Search Postgresql Archives

Re: Changed SSL Certificates

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Apr 8, 2011 at 1:42 PM, Carlos Mennens <carlos.mennens@xxxxxxxxx> wrote:
I had self signed SSL certificates on my database server but since
then removed them and received updated certificates from the security
team. I removed (backedup) the old server.crt & server.key and now
have db1_ssl.crt & db1_ssl.key in the identical location as the old
SSL certificates. I then went to /etc/postgres/8.4/main and removed
the old symbolic links for the old certificates and generated new
symbolic links:

ln -s /etc/ssl/certs/db1_ssl.crt db1_ssl.crt
ln -s /etc/ssl/private/db1_ssl.key db1_ssl.key

I then restarted PostgreSQL and got the following error:

2011-04-08 09:54:34 EDT FATAL:  could not load server certificate file
"server.crt": No such file or directory
2011-04-08 10:00:43 EDT FATAL:  could not load server certificate file
"server.crt": No such file or directory

I looked for anywhere else in /var/lib/postgres/ & /etc/postgres/ but
can't find anything else that's calling the old certificates. I
changed the ownership on the certificates and symbolic links to either
root or postgres and nothing worked. It fails to start with the
following error:


root@db1:/# /etc/init.d/postgresql start
Starting PostgreSQL 8.4 database server: mainThe PostgreSQL server
failed to start. Please check the log output: 2011-04-08 12:36:54 EDT
FATAL: could not load server certificate file "server.crt": No such
file or directory ... failed!

I checked the documentation page:

http://www.postgresql.org/docs/8.4/static/libpq-ssl.html

Table 30-4. Libpq/Client SSL File Usage

File    Contents        Effect
~/.postgresql/postgresql.crt    client certificate      requested by server
~/.postgresql/postgresql.key    client private key      proves client
certificate sent by owner; does not indicate certificate owner is
trustworthy
~/.postgresql/root.crt  trusted certificate authorities checks server
certificate is signed by a trusted certificate authority
~/.postgresql/root.crl  certificates revoked by certificate
authorities     server certificate must not be on this list

Can anyone tell me what I'm doing wrong or missing here? I can't
disable SSL per DoD requirements sadly.

-Carlos

--
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general

Hi,

When linking to the certificate and key you should specify the full path.

ln -s /etc/ssl/certs/db1_ssl.crt      /full/path/to/db1_ssl.crt
ln -s /etc/ssl/private/db1_ssl.key   /full/path/to/db1_ssl.key

HTH,

diego
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Postgresql Jobs]     [Postgresql Admin]     [Postgresql Performance]     [Linux Clusters]     [PHP Home]     [PHP on Windows]     [Kernel Newbies]     [PHP Classes]     [PHP Books]     [PHP Databases]     [Postgresql & PHP]     [Yosemite]
  Powered by Linux