Re: Bug: certificate expired

From: Andrej Podzimek <andrej(at)podzimek(dot)org>
To: Dave Page <dpage(at)pgadmin(dot)org>
Cc: pgadmin-support(at)postgresql(dot)org
Subject: Re: Bug: certificate expired
Date: 2008-10-08 14:12:53
Message-ID: 48ECBFE5.6050105@podzimek.org
Lists: pgadmin-support

>>> Hello,
>>>
>>> I have been using PgAdmin III with SSL for a couple of months. I set up
>>> certificates for both the server and the client, valid until March 2009.
>>> Everything worked fine.
>>>
>>> Now the bad news: PgAdmin refuses to connect since yesterday, with this
>>> error message:
>>>
>>> Error connecting to the server: SSL error: sslv3 alert certificate
>>> expired
>>>
>>> This is obviously nonsense, as both certificates are valid and system
>>> clocks on both computers show correct date and time. I even restarted the
>>> PostgreSQL server, which did not help.
>>>
>>> Using PostgreSQL 8.3.3, compiled --with-openssl.
>>>
>>> Best regards,
>>>
>>> Andrej Podzimek
>> Sorry for answering my own message, but the bug is still there... This is a
>> real showstopper. What could be wrong?
>
> The message comes from OpenSSL/libpq - pgAdmin just displays it for
> you. I have no idea why OpenSSL would think your certificate had
> expired unless it had. Could it be that the issuing CA certificate has
> expired?

No, that's my home-made CA, with a certificate valid until 2011...

In fact, the whole story is a little bit more complicated:

1) I enabled OpenSSL for psql and pgAdmin in June 2008.
2) It stopped working (for the first time) at the end of August, with the stupid error message (expired certificate).
3) Adding the CA certificate and CRL on the *client* side fixed this, amazingly.
4) Then it worked for about one month, till the beginning of October.
5) Stopped working again about two days ago. The same error message.

This seems inexplicable to me: Certificate and key files still in place, computer clocks OK and it just stopped working. Should I try an older version of OpenSSL?

All other programs based on OpenSSL work just fine. Is it possible to get more log messages somehow? The client says certificate has expired. The server says that the client did not provide any certificate. The client certificate is valid until 2009 and so is the server certificate.

I tried to log in from a remote computer, then from the LAN and locally. The same nonsense was „reported“ each time.

Andrej
