From: | Axel Rau <Axel(dot)Rau(at)Chaos1(dot)DE> |
---|---|
To: | pgsql-admin(at)postgresql(dot)org |
Subject: | Re: Cert verify failed on client side after renewal of certs |
Date: | 2014-09-23 13:51:11 |
Message-ID: | 74256716-042C-45E6-A2F2-09B0D0D34666@Chaos1.DE |
Lists: | pgsql-admin |
The problem below disappears if I remove client key and cert from ~/.postgresql, just keeping root.crt.
Which subject CN or Subject Alternative Name should I use with the client cert?
The user name or the FQDN of the client host come to mind. The docs are unclear on that point.
Axel
On 18.09.2014 at 22:57, Axel Rau <Axel(dot)Rau(at)chaos1(dot)de> wrote:
> Hi all,
>
> I’m getting
> psql: SSL error: certificate verify failed
> after renewing server and client certs.
> Both certs are validated ok by openssl:
> - - -
> openssl verify -verbose -CAfile ca_cert.pem -purpose sslserver /usr/local/pgsql/data-l/db1.in.chaos1.de_server_cert.pem
> /usr/local/pgsql/data-l/db1.in.chaos1.de_server_cert.pem: OK
> - - -
> openssl verify -verbose -CAfile ca_cert.pem -purpose sslclient db1.in.chaos1.de_server_cert.pem
> db1.in.chaos1.de_server_cert.pem: OK
> - - -
> x509 extensions of server cert are
> - - -
> X509v3 Subject Key Identifier:
> E2:F8:B9:D0:94:F2:70:BD:BE:84:EE:5C:7B:45:95:47:E4:9F:49:3B
> X509v3 Basic Constraints: critical
> CA:FALSE
> X509v3 Key Usage: critical
> Digital Signature, Key Encipherment
> X509v3 Extended Key Usage: critical
> TLS Web Server Authentication
> X509v3 Subject Alternative Name: critical
> DNS:some.host, DNS:another host
> - - -
> and of client cert
> - - -
> X509v3 Subject Key Identifier:
> E2:F8:B9:D0:94:F2:70:BD:BE:84:EE:5C:7B:45:95:47:E4:9F:49:3B
> X509v3 Basic Constraints: critical
> CA:FALSE
> X509v3 Key Usage: critical
> Digital Signature
> X509v3 Extended Key Usage: critical
> TLS Web Client Authentication
> X509v3 Subject Alternative Name: critical
> DNS:some.host, DNS:another host
> - - -
> How can this be?
> What am I doing wrong?
>
> Axel
> PS: This is still this issue:
> http://article.gmane.org/gmane.comp.db.postgresql.admin/38559
> --
> PGP-Key:29E99DD6 ☀ +49 151 2300 9283 ☀ computing @ chaos claudius
>
>
>
> --
> Sent via pgsql-admin mailing list (pgsql-admin(at)postgresql(dot)org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-admin
---
PGP-Key:29E99DD6 ☀ +49 151 2300 9283 ☀ computing @ chaos claudius
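Added example, not code from the thread or from PostgreSQL itself: the two name checks that actually decide what the CN and SAN of each certificate must carry. On the client side, libpq's sslmode=verify-full compares the host you connect to with the server certificate (only the CN in releases before 12; from 12 on the dNSName SANs, with the CN consulted only when no such SAN exists). On the server side, the pg_hba.conf auth method `cert` (and clientcert=verify-full from 12 on) requires the client certificate's CN to equal the database user name, optionally translated through pg_ident.conf; a plain clientcert=1 line only validates the chain against root.crt and ignores the CN. The certificates below are constructed dicts in the layout Python's ssl.SSLSocket.getpeercert() returns, the names (db1.in.chaos1.de, some.host, the role axel) are taken from or modelled on the thread, and the pg_ident map is simplified to a set of (cn, user) pairs.

```python
"""Added example, not code from the post or from PostgreSQL itself: models the
two name checks PostgreSQL applies to TLS certificates, on top of the dict layout
that Python's ssl.SSLSocket.getpeercert() returns, so it runs offline."""


def common_name(cert):
    """Return the certificate's subject commonName, or None."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def san_dns_names(cert):
    """Return the dNSName entries of the subjectAltName extension."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def dns_name_matches(pattern, host):
    """Case-insensitive match; '*' is accepted only as the whole leftmost label
    and covers exactly one label, which is how libpq treats wildcards."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        head, _, tail = host.partition(".")
        return bool(head) and bool(tail) and tail == pattern[2:]
    return pattern == host


def server_cert_matches_host(cert, host, libpq_major):
    """sslmode=verify-full: libpq before 12 compares the connect host only
    with the CN; from 12 on it uses dNSName SANs and falls back to the CN only
    when the certificate carries no dNSName SAN at all."""
    names = san_dns_names(cert) if libpq_major >= 12 else []
    if not names:
        cn = common_name(cert)
        names = [cn] if cn else []
    return any(dns_name_matches(name, host) for name in names)


def client_cert_user_ok(cert, db_user, ident_map=None):
    """pg_hba.conf auth method 'cert' (and clientcert=verify-full from 12 on):
    the client certificate's CN must equal the requested database user, unless
    a pg_ident.conf map (simplified here to a set of (cn, db_user) pairs)
    translates it. A plain clientcert=1 line only checks the chain against
    root.crt and ignores the CN entirely."""
    cn = common_name(cert)
    if cn is None:
        return False
    if ident_map is None:
        return cn == db_user
    return (cn, db_user) in ident_map


# Constructed sample certificates (hypothetical, modelled on the thread): the
# server cert carries the host in its CN but placeholder DNS SANs, the client
# cert carries the database role name in its CN.
SERVER_CERT = {
    "subject": ((("commonName", "db1.in.chaos1.de"),),),
    "subjectAltName": (("DNS", "some.host"), ("DNS", "another.host")),
}
CLIENT_CERT = {"subject": ((("commonName", "axel"),),)}


if __name__ == "__main__":
    host = "db1.in.chaos1.de"
    for major in (9, 12):
        print(f"libpq {major}: {host} accepted -> "
              f"{server_cert_matches_host(SERVER_CERT, host, major)}")
    print("cert auth, user axel     ->", client_cert_user_ok(CLIENT_CERT, "axel"))
    print("cert auth, user postgres ->", client_cert_user_ok(CLIENT_CERT, "postgres"))
    print("cert auth via pg_ident   ->",
          client_cert_user_ok(CLIENT_CERT, "postgres", {("axel", "postgres")}))
```

The sample server certificate illustrates the trap in the quoted extensions: with the host only in the CN and placeholder names in the SAN, a 9.x libpq accepts it while a 12+ libpq rejects it, because the presence of dNSName SANs makes it ignore the CN. To see which names a real PEM file carries, `openssl x509 -in cert.pem -noout -subject -text` prints the subject and the X509v3 extensions; note that `openssl verify` checks only the chain and purpose, never the host or user name.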