On 23-09-2014 19:21, Axel Rau wrote:
The problem below disappears if I remove client key and cert from ~/.postgresql, just keeping root.crt.
Which subject CN or Subject Alternative Name should I use with the client cert?
The user name or the FQDN of the client host comes to mind. The docs are unclear on that point.
Axel
Am 18.09.2014 um 22:57 schrieb Axel Rau <Axel.Rau@xxxxxxxxx>:
Hi all,
I’m getting
psql: SSL error: certificate verify failed
after renewing server and client certs.
Both certs validate OK with openssl:
- - -
openssl verify -verbose -CAfile ca_cert.pem -purpose sslserver /usr/local/pgsql/data-l/db1.in.chaos1.de_server_cert.pem
/usr/local/pgsql/data-l/db1.in.chaos1.de_server_cert.pem: OK
- - -
openssl verify -verbose -CAfile ca_cert.pem -purpose sslclient db1.in.chaos1.de_server_cert.pem
db1.in.chaos1.de_server_cert.pem: OK
- - -
X509v3 extensions of the server cert are
- - -
X509v3 Subject Key Identifier:
E2:F8:B9:D0:94:F2:70:BD:BE:84:EE:5C:7B:45:95:47:E4:9F:49:3B
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage: critical
TLS Web Server Authentication
X509v3 Subject Alternative Name: critical
DNS:some.host, DNS:another host
- - -
and of the client cert
- - -
X509v3 Subject Key Identifier:
E2:F8:B9:D0:94:F2:70:BD:BE:84:EE:5C:7B:45:95:47:E4:9F:49:3B
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage: critical
TLS Web Client Authentication
X509v3 Subject Alternative Name: critical
DNS:some.host, DNS:another host
- - -
How can this be?
What am I doing wrong?
Axel
PS: This is still this issue:
http://article.gmane.org/gmane.comp.db.postgresql.admin/38559
Thanks for your answer.
The CN should be the user name of the database from which the client is
going to log in.
According to the docs, this is required with authentication by client cert (AbCC), which I did not use.
I created a cert with the db user name as CN and no Subject Alternative Name (SAN), and this solved my problem!
There should really be a hint in the docs that SSL does not work with client certs containing one or more SANs.
Now the next question: If I switch to AbCC, how can I configure more than one db user per login?
Thanks, Axel
---
PGP-Key:29E99DD6 ☀ +49 151 2300 9283 ☀ computing @ chaos claudius
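As an added example (not from this thread), here is the mechanism behind the last question: with `cert` authentication PostgreSQL compares the certificate CN with the requested database user, and a `map=` option in pg_hba.conf pointing at a pg_ident.conf map lets one CN log in as several roles. The function below reproduces pg_ident.conf's lookup semantics (plain entries plus the `/regex` form with `\1` substitution) on a constructed sample; the map name, CN and domain are assumptions.

```python
import re

# Constructed sample pg_ident.conf (not from the thread):
# map-name  system-username  database-username
SAMPLE_PG_IDENT = """
# one client-cert CN may be mapped to several database roles
certmap   axel                       axel
certmap   axel                       app_ro
# regex form: '/' prefix, first capture group replaces \\1
certmap   /^(.*)@example\\.org$      \\1
"""


def parse_pg_ident(text):
    """Return (map, system_name, db_user) tuples, skipping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed pg_ident line: {raw!r}")
        entries.append(tuple(parts))
    return entries


def allowed_db_users(entries, map_name, cert_cn):
    """Database roles a client cert with CN cert_cn may log in as under map_name.

    A system-username starting with '/' is a regular expression; if it matches,
    \\1 in database-username is replaced by its first capture group.
    """
    users = []
    for mname, sysname, dbuser in entries:
        if mname != map_name:
            continue
        if sysname.startswith("/"):
            m = re.search(sysname[1:], cert_cn)
            if not m:
                continue
            if "\\1" in dbuser:
                if not m.groups():
                    raise ValueError("database-username uses \\1 but regex has no capture group")
                dbuser = dbuser.replace("\\1", m.group(1))
            users.append(dbuser)
        elif sysname == cert_cn:
            users.append(dbuser)
    return users


def login_permitted(entries, map_name, cert_cn, requested_user):
    """True if the requested database user is reachable from this CN via the map."""
    return requested_user in allowed_db_users(entries, map_name, cert_cn)
```

A CN that is not listed in the map (and matches no regex entry) yields an empty list, so the login is refused even though the certificate itself chains to root.crt.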