Please, always CC: the list in your replies!

Vitaliyi wrote:
> > - Did you put the same thing in root.crt on both client and server?
>
> yes
>
> > - Does root.crt contain a self signed certificate?
>
> yes
>
> > - Does root.crt contain the certificate that was used to
> sign server.crt and postgresql.crt?
>
> yes
>
> > - Are there any SSL messages in the server log file
> immediately after server startup?
>
>
> LOG: SSL certificate revocation list file "root.crl" not found,
> skipping: no SSL error reported
> DETAIL: Certificates will not be checked against revocation list.
>
> don't know where it looking for "root.crl", but it is in directory
> with root.crt and server.key, server.crt

That should be harmless...

Let me reexamine your original mail:

> generating another key on server:
[...]
> signing on CA:
> openssl req -x509 -in server.req -text -key our.key -out server.crt

That's the problem, I think.
With this statement you generate a self signed certificate from server.req
(check with "openssl x509 -in server.crt -text -noout").

What you need is a certificate signed by root.crt.
You can do it like this:

openssl x509 -req -in server.req -CA root.crt -CAkey our.key -CAcreateserial -out server.crt

See if that gets rid of the message!

Yours,
Laurenz Albe
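
Added example, not part of the original mail: a script that builds a throwaway CA, issues the server certificate with both commands discussed above, and checks each result against root.crt. The subjects, key size, lifetimes, the file name server_selfissued.crt and the function names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example. Subjects, key sizes and lifetimes are constructed values;
# only root.crt, our.key, server.req and server.crt are names from the mail.

# Build a throwaway CA and both variants of the server certificate in dir $1.
make_pki() {
    d=$1
    # CA key (our.key) and self-signed CA certificate (root.crt)
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Root CA" \
        -keyout "$d/our.key" -out "$d/root.crt" 2>/dev/null || return 1
    # Server key and certificate request
    openssl req -newkey rsa:2048 -nodes -subj "/CN=db.example.test" \
        -keyout "$d/server.key" -out "$d/server.req" 2>/dev/null || return 1
    # Command from the original mail: issuer is copied from the request
    openssl req -x509 -in "$d/server.req" -key "$d/our.key" -days 30 \
        -out "$d/server_selfissued.crt" 2>/dev/null || return 1
    # Corrected command: issuer is the subject of root.crt
    openssl x509 -req -in "$d/server.req" -CA "$d/root.crt" \
        -CAkey "$d/our.key" -CAcreateserial -days 30 \
        -out "$d/server.crt" 2>/dev/null
}

# Print "self-issued" if issuer and subject match, otherwise "ca-issued".
issuer_kind() {
    i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    if [ "$i" = "$s" ]; then echo self-issued; else echo ca-issued; fi
}

# Succeed only if certificate $2 verifies against CA certificate $1.
chains_to() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Demo run in a temporary directory
demo() {
    d=$(mktemp -d) || return 1
    make_pki "$d" || { rm -rf "$d"; return 1; }
    for c in server_selfissued.crt server.crt; do
        if chains_to "$d/root.crt" "$d/$c"; then v=trusted; else v=rejected; fi
        echo "$c: $(issuer_kind "$d/$c"), $v by root.crt"
    done
    rm -rf "$d"
}
demo
```

The same `openssl verify -CAfile root.crt server.crt` check can be run on the real files before restarting the server.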