Re: ssl_crl_file Certificate Revocation List doesn't work for postgresql 11

From: Gabriel Cabillon <gcabillon(at)hexa(dot)com(dot)uy>
To: pgsql-general(at)lists(dot)postgresql(dot)org
Subject: Re: ssl_crl_file Certificate Revocation List doesn't work for postgresql 11
Date: 2021-11-30 14:03:06
Message-ID: 6660f633-b059-4cd8-e61f-d310e05d9780@hexa.com.uy
Lists: pgsql-general

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
On 30/11/2021 at 10:53, Yi Sun wrote:<br>
<blockquote type="cite"
cite="mid:CABWY_HCBUCjY1EJHrEGePGEaSZ5b29apgTohCyygtsqe_ySYng(at)mail(dot)gmail(dot)com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">Hi All,
<div><br>
</div>
<div>OS: CentOS 7.6</div>
<div>PG: 11.11</div>
<div><br>
</div>
<div>Our env already has ssl configured</div>
<div>--server postgresql.conf</div>
<div>ssl = 'on'<br>
ssl_ca_file = '/var/lib/pgsql/tls/root.crt'<br>
ssl_cert_file = '/var/lib/pgsql/tls/server.crt'<br>
ssl_key_file = '/var/lib/pgsql/tls/server.key'<br>
</div>
<div><br>
</div>
<div>--client configuration</div>
<div>$ ls -alrt /var/lib/pgsql/.postgresql<br>
total 20<br>
-rw-r--r-- 1 postgres postgres  688 Nov 30 06:46 root.crt<br>
-rw-r--r-- 1 postgres postgres  778 Nov 30 06:46 postgresql.crt<br>
-rw------- 1 postgres postgres 1708 Nov 30 06:47 postgresql.key<br>
</div>
<div><br>
</div>
<div>--From client to connect ssl works</div>
<div>$ psql "host=master.pgcluster11.service.consul port=5432
dbname=testdb user=test sslmode=verify-full"<br>
Password:<br>
SSL connection (protocol: TLSv1.2, cipher:
ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)<br>
<br>
</div>
<div>--Now we want to configure the ssl_crl_file and have generated
the root.crl file as in the Red Hat doc below</div>
<div><br>
</div>
<div><a
href="https://access.redhat.com/documentation/en-us/red_hat_update_infrastructure/2.1/html/administration_guide/chap-red_hat_update_infrastructure-administration_guide-certification_revocation_list_crl"
moz-do-not-send="true" class="moz-txt-link-freetext">https://access.redhat.com/documentation/en-us/red_hat_update_infrastructure/2.1/html/administration_guide/chap-red_hat_update_infrastructure-administration_guide-certification_revocation_list_crl</a><br>
</div>
<div><br>
</div>
<div>--Use openssl to verify, shows "certificate revoked"</div>
<div># cat /home/sunyi/tls/root.crt /home/sunyi/tls/1/root.crl
&gt; /tmp/test_1.pem<br>
</div>
<div># openssl verify -extended_crl -verbose -CAfile
/tmp/test_1.pem -crl_check /home/sunyi/tls/1/server.crt<br>
/home/sunyi/tls/1/server.crt: O = Acronis, OU = DBS, CN =
s12345y-patroni_cluster-507460701<br>
error 23 at 0 depth lookup:certificate revoked<br>
</div>
<div><br>
</div>
<div>--copy root.crl file to /var/lib/pgsql/tls </div>
<div>-bash-4.2$ ls -alrt /var/lib/pgsql/tls<br>
total 20<br>
drwx------ 4 postgres postgres 4096 Nov 30 04:20 ..<br>
-rw-r----- 1 postgres postgres 1164 Nov 30 04:20 server.crt<br>
-rw------- 1 postgres postgres 1679 Nov 30 04:20 server.key<br>
-rw-r----- 1 postgres postgres  688 Nov 30 04:20 root.crt<br>
drwx------ 2 postgres postgres 4096 Nov 30 04:20 .<br>
</div>
<div><br>
</div>
<div>--Configure /var/lib/pgsql/11/data/postgresql.conf<br>
ssl_crl_file = '/var/lib/pgsql/tls/root.crl'<br>
</div>
<div><br>
</div>
<div>--Reload postgresql</div>
<div>$ psql<br>
psql (11.11)<br>
Type "help" for help.<br>
<br>
postgres=# select pg_reload_conf();<br>
 pg_reload_conf<br>
----------------<br>
 t<br>
(1 row)<br>
</div>
<div>postgres=# show ssl_crl_file;<br>
        ssl_crl_file<br>
-----------------------------<br>
 /var/lib/pgsql/tls/root.crl<br>
(1 row)<br>
</div>
<div><br>
</div>
<div>--From the client it can still connect, which is not as expected</div>
<div>$ psql "host=master.pgcluster11.service.consul port=5432
dbname=testdb user=test sslmode=verify-full"<br>
Password:<br>
SSL connection (protocol: TLSv1.2, cipher:
ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)<br>
</div>
<div><br>
</div>
<div>Could you please advise if any more configuration is needed?
Thanks</div>
<div><br>
</div>
<div>Thanks and best regards</div>
<div>Sun Yi</div>
</div>
</blockquote>
<br>
Hi, <br>
<br>
According to the ls command it seems you copied root.crt instead of
root.crl<br>
<br>
Yours,<br>
Gabriel<br>
</body>
</html>
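Added example (not from either poster): a small shell check that confirms the file named by `ssl_crl_file` exists and is a PEM CRL rather than a certificate, the mix-up Gabriel points at, and a wrapper that reruns the `openssl verify` from the question against a given server certificate. The function names and the `check_pg_crl.sh` file name are my own; the PEM files are supplied by the caller.

```shell
#!/bin/sh
# check_pg_crl.sh (added example, not from the thread): sanity-check the file
# that ssl_crl_file in postgresql.conf points at. Function and file names are
# my own; no key material is embedded, the PEM files are supplied by the caller.

# crl_kind FILE -> prints "crl", "cert", "missing" or "unknown"; status 0 only for a CRL.
crl_kind() {
  f=$1
  [ -f "$f" ] || { echo missing; return 1; }
  if grep -q -- '-----BEGIN X509 CRL-----' "$f"; then
    echo crl; return 0
  elif grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
    echo cert; return 1      # a certificate copied where the CRL should be
  fi
  echo unknown; return 1
}

# check_ssl_crl_file CONF -> reads the last uncommented ssl_crl_file setting
# from postgresql.conf and checks the referenced file. Status 0 only for a real CRL.
check_ssl_crl_file() {
  conf=$1
  path=$(sed -n "s/^[[:space:]]*ssl_crl_file[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$conf" | tail -n 1)
  if [ -z "$path" ]; then
    echo "ssl_crl_file is not set in $conf"
    return 1
  fi
  kind=$(crl_kind "$path") || true
  echo "ssl_crl_file = $path -> $kind"
  [ "$kind" = crl ]
}

# verify_against_crl CA CRL CERT -> the openssl check from the question: build a
# bundle of CA cert plus CRL and verify CERT with CRL checking enabled. Status 0
# means the certificate is NOT revoked; "certificate revoked" means the CRL works.
verify_against_crl() {
  ca=$1; crl=$2; cert=$3
  bundle=$(mktemp) || return 1
  cat "$ca" "$crl" > "$bundle"
  openssl verify -extended_crl -CAfile "$bundle" -crl_check "$cert"
  rc=$?
  rm -f "$bundle"
  return $rc
}
```

Run `check_ssl_crl_file /var/lib/pgsql/11/data/postgresql.conf` on the server before reloading; a result of `cert` or `missing` reproduces the situation in the question.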
