Vitaliyi wrote:
> I'm trying to set up SSL auth.
>
> creating CA:
>
> openssl genrsa -out our.key 2048
> openssl req -new -key our.key -out our.req
> openssl req -x509 -in our.req -text -key our.key -out root.crt
>
> then I copy root.crt to the postgresql host and to the client host in
> ~/.postgresql
>
> generating another key on server:
>
> openssl genrsa -out server.key 2048
>
> then request for signing to CA:
>
> openssl req -new -key server.key -out server.req
>
> signing on CA:
>
> openssl req -x509 -in server.req -text -key our.key -out server.crt
>
> now in postgresql data dir the following files:
>
> server.crt
> server.key
> root.crt
> and blank root.crl
>
> on client host:
>
> cd ~/.postgresql
> openssl genrsa -out postgresql.key 2048
>
> then signing with our.key on CA and placing postgresql.crt, root.crt
> to ~/.postgresql
>
>
> This is my picture of what is happening:
>
> 1. we are using our CA public key to generate root.crt:
>
> root_signature = ca_pub_key**ca_priv_key % n
>
> 2. on the postgres server creating a key-pair and signing the public key on CA, receiving
> server_signature (server.crt):
>
> server_signature = server_pub_key**root_priv_key % n
>
> Client uses server_signature before encrypting and sending a message to the server:
>
> server_pub_key = server_signature**root_pub_key % n
>
> if server_pub_key is valid then the user encrypts the message with server_pub_key.
>
>
> 3. Client generates his own key-pair and asks our CA to
> sign his public key.
>
> client_signature = client_pub_key**ca_priv_key % n
>
> client_signature he writes to postgresql.crt, which the server uses when sending something
> to the client:
>
> client_pub_key = client_signature**root_pub_key % n
>
>
> If everything is correct, then why is psql complaining:
>
> psql "dbname=me sslmode=require host=postgres_server user=me"
> psql: SSL error: certificate verify failed
>
> log on postgres_server:
>
> postgres[98462]: [3-1] LOG: could not accept SSL connection: tlsv1
> alert unknown ca

I could not follow completely, so let me ask:

- Did you put the same thing in root.crt on both client and server?
- Does root.crt contain a self-signed certificate?
- Does root.crt contain the certificate that was used to sign server.crt and postgresql.crt?
- Are there any SSL messages in the server log file immediately after server startup?

Yours,
Laurenz Albe
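Laurenz's third question, whether root.crt holds the certificate that actually issued server.crt and postgresql.crt, can be answered on either host with `openssl verify` before touching PostgreSQL. The script below is an added example written for this thread, not code from either poster: it builds a CA whose self-signed certificate is root.crt, issues the server and client leaves with `openssl x509 -req -CA root.crt -CAkey our.key` so that their issuer is the CA, and verifies each leaf against root.crt the same way libpq and the server do. The file names follow the quoted mail; the subjects (`Constructed Test CA`, `postgres_server`, `me`) and the `alt.*` files are constructed for the example. The last function shows, for contrast, that a certificate produced from a request with `openssl req -x509 -in ... -key our.key` does not chain to root.crt.

```shell
#!/bin/sh
# Added example for the thread above (not the posters' code): a minimal CA
# with openssl, CA-signed server/client leaves, and the chain check that
# libpq and the PostgreSQL server perform. Subjects and alt.* are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA certificate; this root.crt is what both hosts must trust.
make_ca() {
    openssl genrsa -out "$WORK/our.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$WORK/our.key" -days 365 \
        -subj "/CN=Constructed Test CA" -out "$WORK/root.crt"
}

# Issue a leaf: a CSR for $1.key with subject $2, signed by the CA
# certificate AND key, which is what sets the leaf's issuer to the CA.
issue_leaf() {
    name=$1; subject=$2
    openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$name.key" -subj "$subject" -out "$WORK/$name.req"
    openssl x509 -req -in "$WORK/$name.req" -days 365 \
        -CA "$WORK/root.crt" -CAkey "$WORK/our.key" -CAcreateserial \
        -out "$WORK/$name.crt" 2>/dev/null
}

# Chain check against root.crt, exactly what the TLS peer does; prints OK/FAIL.
verify_against_root() {
    if [ -f "$WORK/$1.crt" ] &&
       openssl verify -CAfile "$WORK/root.crt" "$WORK/$1.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# The issuer name is what the peer looks up in its trust store (root.crt).
issuer_of() {
    openssl x509 -in "$WORK/$1.crt" -noout -issuer
}

# Full run; prints "OK OK" when both leaves chain to root.crt.
run_chain_check() {
    command -v openssl >/dev/null 2>&1 || { echo SKIP; return 0; }
    make_ca
    issue_leaf server "/CN=postgres_server"
    issue_leaf postgresql "/CN=me"
    echo "$(verify_against_root server) $(verify_against_root postgresql)"
}

# Contrast: `req -x509 -in <csr> -key our.key` does not produce a CA-signed
# certificate (its issuer is not the CA), so it does not chain to root.crt.
run_req_x509_check() {
    command -v openssl >/dev/null 2>&1 || { echo SKIP; return 0; }
    [ -f "$WORK/root.crt" ] || make_ca
    openssl genrsa -out "$WORK/alt.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/alt.key" -subj "/CN=alt" -out "$WORK/alt.req"
    if ! openssl req -x509 -in "$WORK/alt.req" -key "$WORK/our.key" -days 365 \
            -out "$WORK/alt.crt" 2>/dev/null; then
        echo FAIL   # openssl refused to build the certificate at all
        return 0
    fi
    verify_against_root alt
}

# Stand-alone run: show both outcomes and the issuer the peer would look up.
echo "CA-signed leaves:  $(run_chain_check)"
echo "server.crt issuer: $(issuer_of server)"
echo "req -x509 'leaf':  $(run_req_x509_check)"
```

On a real installation the same check is `openssl verify -CAfile ~/.postgresql/root.crt ~/.postgresql/postgresql.crt` on the client and `openssl verify -CAfile root.crt server.crt` in the data directory; a leaf whose `-issuer` output does not equal root.crt's `-subject` is the usual reason for the `unknown ca` alert quoted above.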