Vitaliyi wrote:
> another error appeared:
>
> psql: SSL error: sslv3 alert bad certificate
>
> so I started from beginning:
> on CA:
> openssl genrsa -out our.key 2048
>
> creating self-signed certificate:
> openssl req -new -key our.key -out our.req
> openssl req -x509 -in our.req -text -key our.key -out root.crt

It does not cause an error, but omit -text.

> copied root.crt to client and postgres server
>
> on server:
> openssl genrsa -out server.key 2048

You forgot here:
openssl req -new -key server.key -out /tmp/server.req

> on CA:
> openssl x509 -req -in /tmp/server.req -CA ./root.crt -CAkey our.key
> -CAcreateserial -out server.crt
>
> on client:
> openssl genrsa -out postgresql.key 2048
> openssl req -new -key postgresql.key -out cl.req
>
> on CA:
> openssl x509 -req -in /tmp/cl.req -CA ./root.crt -CAkey our.key
> -CAcreateserial -out postgresql.crt
>
> files on client host:
> postgresql.crt (signed by CA, -- root.crt)
> postgresql.key (client private and public keys)

Did you make sure that postgresql.key has permissions 0600?

> root.crt
>
> files on postgresql server:
> server.key (priv and pub keys)

Did you make sure that server.key has permissions 0600?

> server.crt (signed by root CA)
> root.crt
>
> stopped postgresql and started again
>
> on client:
>
> psql "dbname=me sslmode=require host=postgresql_host user=me"
> psql: SSL error: sslv3 alert bad certificate

That means, I guess, that the client does not like its certificate files.
Check that they are ok, with something like

openssl x509 -noout -dates -issuer -subject -in root.crt
or
openssl x509 -noout -text -in root.crt

Same for root.crt.

Yours,
Laurenz Albe
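
The procedure and checks discussed in this thread, as an added example that is not part of the original messages: it repeats the key and certificate steps non-interactively (without `-text`, with the server request included), then verifies each certificate against root.crt, confirms the key belongs to the certificate, and checks the 0600 permissions. The function names `make_pki` and `check_pair`, the `-subj` values and the single-directory layout are assumptions made for the example.

```shell
#!/bin/sh
# Added example; subject names and directory layout are constructed.
# Usage: d=$(mktemp -d); make_pki "$d"; check_pair "$d/root.crt" "$d/server.crt" "$d/server.key"

# make_pki DIR: CA, server and client keys/certificates as in the thread.
make_pki() {
    d=$1
    openssl genrsa -out "$d/our.key" 2048 2>/dev/null
    openssl req -new -key "$d/our.key" -subj "/CN=Example Test CA" -out "$d/our.req"
    openssl req -x509 -in "$d/our.req" -key "$d/our.key" -out "$d/root.crt" 2>/dev/null
    # name:CN pairs; CNs taken from the psql command in the thread (host, user)
    for pair in server:postgresql_host postgresql:me; do
        name=${pair%%:*}; cn=${pair#*:}
        openssl genrsa -out "$d/$name.key" 2048 2>/dev/null
        openssl req -new -key "$d/$name.key" -subj "/CN=$cn" -out "$d/$name.req"
        openssl x509 -req -in "$d/$name.req" -CA "$d/root.crt" -CAkey "$d/our.key" \
            -CAcreateserial -out "$d/$name.crt" 2>/dev/null
        chmod 0600 "$d/$name.key"
    done
}

# check_pair ROOT CERT KEY: returns 0 only if every check passes.
check_pair() {
    root=$1 cert=$2 key=$3 rc=0
    # 1. The certificate must chain to the root both hosts were given.
    openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: $cert does not verify against $root"; rc=1; }
    # 2. The private key must hold the public key stored in the certificate.
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null) || cert_pub=
    key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null) || key_pub=
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: $key is not the private key for $cert"; rc=1; }
    # 3. The key file must have mode 0600 exactly.
    [ -n "$(find "$key" -prune -perm 0600)" ] ||
        { echo "FAIL: $key permissions are not 0600"; rc=1; }
    # On success, print the fields suggested in the reply.
    [ "$rc" -eq 0 ] && openssl x509 -noout -dates -issuer -subject -in "$cert"
    return "$rc"
}
```
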