[PDNS] [3.17 & Edge] - could not open certificate file "/root/.postgresql/postgresql.crt": Permission denied
Since updating to Alpine 3.17 from 3.16, PowerDNS is not able to connect to my Postgres backend via SSL, causing it to retry using cleartext, which also fails due to our db denying cleartext connectivity.
Caught an exception instantiating a backend: Unable to launch gpgsql connection: Unable to connect to database, connect string: dbname='<HIDDEN>' user='<HIDDEN>' host='<HIDDEN>' port='5432' password=<HIDDEN>: connection to server at "<HIDDEN>" (<HIDDEN>), port <HIDDEN> failed: could not open certificate file "/root/.postgresql/postgresql.crt": Permission denied
connection to server at "<HIDDEN>" (<HIDDEN>), port <HIDDEN> failed: FATAL: pg_hba.conf rejects connection for host "<HIDDEN>", user "<HIDDEN>", database "<HIDDEN>", no encryption
An educated guess is that in an update to libpq an exception is now generated if it is unable to determine if client authentication is needed (by verifying the path "/root/.postgresql/postgresql.crt"). As PowerDNS runs as the pdns user, it cannot access this folder and SSL connectivity will fail.
A workaround has been to set the PGSSLCERT environment variable in the Dockerfile to override the default to a folder the pdns user has access to (such as /tmp).
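A preflight check for the condition described in this report, as an added example that is not part of the original post or of the PowerDNS or libpq code: run as the service user, it resolves the client certificate path (PGSSLCERT, else the default under HOME) and separates "file absent" from "cannot be checked". The function names are hypothetical, and the model is an assumption that simplifies libpq's lookup: only HOME is consulted, and only ENOENT and ENOTDIR count as "no certificate".

```python
import errno
import os

# Default client certificate location, relative to the home directory.
DEFAULT_REL = os.path.join(".postgresql", "postgresql.crt")


def client_cert_path(env):
    """Path that would be probed: PGSSLCERT if set, else the default under HOME."""
    override = env.get("PGSSLCERT")
    if override:
        return override
    # Assumption: HOME alone decides the home directory (no passwd lookup here).
    return os.path.join(env.get("HOME", "/"), DEFAULT_REL)


def classify_errno(err):
    """Map a stat() errno to the outcome seen by the connecting process."""
    if err in (errno.ENOENT, errno.ENOTDIR):
        return "absent"  # no client certificate; TLS can proceed without one
    return "error"       # e.g. EACCES: the TLS attempt fails, as in the report


def probe(path):
    """stat() the path as the current user and classify the result."""
    try:
        os.stat(path)
    except OSError as exc:
        return classify_errno(exc.errno)
    return "present"


def preflight(env):
    """Return (path, state) for the given environment mapping."""
    path = client_cert_path(env)
    return path, probe(path)


if __name__ == "__main__":
    path, state = preflight(os.environ)
    print(f"uid={os.getuid()} cert={path} state={state}")
    # Non-zero exit lets a container entrypoint or healthcheck fail early.
    raise SystemExit(1 if state == "error" else 0)
```

With the workaround from the report, PGSSLCERT points into a directory the pdns user can traverse, so the probe returns "absent" or "present" instead of "error".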