From: | Axel Rau <Axel(dot)Rau(at)Chaos1(dot)DE> |
---|---|
To: | pgsql-admin(at)postgresql(dot)org |
Subject: | [RESOLVED] Re: Cert verify failed on client side after renewal of certs |
Date: | 2014-09-24 09:00:05 |
Message-ID: | 06C16AEB-4CAA-42BE-8F23-C0573F710429@Chaos1.DE |
Lists: | pgsql-admin |
On 24.09.2014 at 07:22, Adalkonda Harshad <adalkondaharshad(at)gmail(dot)com> wrote:
>
> On 23-09-2014 19:21, Axel Rau wrote:
>> The problem below disappears if I remove client key and cert from ~/.postgresql, just keeping root.crt.
>> Which subject CN or Subject alternate name should I use with the client cert?
>> User name or FQDN of client host comes into mind. Docs are unclear in that point.
>>
>> Axel
>>
>> On 18.09.2014 at 22:57, Axel Rau <Axel(dot)Rau(at)chaos1(dot)de> wrote:
>>
>>> Hi all,
>>>
>>> I'm getting
>>> psql: SSL error: certificate verify failed
>>> after renewing server and client certs.
>>> Both certs are validated ok by openssl:
>>> - - -
>>> openssl verify -verbose -CAfile ca_cert.pem -purpose sslserver /usr/local/pgsql/data-l/db1.in.chaos1.de_server_cert.pem
>>> /usr/local/pgsql/data-l/db1.in.chaos1.de_server_cert.pem: OK
>>> - - -
>>> openssl verify -verbose -CAfile ca_cert.pem -purpose sslclient db1.in.chaos1.de_server_cert.pem
>>> db1.in.chaos1.de_server_cert.pem: OK
>>> - - -
>>> x509 extensions of server cert are
>>> - - -
>>> X509v3 Subject Key Identifier:
>>> E2:F8:B9:D0:94:F2:70:BD:BE:84:EE:5C:7B:45:95:47:E4:9F:49:3B
>>> X509v3 Basic Constraints: critical
>>> CA:FALSE
>>> X509v3 Key Usage: critical
>>> Digital Signature, Key Encipherment
>>> X509v3 Extended Key Usage: critical
>>> TLS Web Server Authentication
>>> X509v3 Subject Alternative Name: critical
>>> DNS:some.host, DNS:another host
>>> - - -
>>> and of client cert
>>> - - -
>>> X509v3 Subject Key Identifier:
>>> E2:F8:B9:D0:94:F2:70:BD:BE:84:EE:5C:7B:45:95:47:E4:9F:49:3B
>>> X509v3 Basic Constraints: critical
>>> CA:FALSE
>>> X509v3 Key Usage: critical
>>> Digital Signature
>>> X509v3 Extended Key Usage: critical
>>> TLS Web Client Authentication
>>> X509v3 Subject Alternative Name: critical
>>> DNS:some.host, DNS:another host
>>> - - -
>>> How can this be?
>>> What am I doing wrong?
>>>
>>> Axel
>>> PS: This is still this issue:
>>> http://article.gmane.org/gmane.comp.db.postgresql.admin/38559
Thanks for your answer.
> The CN should be the user name of the database from which the client is going to log in.
According to the docs, this is required with authentication by client cert (AbCC), which I did not use.
I created a cert with db user name as CN and no subject alternate name (SAN) and this solved my problem!
There should really be a hint in the docs that SSL does not work with client certs containing one or more SANs.
Now the next question: If I switch to AbCC, how can I configure more than one db user per login?
Thanks, Axel
---
PGP-Key:29E99DD6 - +49 151 2300 9283 - computing @ chaos claudius
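An added example, not code from the thread, that checks a client cert against what PostgreSQL cert authentication will compare: the CN must equal the database role name (or be mapped to it in pg_ident.conf), the Extended Key Usage must allow client authentication, and, following the finding above, any Subject Alternative Name is flagged. It parses the text that `openssl x509 -in client.crt -noout -subject -text` prints, in both the old `subject= /CN=x` and the new `subject=CN = x` style; `openssl` on PATH is assumed only by `inspect_cert_file`, and the sample dumps are constructed from the extensions quoted in the thread.

```python
import re
import subprocess

def parse_cert_text(text):
    """Extract CN, SAN entries and Extended Key Usage from an openssl text dump."""
    info = {"cn": None, "sans": [], "eku": []}
    subj = re.search(r"^subject=\s*(.*)$", text, re.M)
    if subj:
        cn = re.search(r"(?:^|[/,]\s*)CN\s*=\s*([^,/]+)", subj.group(1))
        if cn:
            info["cn"] = cn.group(1).strip()
    lines = text.splitlines()
    for i, line in enumerate(lines[:-1]):
        values = [v.strip() for v in lines[i + 1].split(",") if v.strip()]
        if "Subject Alternative Name" in line:
            info["sans"] = values
        elif "Extended Key Usage" in line:
            info["eku"] = values
    return info

def check_client_cert(text, db_user):
    """Return findings; an empty list means the cert maps cleanly onto db_user."""
    info = parse_cert_text(text)
    findings = []
    if info["cn"] is None:
        findings.append("no CN in subject: cert auth has nothing to compare")
    elif info["cn"] != db_user:
        findings.append(f"CN {info['cn']!r} != role {db_user!r}: a pg_ident.conf map is needed")
    if info["eku"] and "TLS Web Client Authentication" not in info["eku"]:
        findings.append("Extended Key Usage lacks TLS Web Client Authentication")
    if info["sans"]:
        findings.append(f"SAN present {info['sans']}: the thread reports verify failures with SANs")
    return findings

def inspect_cert_file(path, db_user):
    """Dump a PEM file with openssl (assumed to be on PATH) and check it."""
    cmd = ["openssl", "x509", "-in", path, "-noout", "-subject", "-text"]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return check_client_cert(out, db_user)

# Constructed samples mirroring the client cert extensions quoted in the thread.
SAMPLE_WITH_SAN = """subject=CN = dbuser
        X509v3 Extended Key Usage: critical
            TLS Web Client Authentication
        X509v3 Subject Alternative Name: critical
            DNS:some.host, DNS:another host
"""
SAMPLE_CN_ONLY = "subject= /CN=dbuser\n        X509v3 Extended Key Usage: critical\n            TLS Web Client Authentication\n"
```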