| From: | John Scalia <jayknowsunix(at)gmail(dot)com> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | pgsql-admin(at)postgresql(dot)org |
| Subject: | Re: SSL certificate revocation file will not load |
| Date: | 2017-06-14 21:55:22 |
| Message-ID: | 68DC7C40-A815-4F80-924A-45C07A463D55@gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-admin |
Well, it turned out that the CRL was in the wrong format. So, I managed to convert it with OpenSSL and it loaded properly. I do have one more question... the Treasury Department, which produces these certificates for us, expires all the CRL's in just 6 hours, so does that mean I'd have to do restart on the database each time I got a new one or would a reload work?
Sent from my iPad
> On Jun 14, 2017, at 4:50 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>
> John Scalia <jayknowsunix(at)gmail(dot)com> writes:
>> I've got SSL working without the crl file, but when I set ssl_crl_file to
>> use the one I have, it says FATAL on a restart and no SSL error reported.
>> This is not very helpful.
>
> Did you look into the postmaster log? Experimenting with an intentionally
> corrupted CRL file here, I get log messages along the lines of
>
> 2017-06-14 16:45:15.096 EDT [22759] LOG: parameter "ssl_crl_file" changed to "root+client.crl"
> 2017-06-14 16:45:15.102 EDT [22759] LOG: could not load SSL certificate revocation list file "root+client.crl": bad base64 decode
>
> The actually useful part of that comes out of OpenSSL, and we don't have
> a lot of control about how specific it is ... but there should be
> *something*.
>
> regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2017-06-14 22:07:02 | Re: SSL certificate revocation file will not load |
| Previous Message | Tom Lane | 2017-06-14 20:50:25 | Re: SSL certificate revocation file will not load |