| From: | "Frazer McLean" <frazer(at)frazermclean(dot)co(dot)uk> |
|---|---|
| To: | pgsql-general(at)postgresql(dot)org |
| Subject: | Configuring ssl_crl_file |
| Date: | 2017-02-26 14:42:52 |
| Message-ID: | C5157FCB-26C3-42E8-8C71-17B83416E89D@frazermclean.co.uk |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Hi,
I was trying to set up PostgreSQL to use a certificate revocation list
so I could revoke client certificates, but was unable to get it to work.
I was following [this tutorial][1] to create root and intermediate CA
certificates, then producing certificates for the PostgreSQL server and
client.
I have created a [Dockerfile][2] which shows the problem. The short
story is that with the CRL I’ve created in PEM format, a client
certificate is rejected with error “psql: SSL error: tlsv1 alert
unknown ca”. If I don’t set ssl_crl_file, the client certificate is
accepted.
I tested on 9.4-9.6. I tried to find examples about using ssl_crl_file
but wasn’t able to find anything. I found [this message][3] from 2014
without any replies.
[1]:
https://jamielinux.com/docs/openssl-certificate-authority/index.html
[2]: https://github.com/RazerM/postgres_crl_test
[3]: https://postgrespro.com/list/thread-id/1163456
Kind regards,
Frazer McLean
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Geoff Winkless | 2017-02-26 15:56:22 | Re: ERROR: functions in index expression must be marked IMMUTABLE |
| Previous Message | Rich Shepard | 2017-02-26 13:44:48 | Re: New 9.6.2 installation lacks /usr/lib/postgresql/ [RESOLVED] |