Well, it turned out that the CRL was in the wrong format. So, I managed to convert it with OpenSSL and it loaded properly. I do have one more question... the Treasury Department, which produces these certificates for us, expires all the CRL's in just 6 hours, so does that mean I'd have to do restart on the database each time I got a new one or would a reload work? Sent from my iPad > On Jun 14, 2017, at 4:50 PM, Tom Lane <tgl@xxxxxxxxxxxxx> wrote: > > John Scalia <jayknowsunix@xxxxxxxxx> writes: >> I've got SSL working without the crl file, but when I set ssl_crl_file to >> use the one I have, it says FATAL on a restart and no SSL error reported. >> This is not very helpful. > > Did you look into the postmaster log? Experimenting with an intentionally > corrupted CRL file here, I get log messages along the lines of > > 2017-06-14 16:45:15.096 EDT [22759] LOG: parameter "ssl_crl_file" changed to "root+client.crl" > 2017-06-14 16:45:15.102 EDT [22759] LOG: could not load SSL certificate revocation list file "root+client.crl": bad base64 decode > > The actually useful part of that comes out of OpenSSL, and we don't have > a lot of control about how specific it is ... but there should be > *something*. > > regards, tom lane -- Sent via pgsql-admin mailing list (pgsql-admin@xxxxxxxxxxxxxx) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-admin
