Hi,
I have a pmm3.1 server that monitors a couple of Azure Flexible Server for PostgreSQL instances. Looking at the ‘PostgreSQL Instance Summary’ dashboard I can see live data, but opening the service-summary pane (that runs the ‘pt-pg-summary’ command) shows the classic pg_hba error.
Connecting to the pmm container, I can run the command
/usr/local/percona/pmm/tools/pt-pg-summary -h databasename.postgres.database.azure.com -U pmm
and receive the error:
Cannot connect to the database: cannot connect to the database: pq: no pg_hba.conf entry for host "pmm-server-ip", user "pmm", database "postgres", no encryption\n
Running the command
psql -h databasename.postgres.database.azure.com -U pmm -d postgres
instead, I can connect from the same container. Connection info:
psql (14.17 - Percona Distribution) - SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
Can it be something related to SSL?
Hello @yngmntr
Can you share the pmm user entry in the pg_hba.conf file, to check if it’s using SSL? (Do not share the IP/hostname.)
Also review this:
TLS/SSL is enforced on the server by default. So please download the certificate needed to communicate over SSL with your Azure Database. It can be done on Networking tab for your Azure Database instance.
Also, the enforced TLS/SSL connection option can be disabled on the server side.
Hi, thanks for the feedback,
> Can you share the pmm user entry in the pg_hba.conf file, to check if it’s using SSL? (Do not share the IP/hostname.)

Unfortunately I cannot export or in any way edit the pg_hba file from Azure PostgreSQL Flexible Server.
> TLS/SSL is enforced on the server by default. So please download the certificate needed to communicate over SSL with your Azure Database. It can be done on Networking tab for your Azure Database instance.
> Also, the enforced TLS/SSL connection option can be disabled on the server side.

Going to the ‘networking’ tab of the Azure PostgreSQL Flexible Server, it shows me the following, and clicking on the ‘Download SSL Certificates’ button links me to this Microsoft docs page.
The Microsoft docs indicate what certificates should be installed on the machine, and checking in the pmm3.1 container with the command
openssl crl2pkcs7 -nocrl -certfile /etc/ssl/certs/ca-bundle.crt | openssl pkcs7 -print_certs -noout
I can see that they are present.
Thanks.