>> don't know where it is looking for "root.crl", but it is in the directory
>> with root.crt and server.key, server.crt
>
> That should be harmless...

Removed root.crl. The same effect.

> Let me reexamine your original mail:
>
>> generating another key on server:
> [...]
>> signing on CA:
>> openssl req -x509 -in server.req -text -key our.key -out server.crt
>
> That's the problem, I think.
> With this statement you generate a self signed certificate from server.req
> (check with "openssl x509 -in server.crt -text -noout").
>
> What you need is a certificate signed by root.crt.
>
> You can do it like this:
>
> openssl x509 -req -in server.req -CA root.crt -CAkey our.key -CAcreateserial -out server.crt
>
> See if that gets rid of the message!

Another error appeared:

psql: SSL error: sslv3 alert bad certificate

So I started from the beginning:

on CA:
openssl genrsa -out our.key 2048

creating self-signed certificate:
openssl req -new -key our.key -out our.req
openssl req -x509 -in our.req -text -key our.key -out root.crt

copied root.crt to client and postgres server

on server:
openssl genrsa -out server.key 2048

on CA:
openssl x509 -req -in /tmp/server.req -CA ./root.crt -CAkey our.key -CAcreateserial -out server.crt

on client:
openssl genrsa -out postgresql.key 2048
openssl req -new -key postgresql.key -out cl.req

on CA:
openssl x509 -req -in /tmp/cl.req -CA ./root.crt -CAkey our.key -CAcreateserial -out postgresql.crt

files on client host:
postgresql.crt (signed by CA -- root.crt)
postgresql.key (client private and public keys)
root.crt

files on postgresql server:
server.key (priv and pub keys)
server.crt (signed by root CA)
root.crt

stopped postgresql and started again

on client:
psql "dbname=me sslmode=require host=postgresql_host user=me"
psql: SSL error: sslv3 alert bad certificate

on server in logs:
postgres[29299]: [3-1] LOG: could not accept SSL connection: no certificate returned

Where was I wrong? :(
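
The check suggested in the quoted reply, as an added example that is not part of the original thread: it builds a throwaway CA, issues server.crt once with the `req -x509` command from the first mail and once with the `x509 -req -CA` command from the reply, then compares the two with `openssl verify` and an issuer/subject comparison. The subject names (`Example Root CA`, `db.example.test`), the output file names `selfsigned.crt` and `signed.crt`, and the temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. Subject names and the temporary directory are constructed.
set -e

# True if the certificate's issuer name equals its own subject name.
is_self_issued() {
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ "$s" = "$i" ]
}

# True if certificate $2 verifies against the CA certificate $1.
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Build the CA and both variants of server.crt in directory $1.
build_demo() {
    d=$1
    openssl genrsa -out "$d/our.key" 2048 2>/dev/null
    openssl req -new -key "$d/our.key" -subj "/CN=Example Root CA" -out "$d/our.req"
    openssl req -x509 -in "$d/our.req" -key "$d/our.key" -out "$d/root.crt"
    openssl genrsa -out "$d/server.key" 2048 2>/dev/null
    openssl req -new -key "$d/server.key" -subj "/CN=db.example.test" -out "$d/server.req"
    # Command from the original mail: issuer is copied from the request's subject.
    openssl req -x509 -in "$d/server.req" -key "$d/our.key" -out "$d/selfsigned.crt"
    # Command from the reply: issuer is root.crt's subject.
    openssl x509 -req -in "$d/server.req" -CA "$d/root.crt" -CAkey "$d/our.key" \
        -CAcreateserial -out "$d/signed.crt" 2>/dev/null
}

# Print one summary line for certificate $2 checked against CA certificate $1.
report() {
    if chains_to "$1" "$2"; then v="verifies against root.crt"; else v="does NOT verify"; fi
    if is_self_issued "$2"; then n="issuer == subject"; else n="issuer != subject"; fi
    echo "$(basename "$2"): $v, $n"
}

demo_dir=$(mktemp -d)
build_demo "$demo_dir"
report "$demo_dir/root.crt" "$demo_dir/selfsigned.crt"
report "$demo_dir/root.crt" "$demo_dir/signed.crt"
rm -rf "$demo_dir"
```

Running the same two functions against the real server.crt and postgresql.crt with the deployed root.crt confirms whether each one chains to the CA before PostgreSQL is restarted.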