SSL used in Postgres DB

Our infosec team gave me the info below about TLS certificates and what is the next course of action:

Please take note of this important communication if you use Azure for your application environment and use PostgreSQL Single Server. There is a risk of production impact if the below instructions are not carefully followed.

If you use PostgreSQL single Server with your applications, immediate action is required to avoid service failure if your application has been pinned to the Baltimore CyberTrust Root CA.

In December 2022, Microsoft will begin updating Azure Database for PostgreSQL Single Server to use TLS certificates from DigiCert Global Root G2. If your apps use certificate pinning, you’ll need to update your trusted root store by 30 November 2022.

## Required action

Overview of Action Required

- If your client application has pinned to the Baltimore CyberTrustRoot CA, in addition to Baltimore, add the DigiCert Global Root G2 to your trusted root store before end of June 2022.
- If your applications take advantage of verify-ca or verify-full as value of sslmode parameter in the database client connectivity, you will need to follow directions below to add new certificates to certificate store to maintain connectivity…
- Keep using the current root or intermediate CAs in your applications or devices until the transition period is completed (necessary to prevent connection interruption). We recommend to not remove the BaltimoreCyberTrustRoot from your combined CA certificate until further notice to maintain connectivity.

## How to check if your application is impacted

Such verification can be checked via application client connection string ssl mode value - verify-ca or verify-full. If these ssl-mode values are chosen you should follow directions in next section.

## Action Required

- Download BaltimoreCyberTrustRoot & DigiCertGlobalRootG2 Root CA from links below:

The only way I'm familiar with for SonarQube connecting to Postgres is through /pathofsonarqube/conf/sonar.properties. Its connection string is as follows:

```
sonar.jdbc.url=jdbc:postgresql://azureserverDBpath:5432/sonardev8_9?user=myuserID@azureserverDB&password=PUTPASS&sslmode=require&gssEncMode=disable
```

Would you know if this "sslmode=require&gssEncMode=disable" means that SSL is not applicable here? I'm guessing it's applicable, because there is an & after require, meaning those two settings are sslmode = require AND gssEncMode is disabled. Any idea where I can find this root certificate in my SonarQube application?

Thanks for sharing details here. I don’t know much about it. But anyway great work.

I think the question would be, is there a certificate store in Sonarqube itself especially when the application is connecting to the database?

The connection string to connect to the DB requires it to be in SSL mode ("sonar.jdbc.url=jdbc:postgresql://azureserverDBpath:5432/sonardev8_9?user=myuserID@azureserverDB&password=PUTPASS&sslmode=require&gssEncMode=disable"), and in order for that to still work past November 30, there's a need to add the root certificate that Microsoft is asking to add. Question is, where do we add it? Any ideas are all welcome!