| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | John Scalia <jayknowsunix(at)gmail(dot)com> |
| Cc: | pgsql-admin(at)postgresql(dot)org |
| Subject: | Re: SSL certificate revocation file will not load |
| Date: | 2017-06-14 20:50:25 |
| Message-ID: | 23871.1497473425@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-admin |
John Scalia <jayknowsunix(at)gmail(dot)com> writes:
> I've got SSL working without the crl file, but when I set ssl_crl_file to
> use the one I have, it says FATAL on a restart and no SSL error reported.
> This is not very helpful.
Did you look into the postmaster log? Experimenting with an intentionally
corrupted CRL file here, I get log messages along the lines of
2017-06-14 16:45:15.096 EDT [22759] LOG: parameter "ssl_crl_file" changed to "root+client.crl"
2017-06-14 16:45:15.102 EDT [22759] LOG: could not load SSL certificate revocation list file "root+client.crl": bad base64 decode
The actually useful part of that comes out of OpenSSL, and we don't have
a lot of control about how specific it is ... but there should be
*something*.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | John Scalia | 2017-06-14 21:55:22 | Re: SSL certificate revocation file will not load |
| Previous Message | Bruce Momjian | 2017-06-13 18:10:15 | Re: PG-10.0 Distributed Cluster |