Re: Cert verify failed on client side after renewal of certs

The problem below disappears if I remove the client key and cert from ~/.postgresql, keeping just root.crt.
Which subject CN or Subject Alternative Name should I use with the client cert?
User name or FQDN of the client host comes to mind. The docs are unclear on that point.

Axel

On 18.09.2014 at 22:57, Axel Rau <Axel.Rau@xxxxxxxxx> wrote:

> Hi all,
> 
> I’m getting
> 	psql: SSL error: certificate verify failed 
> after renewing server and client certs.
> Both certs are validated ok by openssl:
> - - -
> openssl verify -verbose -CAfile ca_cert.pem -purpose sslserver /usr/local/pgsql/data-l/db1.in.chaos1.de_server_cert.pem
> /usr/local/pgsql/data-l/db1.in.chaos1.de_server_cert.pem: OK
> - - -
> openssl verify -verbose -CAfile ca_cert.pem -purpose sslclient db1.in.chaos1.de_server_cert.pem
> db1.in.chaos1.de_server_cert.pem: OK
> - - -
> x509 extensions of server cert are
> - - -
>            X509v3 Subject Key Identifier: 
>                E2:F8:B9:D0:94:F2:70:BD:BE:84:EE:5C:7B:45:95:47:E4:9F:49:3B
>            X509v3 Basic Constraints: critical
>                CA:FALSE
>            X509v3 Key Usage: critical
>                Digital Signature, Key Encipherment
>            X509v3 Extended Key Usage: critical
>                TLS Web Server Authentication
>            X509v3 Subject Alternative Name: critical
>                DNS:some.host, DNS:another host
> - - -
> and of client cert
> - - -
>            X509v3 Subject Key Identifier: 
>                E2:F8:B9:D0:94:F2:70:BD:BE:84:EE:5C:7B:45:95:47:E4:9F:49:3B
>            X509v3 Basic Constraints: critical
>                CA:FALSE
>            X509v3 Key Usage: critical
>                Digital Signature
>            X509v3 Extended Key Usage: critical
>                TLS Web Client Authentication
>            X509v3 Subject Alternative Name: critical
>                DNS:some.host, DNS:another host
> - - -
> How can this be?
> What am I doing wrong?
> 
> Axel
> PS: This is still this issue:
> 	http://article.gmane.org/gmane.comp.db.postgresql.admin/38559
> —
> PGP-Key:29E99DD6  ☀ +49 151 2300 9283  ☀ computing @ chaos claudius
> 
> 
> 
> -- 
> Sent via pgsql-admin mailing list (pgsql-admin@xxxxxxxxxxxxxx)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-admin

---
PGP-Key:29E99DD6  ☀ +49 151 2300 9283  ☀ computing @ chaos claudius


