38.570 MSK [27642] [unknown]@[unknown] LOG:  could not accept SSL connection: Success
2023-02-22 00:43:38.570 MSK [27643] [unknown]@[unknown] LOG:  could not accept SSL connection: Success
2023-02-22 00:43:38.570 MSK [27627] [unknown]@[unknown] LOG:  could not accept SSL connection: Connection reset by peer
CRITICAL
PDOException
SQLSTATE[08006] [7] timeout expired
PDOException
/var/log/web/hub2.log
Feb 21, 2023 @ 23:43:38.001
CRITICAL
PDOException
SQLSTATE[08006] [7] timeout expired
PDOException
/var/log/web/hub2.log
Feb 21, 2023 @ 23:43:38.001
CRITICAL
PDOException
SQLSTATE[08006] [7] timeout expired
PDOException
/var/log/web/hub2.log

Here is my postgres config

cat /etc/postgresql/12/main/postgresql.conf

data_directory = '/var/lib/postgresql/12/main'
hba_file = '/etc/postgresql/12/main/pg_hba.conf'
ident_file = '/etc/postgresql/12/main/pg_ident.conf'
external_pid_file = '/var/run/postgresql/12-main.pid'

listen_addresses = '*'
port = 5432
max_connections = 10000
unix_socket_directories = '/var/run/postgresql'
ssl = on
ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'

shared_buffers = 4GB
temp_buffers = 8MB
work_mem = 128MB
maintenance_work_mem = 128MB
dynamic_shared_memory_type = posix

bgwriter_lru_maxpages = 0
effective_io_concurrency = 3

wal_level = hot_standby

checkpoint_completion_target = 0.9

archive_mode = on
archive_command = '/bin/true'
archive_timeout = 300

max_standby_archive_delay = 21600
max_standby_streaming_delay = 21600


Should I update my OpenSSL to see the real error? How can I do that if I use Ubuntu 18.04?

Re: iso-8859-1 postgres ssl error "could not accept SSL connection: Success" and timeout

From
Holger Jakobs
Date:
On 03.05.23 at 15:55, Sergey Cherevko wrote:
> I already sent this to the general list; maybe I need to post in admin
>
> Ubuntu 18.04.6 LTS (GNU/Linux 4.15.0-167-generic x86_64)
>
> OpenSSL 1.1.1 11 Sep 2018
>
> Sometimes I see this in postgres logs
>
> Found some similar threads, but not sure
>
> https://github.com/modoboa/modoboa/issues/1702
>
> https://postgrespro.com/list/thread-id/2585389
>
> How can I debug this?
>
> 2023-02-22 00:43:38.570 MSK [27636] [unknown]@[unknown] LOG:  could not accept SSL connection: Success
> 2023-02-22 00:43:38.570 MSK [27631] [unknown]@[unknown] LOG:  could not accept SSL connection: Success
> 2023-02-22 00:43:38.570 MSK [27639] [unknown]@[unknown] LOG:  could not accept SSL connection: Success
> 2023-02-22 00:43:38.570 MSK [27642] [unknown]@[unknown] LOG:  could not accept SSL connection: Success
> 2023-02-22 00:43:38.570 MSK [27643] [unknown]@[unknown] LOG:  could not accept SSL connection: Success
> 2023-02-22 00:43:38.570 MSK [27627] [unknown]@[unknown] LOG:  could not accept SSL connection: Connection reset by peer
> CRITICAL
> PDOException
> SQLSTATE[08006] [7] timeout expired
> PDOException
> /var/log/web/hub2.log
> Feb 21, 2023 @ 23:43:38.001
> CRITICAL
> PDOException
> SQLSTATE[08006] [7] timeout expired
> PDOException
> /var/log/web/hub2.log
> Feb 21, 2023 @ 23:43:38.001
> CRITICAL
> PDOException
> SQLSTATE[08006] [7] timeout expired
> PDOException
> /var/log/web/hub2.log
>
> Here is my postgres config
>
> cat /etc/postgresql/12/main/postgresql.conf
>
> data_directory = '/var/lib/postgresql/12/main'
> hba_file = '/etc/postgresql/12/main/pg_hba.conf'
> ident_file = '/etc/postgresql/12/main/pg_ident.conf'
> external_pid_file = '/var/run/postgresql/12-main.pid'
>
> listen_addresses = '*'
> port = 5432
> max_connections = 10000
> unix_socket_directories = '/var/run/postgresql'
> ssl = on
> ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
> ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'
>
> shared_buffers = 4GB
> temp_buffers = 8MB
> work_mem = 128MB
> maintenance_work_mem = 128MB
> dynamic_shared_memory_type = posix
>
> bgwriter_lru_maxpages = 0
> effective_io_concurrency = 3
>
> wal_level = hot_standby
>
> checkpoint_completion_target = 0.9
>
> archive_mode = on
> archive_command = '/bin/true'
> archive_timeout = 300
>
> max_standby_archive_delay = 21600
> max_standby_streaming_delay = 21600
>
> Should I update my OpenSSL to see the real error? How can I do that if I use Ubuntu 18.04?

I am not sure what causes the problem, but some hints anyway:

> max_connections = 10000

seems very high to me. In case you really have so many clients, consider using a connection pooler.

> archive_mode = on
> archive_command = '/bin/true'
> archive_timeout = 300

This is awkward. If you want archiving, use a command which does archiving, not /bin/true, which does nothing. Otherwise, turn archiving off and leave archive_command empty.

Kind Regards,

Holger


-- 
Holger Jakobs, Bergisch Gladbach, Tel. +49-178-9759012

Re: iso-8859-1 postgres ssl error "could not accept SSL connection: Success" and timeout

From
Rui DeSousa
Date:


On May 4, 2023, at 4:16 AM, Holger Jakobs <holger@jakobs.com> wrote:

> > archive_mode = on
> > archive_command = '/bin/true'
> > archive_timeout = 300
>
> This is awkward. If you want archiving, use a command which does archiving, not /bin/true, which does nothing. Otherwise, turn archiving off and leave archive_command empty.

That is exactly how I set up a system that has archive_mode turned off. I never set archive_mode to off, as it is very likely that I want to enable it in the future. Using “true” instead of off allows the option of enabling/disabling archiving without having to bounce the instance, which requires scheduling downtime that is very difficult to get.

Re: iso-8859-1 postgres ssl error "could not accept SSL connection: Success" and timeout

From
Rui DeSousa
Date:


On May 4, 2023, at 4:16 AM, Holger Jakobs <holger@jakobs.com> wrote:


> > shared_buffers = 4GB
> > temp_buffers = 8MB
> > work_mem = 128MB
> > maintenance_work_mem = 128MB
> > dynamic_shared_memory_type = posix
> > bgwriter_lru_maxpages = 0
> > effective_io_concurrency = 3
> > wal_level = hot_standby
> > checkpoint_completion_target = 0.9
> > archive_mode = on
> > archive_command = '/bin/true'
> > archive_timeout = 300
> > max_standby_archive_delay = 21600
> > max_standby_streaming_delay = 21600
> >
> > Should I update my OpenSSL to see the real error? How can I do that if I use Ubuntu 18.04?
>
> I am not sure what causes the problem, but some hints anyway:
>
> > max_connections = 10000
>
> seems very high to me. In case you really have so many clients, consider using a connection pooler.


I would agree 10k connections seems excessive, and the resource allocation doesn’t back up the use of that many connections. I would assume lots of database stalls and memory contention for the shared buffer pool with only 4GB and anything approaching even a few thousand connections, let alone 10k.
 

Re: iso-8859-1 postgres ssl error "could not accept SSL connection: Success" and timeout

From
Barjesh Vashist
Date:
Hi Sergey,

Please ensure the pg_hba.conf has enabled the SSL.
E.g.
hostssl  all  all  0.0.0.0/0  md5

On Wed, May 3, 2023 at 9:55 PM Sergey Cherevko <scherevko@scorewarrior.com> wrote:
> I already sent this to the general list; maybe I need to post in admin
>
> Ubuntu 18.04.6 LTS (GNU/Linux 4.15.0-167-generic x86_64)
>
> OpenSSL 1.1.1 11 Sep 2018
>
> Sometimes I see this in postgres logs
>
> Found some similar threads, but not sure
>
> https://github.com/modoboa/modoboa/issues/1702
>
> https://postgrespro.com/list/thread-id/2585389
>
> How can I debug this?
>
> 2023-02-22 00:43:38.570 MSK [27636] [unknown]@[unknown] LOG:  could not accept SSL connection: Success
> 2023-02-22 00:43:38.570 MSK [27631] [unknown]@[unknown] LOG:  could not accept SSL connection: Success
> 2023-02-22 00:43:38.570 MSK [27639] [unknown]@[unknown] LOG:  could not accept SSL connection: Success
> 2023-02-22 00:43:38.570 MSK [27642] [unknown]@[unknown] LOG:  could not accept SSL connection: Success
> 2023-02-22 00:43:38.570 MSK [27643] [unknown]@[unknown] LOG:  could not accept SSL connection: Success
> 2023-02-22 00:43:38.570 MSK [27627] [unknown]@[unknown] LOG:  could not accept SSL connection: Connection reset by peer
> CRITICAL
> PDOException
> SQLSTATE[08006] [7] timeout expired
> PDOException
> /var/log/web/hub2.log
> Feb 21, 2023 @ 23:43:38.001
> CRITICAL
> PDOException
> SQLSTATE[08006] [7] timeout expired
> PDOException
> /var/log/web/hub2.log
> Feb 21, 2023 @ 23:43:38.001
> CRITICAL
> PDOException
> SQLSTATE[08006] [7] timeout expired
> PDOException
> /var/log/web/hub2.log
>
> Here is my postgres config
>
> cat /etc/postgresql/12/main/postgresql.conf
>
> data_directory = '/var/lib/postgresql/12/main'
> hba_file = '/etc/postgresql/12/main/pg_hba.conf'
> ident_file = '/etc/postgresql/12/main/pg_ident.conf'
> external_pid_file = '/var/run/postgresql/12-main.pid'
>
> listen_addresses = '*'
> port = 5432
> max_connections = 10000
> unix_socket_directories = '/var/run/postgresql'
> ssl = on
> ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
> ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'
>
> shared_buffers = 4GB
> temp_buffers = 8MB
> work_mem = 128MB
> maintenance_work_mem = 128MB
> dynamic_shared_memory_type = posix
>
> bgwriter_lru_maxpages = 0
> effective_io_concurrency = 3
>
> wal_level = hot_standby
>
> checkpoint_completion_target = 0.9
>
> archive_mode = on
> archive_command = '/bin/true'
> archive_timeout = 300
>
> max_standby_archive_delay = 21600
> max_standby_streaming_delay = 21600
>
> Should I update my OpenSSL to see the real error? How can I do that if I use Ubuntu 18.04?

Re: iso-8859-1 postgres ssl error "could not accept SSL connection: Success" and timeout

From
Holger Jakobs
Date:
On 08.05.23 at 12:17, Barjesh Vashist wrote:
> Hi Sergey,
>
> Please ensure the pg_hba.conf has enabled the SSL.
> E.g.
> hostssl  all  all  0.0.0.0/0  md5

It's not necessary to use hostssl records, host records will do as well. In an SSL environment, hostssl makes sense, though. But it doesn't help in tracking down the problem.

But - if your version supports it - use scram-sha-256 and not md5.

And don't allow access to all databases by all users from any IP address.

For testing purposes this may be OK, but not in real life.

If pg_hba settings were the problem, they would show up clearly as such in the log, but that's obviously not the case.

Regards,

Holger

-- 
Holger Jakobs, Bergisch Gladbach, Tel. +49-178-9759012
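
The pg_hba.conf points raised in the replies above (scram-sha-256 instead of md5, no record that admits all users to all databases from any address, host versus hostssl) can be checked mechanically. The following Python check is an added example, not part of the thread; the sample file and the names parse_hba and audit_hba are constructed for illustration, and it assumes IPv4 netmask pairs only, with no quoted names or include directives.

```python
import ipaddress

# Constructed sample pg_hba.conf; line 2 is the record suggested in the thread.
SAMPLE_HBA = """\
# TYPE   DATABASE  USER     ADDRESS                 METHOD
hostssl  all       all      0.0.0.0/0               md5
host     appdb     appuser  10.0.0.0 255.255.255.0  scram-sha-256
hostssl  appdb     appuser  10.0.0.0/24             scram-sha-256
local    all       postgres                         peer
"""

WIDE_OPEN = {"0.0.0.0/0", "::/0", "all"}


def parse_hba(text):
    """Yield (lineno, type, database, user, address, method) for each record."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4:
            continue  # blank line, comment, or too short to be a record
        conn_type, database, user, rest = fields[0], fields[1], fields[2], fields[3:]
        address = None
        if conn_type != "local":
            address, rest = rest[0], rest[1:]
            if rest and "/" not in address:
                try:  # old-style "ADDRESS NETMASK" pair: fold into CIDR form
                    net = ipaddress.ip_network(f"{address}/{rest[0]}", strict=False)
                    address, rest = str(net), rest[1:]
                except ValueError:
                    pass  # hostname or keyword address; rest[0] is the method
        if rest:
            yield lineno, conn_type, database, user, address, rest[0]


def audit_hba(text):
    """Return (lineno, finding) pairs for the points raised in the thread."""
    findings = []
    for lineno, conn_type, database, user, address, method in parse_hba(text):
        if method == "md5":
            findings.append((lineno, "md5 auth: prefer scram-sha-256 if supported"))
        if database == "all" and user == "all" and address in WIDE_OPEN:
            findings.append((lineno, "all databases, all users, any address"))
        if conn_type == "host":
            findings.append((lineno, "host also matches non-SSL connections"))
    return findings
```

Running `audit_hba` on the real file (its path is the `hba_file` setting in postgresql.conf) lists each record that needs attention by line number.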