From: | Grzegorz Szpetkowski <gszpetkowski(at)gmail(dot)com> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | pgsql-novice(at)postgresql(dot)org |
Subject: | Re: SSL root.crt not loading |
Date: | 2011-04-25 18:12:56 |
Message-ID: | BANLkTik+nkffwjq4q8X1GYJ+bV2ZcSaFxw@mail.gmail.com |
Lists: | pgsql-novice |
I think that SSL mode is enabled by default in the Ubuntu package and
there are snakeoil certs provided in the data directory
(var/lib/postgresql/9.0/main):

lrwxrwxrwx 1 root root 36 2011-04-25 16:34 server.crt -> /etc/ssl/certs/ssl-cert-snakeoil.pem
lrwxrwxrwx 1 root root 38 2011-04-25 16:34 server.key -> /etc/ssl/private/ssl-cert-snakeoil.key

Since there is no root.crt in the data directory, postmaster fails to
start. I think that PostgreSQL can't "see" certs in the config directory
(/etc/postgresql/9.0/main).

In the Ubuntu package there is a config directory and a data directory, so I
think that OP should put certs in the data dir, not the config dir:
Regards,
Greg Szpetkowski
2011/4/25 Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>:
> Marc-André Laverdière <marc-andre(at)atc(dot)tcs(dot)com> writes:
>>> My pg_hba.conf file is configured with this:
>>> hostssl all abc ::1/128 cert clientcert=1
>
>>> Yet I am unable to start the server. This is what I get on startup:
>
>>> $ sudo /etc/init.d/postgresql start 9.0
>>> * Starting PostgreSQL 9.0 database server
>>> * The PostgreSQL server failed to start. Please check the log output:
>>> 2011-03-17 16:39:13 IST LOG: client certificates can only be checked
>>> if a root certificate store is available
>>> 2011-03-17 16:39:13 IST HINT: Make sure the root.crt file is present
>>> and readable.
>>> 2011-03-17 16:39:13 IST CONTEXT: line 93 of configuration file
>>> "/etc/postgresql/9.0/main/pg_hba.conf"
>>> 2011-03-17 16:39:13 IST FATAL: could not load pg_hba.conf
>
> Hmm, did you remember to set ssl = on in postgresql.conf? While
> experimenting I accidentally found out it will react like this if
> it finds clientcert=1 in pg_hba.conf but SSL wasn't enabled in
> postgresql.conf. Needless to say, that's not a very friendly error
> response --- will see about improving it.
>
> regards, tom lane
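
Added example (not part of the original messages and not PostgreSQL project code): a preflight check for the two causes raised in this thread, ssl left off in postgresql.conf and root.crt absent from the data directory, run before restarting the server. The function names are hypothetical, only the clientcert=1 marker shown above is recognised, and it assumes, as the reply suggests, that 9.0 looks for root.crt in the data directory rather than the config directory.

```python
import os
import re
import tempfile

BOOL_TRUE = {"on", "true", "yes", "1"}

def ssl_enabled(postgresql_conf):
    """Effective `ssl` setting: last uncommented assignment wins, default off."""
    enabled = False
    for line in postgresql_conf.splitlines():
        # Anchor on the bare name so ssl_ciphers and friends are not matched.
        m = re.match(r"\s*ssl(?:\s*=\s*|\s+)'?(\w+)'?", line.split("#", 1)[0], re.I)
        if m:
            enabled = m.group(1).lower() in BOOL_TRUE
    return enabled

def clientcert_lines(pg_hba):
    """1-based line numbers of active pg_hba.conf records carrying clientcert=1."""
    hits = []
    for n, line in enumerate(pg_hba.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if fields and "clientcert=1" in fields[1:]:
            hits.append(n)
    return hits

def preflight(postgresql_conf, pg_hba, data_dir, config_dir):
    """Return a list of problems; empty means neither cause from the thread applies."""
    lines = clientcert_lines(pg_hba)
    if not lines:
        return []
    problems = []
    if not ssl_enabled(postgresql_conf):
        problems.append("ssl is off but pg_hba.conf line(s) %s use clientcert=1" % lines)
    root = os.path.join(data_dir, "root.crt")
    # Readability is tested for the user running this script; run it as postgres.
    if not (os.path.isfile(root) and os.access(root, os.R_OK)):
        msg = "root.crt missing or unreadable in data directory"
        if os.path.isfile(os.path.join(config_dir, "root.crt")):
            msg += " (a copy sits in the config directory, which is not searched)"
        problems.append(msg)
    return problems

if __name__ == "__main__":
    # Constructed sample: the hba record from the thread, ssl left at its default.
    hba = "# TYPE DB USER ADDR METHOD\nhostssl all abc ::1/128 cert clientcert=1\n"
    with tempfile.TemporaryDirectory() as d:
        print(preflight("#ssl = off\n", hba, d, d))
```
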