From: | Andrej Podzimek <andrej(at)podzimek(dot)org> |
---|---|
To: | Dave Page <dpage(at)pgadmin(dot)org> |
Cc: | pgadmin-support(at)postgresql(dot)org |
Subject: | Re: Bug: certificate expired |
Date: | 2008-10-08 14:12:53 |
Message-ID: | 48ECBFE5.6050105@podzimek.org |
Lists: | pgadmin-support |
>>> Hello,
>>>
>>> I have been using PgAdmin III with SSL for a couple of months. I set up
>>> certificates for both the server and the client, valid until March 2009.
>>> Everything worked fine.
>>>
>>> Now the bad news: PgAdmin refuses to connect since yesterday, with this
>>> error message:
>>>
>>> Error connecting to the server: SSL error: sslv3 alert certificate
>>> expired
>>>
>>> This is obviously nonsense, as both certificates are valid and system
>>> clocks on both computers show correct date and time. I even restarted the
>>> PostgreSQL server, which did not help.
>>>
>>> Using PostgreSQL 8.3.3, compiled --with-openssl.
>>>
>>> Best regards,
>>>
>>> Andrej Podzimek
>> Sorry for answering my own message, but the bug is still there... This is a
>> real showstopper. What could be wrong?
>
> The message comes from OpenSSL/libpq - pgAdmin just displays it for
> you. I have no idea why OpenSSL would think your certificate had
> expired unless it had. Could it be that the issuing CA certificate has
> expired?
No, that's my home-made CA, with a certificate valid until 2011...

In fact, the whole story is a little bit more complicated:

1) I enabled OpenSSL for psql and pgAdmin in June 2008.
2) It stopped working (for the first time) at the end of August, with the stupid error message (expired certificate).
3) Adding the CA certificate and CRL on the *client* side fixed this, amazingly.
4) Then it worked for about one month, till the beginning of October.
5) Stopped working again about two days ago. The same error message.

This seems inexplicable to me: Certificate and key files still in place, computer clocks OK and it just stopped working. Should I try an older version of OpenSSL?

All other programs based on OpenSSL work just fine. Is it possible to get more log messages somehow? The client says certificate has expired. The server says that the client did not provide any certificate. The client certificate is valid until 2009 and so is the server certificate.

I tried to log in from a remote computer, then from the LAN and locally. The same nonsense was „reported“ each time.

Andrej