SonarQube: How to connect to SSL enabled Google Cloud Postgresql server

Question

I have set up a SonarQube and configured SSL certificates to make the URL always HTTPS using CertBot. As of now, the PostgreSQL database has a public IP and below are the values changed in sonar.properties file:

sonar.jdbc.username=weakusername
sonar.jdbc.password=strongpassword
sonar.web.host=127.0.0.1
sonar.jdbc.url=jdbc:postgresql://xx.xxx.xxx.xxx/sonarqube

sonar.search.javaOpts=-Xms512m  -Xmx512m

# Change max limits
sysctl -w vm.max_map_count=262144

I am using Cloud SQL PostGres as the database. I would like to allow Only SSL Only Connections to the database and here the way how to do it, generate client certificate, etc.

After setting "Allow only SSL Connections" to true I understand there is a way to connect to the database using the client certificate described here.

Below is the command to start the psql client:

psql "sslmode=verify-ca sslrootcert=server-ca.pem \
      sslcert=client-cert.pem sslkey=client-key.pem \
      hostaddr=[INSTANCE_IP] \
      user=postgres dbname=[DB_NAME]"

However, SonarQube is not able to connect to the Database (Not sure how to tell SonarQube to use the client certificates). What changes are required in the configuration file to make SonarQube use appropriate client certificate and connect to the database using SSL?

Answer 1

Convert client key format from PEM to PK8:

openssl pkcs8 -topk8 -inform PEM -outform DER -in client-key.pem -out client-key.pk8 -nocrypt

Be sure to update the value for the sslkey query param in sonar.jdbc.url with the new path/filename.

Answer 2

You should add the following to the URL:

jdbc:postgresql://xx.xxx.xxx.xxx/sonarqube?ssl=true&sslmode=verify-ca&sslrootcert=/path/to/server-ca.pem&sslkey=/path/to/client-key.pem&sslcert=/path/to/client-cert.pem

See the documentation for the available SSL connection parameters and SSL client configuration.