Hi,


I've played a bit with Patroni, and my understanding is that you would have each node being a dedicated endpoint/client.

That would translate to one HTTP/service per node.

As far as I have seen, the host certificate has the client specs. The HTTP cert would not be usable as a client certificate. However, they need to be signed by the same authority. This would mean you can't use a dedicated sub-CA for the HTTP certificates.

Maybe it is possible to create PATRONI-API and PATRONI-CLIENT services with the specs you need and assign them to each node, but I don't know how, or whether it's possible at all.


On the certmonger side, you would need to add a post-renew script to change the ownership of the cert and key so they are readable by your Patroni user.


I didn't implement it, but when I looked into it, that was my conclusion.

I might be wrong, but I'm interested to know whether you manage to implement this.


Maybe you could consider the ACME provider of FreeIPA.


For the user cert, I'm not sure I can help.



On Friday, September 30, 2022 7:36:44 AM CEST Жарков Владислав via FreeIPA-users wrote:

Hi. I'm trying to use FreeIPA as a certificate authority. My goal is to issue certificates for the Patroni cluster nodes and the postgres user, and then use certmonger for their renewal. While issuing the certificates for hosts is a no-brainer, I'm having trouble with the postgres client certificate.

How would you recommend I approach my issue? I'm confused by the HTTP/service abstraction and think that for my case it's impossible, because I can't have multiple "postgres" services, or multiple postgres aliases (the idea is to use a postgres SAN name, but I'm not even sure auth will work). I also can't have just one postgres user, and therefore one certificate, for every database cluster.
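As an added illustration of the certmonger side mentioned in the reply above (the post-renew script that fixes ownership of the renewed cert and key), here is an example hook script. It is not code from either poster nor from the Patroni, certmonger or FreeIPA projects. It assumes: the per-node service principal is `HTTP/<fqdn>` and already exists in IPA with this host allowed to manage it; the cert and key are installed under `/etc/patroni/ssl/`; the Patroni OS user is `patroni`; the systemd unit is `patroni`; and the script itself is installed as `/usr/local/sbin/patroni-cert-hook`.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts or from
# the Patroni/certmonger/FreeIPA projects. It is a certmonger post-save hook
# (the command passed to `getcert request -C`), which certmonger runs as
# root after every issue or renewal, plus the request that registers it.
# All paths, the principal, the user and the unit name are assumptions.
set -eu

# Make a freshly written cert/key pair readable by the Patroni user.
# Usage: fix_cert_perms CERT KEY OWNER
# Returns 1 without touching anything if either file is missing, so a
# half-finished renewal never leaves a key behind with the wrong mode.
fix_cert_perms() {
  cert=$1; key=$2; owner=$3
  if [ ! -f "$cert" ] || [ ! -f "$key" ]; then
    echo "fix_cert_perms: missing $cert or $key" >&2
    return 1
  fi
  chown "$owner" "$cert" "$key"
  chmod 0644 "$cert"   # the certificate is public
  chmod 0600 "$key"    # the private key is owner-only
  return 0
}

# Ask Patroni to pick up the new files. Patroni reloads its configuration
# on SIGHUP (systemctl reload); whether your version re-reads the REST API
# TLS files on reload is an assumption here, so verify it or use restart.
reload_patroni() {
  unit=${1:-patroni}
  if command -v systemctl >/dev/null 2>&1; then
    systemctl reload "$unit"
  fi
}

# Request the node's server certificate from the FreeIPA CA and register
# this script as the post-save command. Assumed: the HTTP/<fqdn> service
# exists in IPA and this host may manage it; install paths as below.
request_node_cert() {
  fqdn=$1
  ipa-getcert request \
    -K "HTTP/$fqdn" \
    -D "$fqdn" \
    -f /etc/patroni/ssl/node.crt \
    -k /etc/patroni/ssl/node.key \
    -C "/usr/local/sbin/patroni-cert-hook /etc/patroni/ssl/node.crt /etc/patroni/ssl/node.key patroni"
}

# Entry point when installed as /usr/local/sbin/patroni-cert-hook.
# Guarded by an env var so that sourcing the file (e.g. in a test) runs nothing.
if [ "${PATRONI_CERT_HOOK_MAIN:-0}" = 1 ]; then
  fix_cert_perms "$1" "$2" "$3"
  reload_patroni "${4:-patroni}"
fi
```

To deploy it: install the file root-owned with mode 0755 (certmonger executes the `-C` command as root, so the script must not be writable by the `patroni` user or by anyone else, otherwise a renewal becomes a root privilege escalation), run `request_node_cert "$(hostname -f)"` once as root, and point Patroni's `restapi.certfile` and `restapi.keyfile` at the same `/etc/patroni/ssl/` paths. Run the script with `PATRONI_CERT_HOOK_MAIN=1` when invoked by certmonger.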