Search Postgresql Archives

Re: SSL auth problem

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Vitaliyi wrote:
> I'm trying to setup SSL auth.
> 
> creating CA:
> 
> openssl genrsa -out our.key 2048
> openssl req -new -key our.key -out our.req
> openssl req -x509 -in our.req -text -key our.key -out root.crt
> 
> then I copy root.crt on postgresql host and to client host in 
> ~/.postgresql
> 
> generating another key on server:
> 
> openssl genrsa -out server.key 2048
> then request for signing to CA:
> openssl req -new -key server.key -out server.req
> 
> signing on CA:
> 
> openssl req -x509 -in server.req -text -key our.key -out server.crt
> 
> now in postgresql data dir following files:
> 
> server.crt
> server.key
> root.crt
> and blank root.crl
> 
> on client host:
> 
> cd ~/.postgresql
> openssl genrsa -out postgresql.key 2048
> then signing with our.key on CA and placing postgresql.crt, root.crt
> to ~/.postgresql
> 
> 
> This is my picture of what is happening:
> 
> 1. we using our CA public key to generate root.crt:
> 
> root_signature = ca_pub_key**ca_priv_key % n
> 
> 2. on postgres server creating key-pair and signing public key on CA, receiving
> server_signature (server.crt):
> 
> server_signature = server_pub_key**root_priv_key % n
> 
> Client using server_signature before encrypting and sending message to server:
> 
> server_pub_key = server_signature**root_pub_key % n
> 
> if server_pub_key is valid then user encrypting message with server_pub_key.
> 
> 
> 3. Client generating his own key-pair and asking our CA to 
> sign his public key.
> 
> client_signature = client_pub_key**ca_priv_key % n
> 
> client_signature he writing to postgresql.crt, which server using when sending something
> to client:
> 
> client_pub_key = client_signature**root_pub_key % n
> 
> 
> If everything is correct, than why psql complaining:
> 
> psql "dbname=me sslmode=require host=postgres_server user=me"
> psql: SSL error: certificate verify failed
> 
> log on postgres_server:
> 
> postgres[98462]: [3-1] LOG:  could not accept SSL connection: tlsv1
> alert unknown ca

I could not follow completely, so let me ask:

- Did you put the same thing in root.crt on both client and server?
- Does root.crt contain a self signed certificate?
- Does root.crt contain the certificate that was used to sign server.crt and postgresql.crt?
- Are there any SSL messages in the server log file immediately after server startup?

Yours,
Laurenz Albe


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Postgresql Jobs]     [Postgresql Admin]     [Postgresql Performance]     [Linux Clusters]     [PHP Home]     [PHP on Windows]     [Kernel Newbies]     [PHP Classes]     [PHP Books]     [PHP Databases]     [Postgresql & PHP]     [Yosemite]
  Powered by Linux