Re: Changed SSL Certificates

On Fri, Apr 8, 2011 at 1:42 PM, Carlos Mennens <carlos(dot)mennens(at)gmail(dot)com>wrote:

> I had self signed SSL certificates on my database server but since
> then removed them and received updated certificates from the security
> team. I removed (backedup) the old server.crt & server.key and now
> have db1_ssl.crt & db1_ssl.key in the identical location as the old
> SSL certificates. I then went to /etc/postgres/8.4/main and removed
> the old symbolic links for the old certificates and generated new
> symbolic links:
>
> ln -s /etc/ssl/certs/db1_ssl.crt db1_ssl.crt
> ln -s /etc/ssl/private/db1_ssl.key db1_ssl.key
>
> I then restarted PostgreSQL and got the following error:
>
> 2011-04-08 09:54:34 EDT FATAL: could not load server certificate file
> "server.crt": No such file or directory
> 2011-04-08 10:00:43 EDT FATAL: could not load server certificate file
> "server.crt": No such file or directory
>
> I looked for anywhere else in /var/lib/postgres/ & /etc/postgres/ but
> can't find anything else that's calling the old certificates. I
> changed the ownership on the certificates and symbolic links to either
> root or postgres and nothing worked. It fails to start with the
> following error:
>
>
> root(at)db1:/# /etc/init.d/postgresql start
> Starting PostgreSQL 8.4 database server: mainThe PostgreSQL server
> failed to start. Please check the log output: 2011-04-08 12:36:54 EDT
> FATAL: could not load server certificate file "server.crt": No such
> file or directory ... failed!
>
> I checked the documentation page:
>
> http://www.postgresql.org/docs/8.4/static/libpq-ssl.html
>
> Table 30-4. Libpq/Client SSL File Usage
>
> File Contents Effect
> ~/.postgresql/postgresql.crt client certificate requested by server
> ~/.postgresql/postgresql.key client private key proves client
> certificate sent by owner; does not indicate certificate owner is
> trustworthy
> ~/.postgresql/root.crt trusted certificate authorities checks server
> certificate is signed by a trusted certificate authority
> ~/.postgresql/root.crl certificates revoked by certificate
> authorities server certificate must not be on this list
>
> Can anyone tell me what I'm doing wrong or missing here? I can't
> disable SSL per DoD requirements sadly.
>
> -Carlos
>
> --
> Sent via pgsql-general mailing list (pgsql-general(at)postgresql(dot)org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-general
>

Hi,

When linking to the certificate and key you should specify the full path.

ln -s /etc/ssl/certs/db1_ssl.crt /full/path/to/db1_ssl.crt
ln -s /etc/ssl/private/db1_ssl.key /full/path/to/db1_ssl.key

HTH,

diego