Re: Cert verify failed on client side after renewal of certs

From: Adalkonda Harshad <adalkondaharshad(at)gmail(dot)com>
To: Axel Rau <Axel(dot)Rau(at)Chaos1(dot)DE>, pgsql-admin(at)postgresql(dot)org
Subject: Re: Cert verify failed on client side after renewal of certs
Date: 2014-09-24 05:22:49
Message-ID: 54225529.1020507@gmail.com
Lists: pgsql-admin


On 23-09-2014 19:21, Axel Rau wrote:
> The problem below disappears if I remove the client key and cert from ~/.postgresql, keeping only root.crt.
> Which subject CN or Subject Alternative Name should I use with the client cert?
> The user name or the FQDN of the client host come to mind. The docs are unclear on that point.
>
> Axel
>
> On 18.09.2014 at 22:57 Axel Rau <Axel(dot)Rau(at)chaos1(dot)de> wrote:
>
>> Hi all,
>>
>> I’m getting
>> psql: SSL error: certificate verify failed
>> after renewing server and client certs.
>> Both certs validate OK with openssl:
>> - - -
>> openssl verify -verbose -CAfile ca_cert.pem -purpose sslserver /usr/local/pgsql/data-l/db1.in.chaos1.de_server_cert.pem
>> /usr/local/pgsql/data-l/db1.in.chaos1.de_server_cert.pem: OK
>> - - -
>> openssl verify -verbose -CAfile ca_cert.pem -purpose sslclient db1.in.chaos1.de_server_cert.pem
>> db1.in.chaos1.de_server_cert.pem: OK
>> - - -
>> x509 extensions of server cert are
>> - - -
>> X509v3 Subject Key Identifier:
>> E2:F8:B9:D0:94:F2:70:BD:BE:84:EE:5C:7B:45:95:47:E4:9F:49:3B
>> X509v3 Basic Constraints: critical
>> CA:FALSE
>> X509v3 Key Usage: critical
>> Digital Signature, Key Encipherment
>> X509v3 Extended Key Usage: critical
>> TLS Web Server Authentication
>> X509v3 Subject Alternative Name: critical
>> DNS:some.host, DNS:another host
>> - - -
>> and of client cert
>> - - -
>> X509v3 Subject Key Identifier:
>> E2:F8:B9:D0:94:F2:70:BD:BE:84:EE:5C:7B:45:95:47:E4:9F:49:3B
>> X509v3 Basic Constraints: critical
>> CA:FALSE
>> X509v3 Key Usage: critical
>> Digital Signature
>> X509v3 Extended Key Usage: critical
>> TLS Web Client Authentication
>> X509v3 Subject Alternative Name: critical
>> DNS:some.host, DNS:another host
>> - - -
>> How can this be?
>> What am I doing wrong?
>>
>> Axel
>> PS: This is still this issue:
>> http://article.gmane.org/gmane.comp.db.postgresql.admin/38559
>> —
>> PGP-Key:29E99DD6 ☀ +49 151 2300 9283 ☀ computing @ chaos claudius
>>
> ---
> PGP-Key:29E99DD6 ☀ +49 151 2300 9283 ☀ computing @ chaos claudius
>
>
>
The CN should be the user name of the database from which the client is going to
log in.
--

Harshad Adalkonda
Database Administrator
harshad(dot)adalkonda(at)shreeyansh(dot)com

Office: +919552687400/8400
http://www.shreeyansh.com

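The check this exchange turns on, as an added example that is not part of the thread and not code from any of the posters: a POSIX shell script that first verifies a client certificate against the CA for the sslclient purpose (the same openssl verify the original poster ran) and then confirms that the subject CN equals the database role, which is the value PostgreSQL's cert authentication compares it against. To run offline it builds its own throwaway CA and two leaf certificates with the OpenSSL command line (1.1.1 or later assumed); the role name alice, the file names and the extension file contents are constructed for the demo and mirror the extension list quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): check a PostgreSQL client certificate
# before deploying it. Does it chain to root.crt for the *client* purpose,
# and does its CN equal the database role that will connect?
# The role name "alice" and all file names below are constructed.
set -eu

# check_client_cert CA_FILE CERT_FILE EXPECTED_ROLE
# Returns 0 when CERT_FILE verifies against CA_FILE for TLS client
# authentication and its subject CN equals EXPECTED_ROLE; 1 otherwise.
check_client_cert() {
  ca=$1; cert=$2; role=$3

  # Chain validity plus the EKU/keyUsage rules for a client certificate.
  if ! openssl verify -CAfile "$ca" -purpose sslclient "$cert" >/dev/null 2>&1; then
    echo "FAIL: $cert does not verify for purpose sslclient" >&2
    return 1
  fi

  # Extract the CN; with cert authentication (or clientcert=1 plus a
  # pg_ident map) PostgreSQL compares it to the connecting role name.
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
       | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  if [ "$cn" != "$role" ]; then
    echo "FAIL: CN '$cn' does not match role '$role'" >&2
    return 1
  fi

  # Informational: the two certs quoted in the thread carry the same Subject
  # Key Identifier, which normally means one key pair was reused. Print it
  # so that reuse is visible at a glance.
  ski=$(openssl x509 -in "$cert" -noout -text \
        | awk '/Subject Key Identifier/{getline; gsub(/ /,""); print; exit}')
  echo "OK: $cert chains to $ca, CN=$cn, SKI=$ski"
  return 0
}

# make_demo_certs DIR
# Constructs a throwaway CA plus two leaf certificates in DIR:
#   client.crt  CN=alice, EKU clientAuth  (the shape of the thread's client cert)
#   server.crt  CN=alice, EKU serverAuth  (a server cert; must be rejected as a client)
make_demo_certs() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
  for kind in client server; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=alice" \
      -keyout "$dir/$kind.key" -out "$dir/$kind.csr" >/dev/null 2>&1
    # Extensions mirror the ones listed in the thread: no CA, critical KU/EKU.
    printf 'subjectKeyIdentifier=hash\nbasicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=critical,%sAuth\n' \
      "$kind" > "$dir/$kind.ext"
    openssl x509 -req -days 1 -in "$dir/$kind.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
      -CAcreateserial -extfile "$dir/$kind.ext" -out "$dir/$kind.crt" >/dev/null 2>&1
  done
}

# Stand-alone run: build the demo PKI and exercise the check three ways.
demo() {
  dir=$(mktemp -d)
  make_demo_certs "$dir"
  check_client_cert "$dir/ca.crt" "$dir/client.crt" alice          # OK
  check_client_cert "$dir/ca.crt" "$dir/client.crt" bob   || true   # FAIL: CN mismatch
  check_client_cert "$dir/ca.crt" "$dir/server.crt" alice || true   # FAIL: wrong purpose
  rm -rf "$dir"
}

demo
```

Running it prints one OK line and two FAIL lines, the CN mismatch and the server-purpose certificate. The second case is the one to keep in mind when one key pair or one extension template is reused across certificates: a certificate whose Extended Key Usage is only TLS Web Server Authentication is rejected for client use even though it chains to the same root, so a successful -purpose sslserver verification says nothing about whether the same file will be accepted as a client certificate.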
