From: | "Albe Laurenz" <laurenz(dot)albe(at)wien(dot)gv(dot)at> |
---|---|
To: | "Vitaliyi *EXTERN*" <imgrey(at)gmail(dot)com> |
Cc: | <pgsql-general(at)postgresql(dot)org> |
Subject: | Re: SSL auth problem |
Date: | 2008-05-16 11:46:44 |
Message-ID: | D960CB61B694CF459DCFB4B0128514C2021DDC6F@exadv11.host.magwien.gv.at |
Lists: | pgsql-general |
Please, always CC: the list in your replies!
Vitaliyi wrote:
> > - Did you put the same thing in root.crt on both client and server?
>
> yes
>
> > - Does root.crt contain a self-signed certificate?
>
> yes
>
> > - Does root.crt contain the certificate that was used to
> sign server.crt and postgresql.crt?
>
> yes
>
> > - Are there any SSL messages in the server log file
> immediately after server startup?
>
>
> LOG: SSL certificate revocation list file "root.crl" not found,
> skipping: no SSL error reported
> DETAIL: Certificates will not be checked against revocation list.
>
> don't know where it is looking for "root.crl", but it is in the directory
> with root.crt and server.key, server.crt
That should be harmless...
Let me reexamine your original mail:
> generating another key on server:
[...]
> signing on CA:
> openssl req -x509 -in server.req -text -key our.key -out server.crt
That's the problem, I think.
With this statement you generate a self-signed certificate from server.req
(check with "openssl x509 -in server.crt -text -noout").
What you need is a certificate signed by root.crt.
You can do it like this:
openssl x509 -req -in server.req -CA root.crt -CAkey our.key -CAcreateserial -out server.crt
See if that gets rid of the message!
Yours,
Laurenz Albe
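
The difference between the two signing commands in the message above, as an added example that is not part of the original mail: it builds a throwaway CA and server request, signs the request both ways, and checks each result against root.crt with `openssl verify`. The subjects, the `selfsigned.crt` file name and all function names are assumptions made for the example; the other file names follow the thread.

```shell
#!/bin/sh
# Added example. Constructed throwaway CA and server key; function names are
# hypothetical. Requires the openssl command-line tool.

make_fixtures() {  # $1 = empty work directory
    # CA key plus the self-signed root certificate (root.crt is meant to be self-signed).
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/our.key" \
        -subj "/CN=Example Root CA" -days 1 -out "$1/root.crt" 2>/dev/null &&
    # Server key plus certificate request.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/server.key" \
        -subj "/CN=db.example.test" -out "$1/server.req" 2>/dev/null
}

sign_as_in_original_mail() {  # the "req -x509" form; writes $1/selfsigned.crt
    openssl req -x509 -in "$1/server.req" -key "$1/our.key" \
        -out "$1/selfsigned.crt" 2>/dev/null
}

sign_with_ca() {  # the "x509 -req -CA" form; writes $1/server.crt
    openssl x509 -req -in "$1/server.req" -CA "$1/root.crt" -CAkey "$1/our.key" \
        -CAcreateserial -out "$1/server.crt" 2>/dev/null
}

is_self_issued() {  # true when issuer and subject of certificate $1 are identical
    issuer=$(openssl x509 -in "$1" -noout -issuer)
    subject=$(openssl x509 -in "$1" -noout -subject)
    [ "${issuer#issuer=}" = "${subject#subject=}" ]
}

chains_to_root() {  # true when certificate $2 verifies against CA file $1
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

report() {  # $1 = work directory, $2 = certificate file name
    if is_self_issued "$1/$2"; then kind="issuer equals subject"; else kind="issuer differs from subject"; fi
    if chains_to_root "$1/root.crt" "$1/$2"; then chain="verifies"; else chain="does NOT verify"; fi
    echo "$2: $kind, $chain against root.crt"
}

demo() {
    dir=$(mktemp -d) || return 1
    make_fixtures "$dir" && sign_as_in_original_mail "$dir" && sign_with_ca "$dir" &&
        report "$dir" selfsigned.crt && report "$dir" server.crt
    rc=$?; rm -rf "$dir"; return $rc
}
demo
```

The same two checks (`-issuer`/`-subject` and `openssl verify -CAfile root.crt`) can be run on postgresql.crt, which per the thread must be signed by the same root.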