Friday, May 16, 2008

Re: [GENERAL] SSL auth problem

Please, always CC: the list in your replies!

Vitaliyi wrote:
> > - Did you put the same thing in root.crt on both client and server?
>
> yes
>
> > - Does root.crt contain a self signed certificate?
>
> yes
>
> > - Does root.crt contain the certificate that was used to
> sign server.crt and postgresql.crt?
>
> yes
>
> > - Are there any SSL messages in the server log file
> immediately after server startup?
>
>
> LOG: SSL certificate revocation list file "root.crl" not found,
> skipping: no SSL error reported
> DETAIL: Certificates will not be checked against revocation list.
>
> don't know where it looking for "root.crl", but it is in directory
> with root.crt and server.key, server.crt

That should be harmless...

Let me reexamine your original mail:

> generating another key on server:
[...]
> signing on CA:
> openssl req -x509 -in server.req -text -key our.key -out server.crt

That's the problem, I think.

With this statement you generate a self signed certificate from server.req
(check with "openssl x509 -in server.crt -text -noout").

What you need is a certificate signed by root.crt.

You can do it like this:

openssl x509 -req -in server.req -CA root.crt -CAkey our.key -CAcreateserial -out server.crt

See if that gets rid of the message!

Yours,
Laurenz Albe

--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general

No comments: