I found a solution to the problem, which I’ll send here to help those
who find the original email via search.
The intermediate CRL file must be concatenated to CRL files going back
to the root CA.
On 26 Feb 2017, at 15:42, Frazer McLean wrote:
Hi,
I was trying to set up PostgreSQL to use a certificate revocation list
so I could revoke client certificates, but was unable to get it to
work.
I was following [this tutorial][1] to create root and intermediate CA
certificates, then producing certificates for the PostgreSQL server
and client.
I have created a [Dockerfile][2] which shows the problem. The short
story is that with the CRL I’ve created in PEM format, a client
certificate is rejected with error “psql: SSL error: tlsv1 alert
unknown ca”. If I don’t set ssl_crl_file, the client certificate
is accepted.
I tested on 9.4-9.6. I tried to find examples about using ssl_crl_file
but wasn’t able to find anything. I found [this message][3] from
2014 without any replies.
[1]: https://jamielinux.com/docs/openssl-certificate-authority/index.html
[2]: https://github.com/RazerM/postgres_crl_test
[3]: https://postgrespro.com/list/thread-id/1163456
Kind regards,
Frazer McLean
--
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
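The solution above can be reproduced outside PostgreSQL, because the server checks CRLs for every CA in the client's chain (OpenSSL's CRL_CHECK_ALL), so a CRL issued by each CA, root included, has to be in ssl_crl_file. The script below is an added example, not code from this thread or from PostgreSQL: it assumes the openssl command line tool is on PATH and constructs a throwaway root CA, intermediate CA and client certificate in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild the failure with openssl alone.
# PostgreSQL verifies with CRL checking for every CA in the chain, so a CRL
# issued by each CA, root included, must be present in ssl_crl_file.
set -eu
cd "$(mktemp -d)"
mkcnf() {                    # per-CA openssl config with its own CRL database
  : > "$1.idx"
  cat > "$1.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ca]
default_ca = d
[d]
database = $1.idx
default_md = sha256
EOF
}
gencrl() {                   # (re)issue the CRL of CA "$1"
  openssl ca -config "$1.cnf" -gencrl -keyfile "$1.key" -cert "$1.crt" \
    -crldays 30 -out "$1.crl" 2>/dev/null
}
verify_with() {              # chain-wide CRL check, as the server does; prints verdict
  openssl verify -crl_check_all -CAfile ca.crt -CRLfile "$1" client.crt 2>&1 || true
}
mkcnf root; mkcnf int
openssl req -x509 -config root.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
  -keyout root.key -out root.crt -subj /CN=Root -days 30 2>/dev/null
openssl req -config int.cnf -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -subj /CN=Intermediate 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -extfile int.cnf -extensions ca_ext -out int.crt -days 30 2>/dev/null
openssl req -config int.cnf -newkey rsa:2048 -nodes -keyout client.key \
  -out client.csr -subj /CN=client 2>/dev/null
openssl x509 -req -in client.csr -CA int.crt -CAkey int.key -CAcreateserial \
  -out client.crt -days 30 2>/dev/null
cat int.crt root.crt > ca.crt          # what ssl_ca_file holds
gencrl root; gencrl int
ONLY_INT=$(verify_with int.crl)        # "unable to get certificate CRL" at depth 1
cat int.crl root.crl > chain.crl       # the fix: one file with every CA's CRL
CHAIN_OK=$(verify_with chain.crl)      # "client.crt: OK"
openssl ca -config int.cnf -revoke client.crt -keyfile int.key -cert int.crt >/dev/null 2>&1
gencrl int; cat int.crl root.crl > chain.crl
CHAIN_REVOKED=$(verify_with chain.crl) # "certificate revoked"
printf '%s\n---\n%s\n---\n%s\n' "$ONLY_INT" "$CHAIN_OK" "$CHAIN_REVOKED"
```

The first verdict is the same failure the server reports as "unknown ca" to psql; the concatenated chain.crl is what ssl_crl_file should point at, and it must be regenerated whenever any CA in the chain reissues its CRL.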