Help with PGBackRest Stanza Creation (Unable to Verify Certificate)

I can’t for the life of me get pgbackrest to create a stanza; I keep getting “Unable to verify certificate presented by…” errors. Can anyone help?

root@pgBackRest:/# sudo -iu postgres pgbackrest --stanza=cluster_1 stanza-create
2025-02-11 21:07:20.786 P00   WARN: unable to open log file '/var/log/pgbackrest/cluster_1-stanza-create.log': Permission denied
                                    NOTE: process will continue without log file.
2025-02-11 21:07:20.799 P00   INFO: stanza-create command begin 2.54.0: --exec-id=40369-51090cac --lock-path=/var/tmp/pgbackrest --log-level-console=info --log-level-file=off --pg1-host=node1 --pg2-host=node2 --pg3-host=node3 --pg1-host-ca-file=/etc/ssl/certs/pg_ha/ca.crt --pg2-host-ca-file=/etc/ssl/certs/pg_ha/ca.crt --pg3-host-ca-file=/etc/ssl/certs/pg_ha/ca.crt --pg1-host-cert-file=/etc/ssl/certs/pg_ha/pgBackRest.crt --pg2-host-cert-file=/etc/ssl/certs/pg_ha/pgBackRest.crt --pg3-host-cert-file=/etc/ssl/certs/pg_ha/pgBackRest.crt --pg1-host-key-file=/etc/ssl/certs/pg_ha/pgBackRest.key --pg2-host-key-file=/etc/ssl/certs/pg_ha/pgBackRest.key --pg3-host-key-file=/etc/ssl/certs/pg_ha/pgBackRest.key --pg1-host-port=8432 --pg2-host-port=8432 --pg3-host-port=8432 --pg1-host-type=tls --pg2-host-type=tls --pg3-host-type=tls --pg1-path=/var/lib/postgresql/17/main --pg2-path=/var/lib/postgresql/17/main --pg3-path=/var/lib/postgresql/17/main --pg1-port=5432 --pg2-port=5432 --pg3-port=5432 --pg1-socket-path=/var/run/postgresql --pg2-socket-path=/var/run/postgresql --pg3-socket-path=/var/run/postgresql --repo1-path=/var/lib/pgbackrest --no-repo1-storage-verify-tls --stanza=cluster_1
2025-02-11 21:07:20.839 P00   WARN: unable to check pg1: [CryptoError] unable to verify certificate presented by 'node1:8432 (10.25.0.97)': [7] certificate signature failure
2025-02-11 21:07:20.851 P00   WARN: unable to check pg2: [CryptoError] unable to verify certificate presented by 'node2:8432 (10.25.0.98)': [7] certificate signature failure
2025-02-11 21:07:20.864 P00   WARN: unable to check pg3: [CryptoError] unable to verify certificate presented by 'node3:8432 (10.25.0.99)': [7] certificate signature failure
2025-02-11 21:07:20.864 P00  ERROR: [056]: unable to find primary cluster - cannot proceed
                                    HINT: are all available clusters in recovery?
2025-02-11 21:07:20.864 P00   INFO: stanza-create command end: aborted with exception [056]

The certs are self-signed

Hello @Patrick1

1st, fix this permission issue.

WARN: unable to check pg1: [CryptoError] unable to verify certificate presented by … certificate signature failure

This is an issue with TLS certificates. Please create a new certificate as described here: pgBackRest setup - Percona Distribution for PostgreSQL

Review and follow all steps: pgBackRest setup - Percona Distribution for PostgreSQL

I fixed the log permission error and recreated the certificates, but I am still getting the same error.

Signed certs:

Can I skip TLS and use a cipher-pass instead? idk what the issue is, but it's just not accepting the certs.

Yes, you can.

Here is a simple sample configuration in /etc/pgbackrest.conf for taking backups to this backup mount point:

/etc/pgbackrest.conf

[global]
repo1-path=/home/postgres/archived/backup
repo1-retention-full=2

[pg0app]
pg1-path=/var/lib/pgsql/16/data
pg1-port=5432

WAL archiving

The archiving of WAL files is an essential part of any PostgreSQL backup strategy. For WAL archiving to work, the parameter archive_mode must be enabled. If that is not the case, the following command can be used - just note it is necessary to restart PostgreSQL for this change to take effect:

ALTER SYSTEM SET archive_mode=ON;

The complementary setting archive_command defines how the archiving process is done. It needs to be modified to use pgBackRest:

ALTER SYSTEM SET archive_command = 'pgbackrest --stanza=pg0app --log-level-stderr=info archive-push %p';

Reloading (or alternatively restarting) PostgreSQL will get these changes into effect:

SELECT pg_reload_conf();

Initialize the repository

Create pgBackRest stanza:

pgbackrest --stanza=pg0app --log-level-console=info stanza-create

Take a backup

pgbackrest --stanza=pg0app --log-level-console=info backup

Ok I managed to get the stanza created, but when I go to run a full backup:

Update since last post: I finally have a successful backup! However, I am receiving this warning about pg3 (“Unable to find hostname node3 in certificate common name or subject alternative name”):


I have tried to recreate the certificate with no success. Is it a setting I may have wrong somewhere? When I check the subject name of the cert, it does show me node3.
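
Added example, not part of any post in this thread: a shell check, using the openssl CLI, of the two things the warnings above report on, namely whether a server certificate verifies against the CA file and whether the host name appears in its common name or subject alternative name. The function names, the throwaway CAs and the node3 certificates are constructed for illustration; on a real host, point check_cert at the CA file and each node's server certificate.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). All names and certificates are constructed.

# check_cert CA_FILE CERT_FILE HOSTNAME
# Returns 0 if both checks pass, 1 on a chain failure, 2 on a host name mismatch.
check_cert() {
    ca_file=$1 cert_file=$2 host=$3
    # 1. Does the certificate verify against the CA file the client is given
    #    (the role of --pgN-host-ca-file in the log above)?
    if ! openssl verify -CAfile "$ca_file" "$cert_file" >/dev/null 2>&1; then
        echo "FAIL chain: $cert_file does not verify against $ca_file"
        return 1
    fi
    # 2. Is the host name in the certificate's common name or subject alternative name?
    if ! openssl x509 -in "$cert_file" -noout -checkhost "$host" | grep -q 'does match'; then
        echo "FAIL host: $host is not in the CN/SAN of $cert_file"
        return 2
    fi
    echo "OK: $cert_file verifies against $ca_file and matches $host"
}

# make_demo_pki DIR: constructed sample data. Two throwaway CAs with the same subject
# name, and a node3 certificate signed by each (good.crt by ca, stale.crt by other).
make_demo_pki() {
    dir=$1
    for name in ca other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
            -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
    done
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=node3" \
        -keyout "$dir/node3.key" -out "$dir/node3.csr" 2>/dev/null
    printf 'subjectAltName=DNS:node3\n' > "$dir/san.ext"
    openssl x509 -req -in "$dir/node3.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -extfile "$dir/san.ext" -out "$dir/good.crt" 2>/dev/null
    openssl x509 -req -in "$dir/node3.csr" -CA "$dir/other.crt" -CAkey "$dir/other.key" \
        -CAcreateserial -days 1 -extfile "$dir/san.ext" -out "$dir/stale.crt" 2>/dev/null
}

# Demo on the constructed data: one passing certificate, one signed by the wrong CA key,
# and one checked against a host name it does not carry.
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
check_cert "$demo_dir/ca.crt" "$demo_dir/good.crt"  node3 || true
check_cert "$demo_dir/ca.crt" "$demo_dir/stale.crt" node3 || true
check_cert "$demo_dir/ca.crt" "$demo_dir/good.crt"  node1 || true
rm -rf "$demo_dir"
```

The stale.crt case models a certificate issued by a CA that was later regenerated under the same subject name: the issuer name still matches, but the certificate no longer verifies against the CA file on disk.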

Hello @Patrick1
Use this method for backup config: Deploying backup and disaster recovery solution in Percona Distribution for PostgreSQL - Percona Distribution for PostgreSQL