could not accept SSL connection: sslv3 alert bad certificate

From: Marco Ippolito <ippolito(dot)marco(at)gmail(dot)com>
To: pgsql-general(at)lists(dot)postgresql(dot)org
Subject: could not accept SSL connection: sslv3 alert bad certificate
Date: 2019-09-25 19:34:19
Message-ID: CAFegzBQf-TH3BqWcL2MTq8hPyE3NLsHt6-LSLQLfYPeLu7tRdQ@mail.gmail.com
Lists: pgsql-general

Following the indications here:
https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html#configuring-the-database
I'm trying to understand how to correctly set Fabric-CA with a
PostgreSQL-11 database in Ubuntu 18.04.02 Server Edition.

I created a postgresql-11 db to which I can connect with SSL:

(base) marco@pc:~$ psql --cluster 11/fabmnet -h 127.0.0.1 -d fabmnetdb -U fabmnet_admin
Password for user fabmnet_admin:
psql (11.5 (Ubuntu 11.5-1.pgdg18.04+1))
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
Type "help" for help.

fabmnetdb=> \l
                                  List of databases
   Name    |     Owner     | Encoding | Collate | Ctype   |   Access privileges
-----------+---------------+----------+---------+---------+-----------------------
 fabmnetdb | fabmnet_admin | UTF8     | C.UTF-8 | C.UTF-8 |
 postgres  | postgres      | UTF8     | C.UTF-8 | C.UTF-8 |
 template0 | postgres      | UTF8     | C.UTF-8 | C.UTF-8 | =c/postgres          +
           |               |          |         |         | postgres=CTc/postgres
 template1 | postgres      | UTF8     | C.UTF-8 | C.UTF-8 | =c/postgres          +
           |               |          |         |         | postgres=CTc/postgres
(4 rows)

fabmnetdb=>

but when trying to start a fabric-ca-server :

(base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server start -b admin:adminpw
2019/09/25 20:56:57 [INFO] Configuration file location: /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
2019/09/25 20:56:57 [INFO] Starting server in home directory: /home/marco/fabric/fabric-ca
2019/09/25 20:56:57 [INFO] Server Version: 1.4.4
2019/09/25 20:56:57 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2019/09/25 20:56:57 [INFO] The CA key and certificate already exist
2019/09/25 20:56:57 [INFO] The key is stored by BCCSP provider 'SW'
2019/09/25 20:56:57 [INFO] The certificate is at: /home/marco/fabric/fabric-ca/ca-cert.pem
2019/09/25 20:56:57 [WARNING] Failed to connect to database 'fabmnetdb'
2019/09/25 20:56:57 [WARNING] Failed to connect to database 'postgres'
2019/09/25 20:56:57 [WARNING] Failed to connect to database 'template1'
2019/09/25 20:56:57 [ERROR] Error occurred initializing database: Failed to connect to Postgres database. Postgres requires connecting to a specific database, the following databases were tried: [fabmnetdb postgres template1]. Please create one of these database before continuing
2019/09/25 20:56:57 [INFO] Home directory for default CA: /home/marco/fabric/fabric-ca
2019/09/25 20:56:57 [INFO] Operation Server Listening on 127.0.0.1:9443
2019/09/25 20:56:57 [INFO] Listening on http://0.0.0.0:7054

This is the corresponding part in
/var/log/postgresql/postgresql-11-fabmnet.log :

2019-09-25 20:51:52.655 CEST [1096] LOG: listening on IPv6 address "::1", port 5433
2019-09-25 20:51:52.673 CEST [1096] LOG: listening on IPv4 address "127.0.0.1", port 5433
2019-09-25 20:51:52.701 CEST [1096] LOG: listening on Unix socket "/var/run/postgresql/.s.PGSQL.5433"
2019-09-25 20:51:52.912 CEST [1171] LOG: database system was interrupted; last known up at 2019-09-25 09:50:30 CEST
2019-09-25 20:51:53.001 CEST [1171] LOG: database system was not properly shut down; automatic recovery in progress
2019-09-25 20:51:53.011 CEST [1171] LOG: redo starts at 0/1668238
2019-09-25 20:51:53.011 CEST [1171] LOG: invalid record length at 0/1668318: wanted 24, got 0
2019-09-25 20:51:53.011 CEST [1171] LOG: redo done at 0/16682E0
2019-09-25 20:51:53.043 CEST [1096] LOG: database system is ready to accept connections
2019-09-25 20:51:53.569 CEST [1206] [unknown]@[unknown] LOG: incomplete startup packet
2019-09-25 20:56:57.540 CEST [4620] [unknown]@[unknown] LOG: could not accept SSL connection: sslv3 alert bad certificate
2019-09-25 20:56:57.543 CEST [4622] [unknown]@[unknown] LOG: could not accept SSL connection: sslv3 alert bad certificate
2019-09-25 20:56:57.544 CEST [4623] [unknown]@[unknown] LOG: could not accept SSL connection: sslv3 alert bad certificate

This is how I set the pg_hba.conf file in the fabmnet postgresql cluster :

(base) marco@pc:~$ sudo -su postgres
(base) postgres@pc:~$ nano /etc/postgresql/11/fabmnet/pg_hba.conf
Unable to create directory /home/marco/.local/share/nano/: Permission denied
It is required for saving/loading search history or cursor positions.

Press Enter to continue

# TYPE  DATABASE        USER            ADDRESS                 METHOD

# Database administrative login by Unix domain socket
local   all             postgres                                peer

# TYPE  DATABASE        USER            ADDRESS                 METHOD

# "local" is for Unix domain socket connections only
local   all             all                                     peer
# IPv4 local connections:
host    all             all             127.0.0.1/32            md5

# Allow connections from 10.1.2.0/24 subnet only to fabric_ca_db for fabric_ca_user
hostssl fabmnetdb       fabmnet_admin   10.1.2.0/24             cert

# IPv6 local connections:
host    all             all             ::1/128                 md5
# Allow replication connections from localhost, by a user with the
# replication privilege.
local   replication     all                                     peer
host    replication     all             127.0.0.1/32            md5
host    replication     all             ::1/128                 md5

And this is the db's configuration in (base) marco@pc:~$ nano ./fabric/fabric-ca/fabric-ca-server-config.yaml :

db:
  type: postgres
  datasource: host=localhost port=5433 user=fabmnet_admin password=pwd dbname=fabmnetdb sslmode=verify-full

How do I correctly set up an SSL connection to a PostgreSQL-11 db?

Looking forward to your kind help
Marco
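
Added example, not part of the original post: a simplified Python model of PostgreSQL's first-match rule for pg_hba.conf, run over the records quoted above to show which record governs a connection to localhost like the one fabric-ca-server makes. It handles only plain database and user names, `all`, and CIDR addresses; the function names `parse` and `first_match` are this example's own.

```python
import ipaddress

# pg_hba.conf records copied from the post, in file order (comments dropped).
PG_HBA = """\
local   all         postgres                      peer
local   all         all                           peer
host    all         all            127.0.0.1/32   md5
hostssl fabmnetdb   fabmnet_admin  10.1.2.0/24    cert
host    all         all            ::1/128        md5
local   replication all                           peer
host    replication all            127.0.0.1/32   md5
host    replication all            ::1/128        md5
"""

def parse(text):
    """Yield (type, databases, users, network, method) for each record."""
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if not f:
            continue
        if f[0] == "local":  # local records have no ADDRESS column
            yield f[0], f[1].split(","), f[2].split(","), None, f[3]
        else:
            net = ipaddress.ip_network(f[3])
            yield f[0], f[1].split(","), f[2].split(","), net, f[4]

def first_match(records, db, user, addr=None, ssl=False):
    """Return (type, method) of the first matching record, or None.
    addr=None models a Unix-socket connection."""
    ip = ipaddress.ip_address(addr) if addr else None
    for typ, dbs, users, net, method in records:
        if ip is None:
            if typ != "local":
                continue
        else:
            # "host" matches TCP with or without SSL; hostssl needs SSL.
            if typ == "local" or (typ == "hostssl" and not ssl) \
                    or (typ == "hostnossl" and ssl):
                continue
            if ip.version != net.version or ip not in net:
                continue
        # The "replication" keyword only matches replication connections,
        # which this sketch does not model.
        if ("all" in dbs or db in dbs) and ("all" in users or user in users):
            return typ, method
    return None  # no record matches: the server rejects the connection

RECORDS = list(parse(PG_HBA))
```

For 127.0.0.1 or ::1 the result is the `host ... md5` record, whether or not SSL is in use; the `hostssl ... cert` record is reached only by SSL connections from 10.1.2.0/24.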
