[RESOLVED]Re: Cert verify failed on client side after renewal of certs - Mailing list pgsql-admin

From Axel Rau
Subject [RESOLVED]Re: Cert verify failed on client side after renewal of certs
Msg-id 06C16AEB-4CAA-42BE-8F23-C0573F710429@Chaos1.DE
In response to Re: Cert verify failed on client side after renewal of certs  (Adalkonda Harshad <adalkondaharshad@gmail.com>)
List pgsql-admin

On 24.09.2014 at 07:22, Adalkonda Harshad <adalkondaharshad@gmail.com> wrote:


On 23-09-2014 19:21, Axel Rau wrote:
The problem below disappears if I remove the client key and cert from ~/.postgresql, keeping only root.crt.
Which subject CN or Subject Alternative Name should I use with the client cert?
User name or FQDN of the client host comes to mind. The docs are unclear on that point.

Axel

On 18.09.2014 at 22:57, Axel Rau <Axel.Rau@chaos1.de> wrote:

Hi all,

I’m getting psql: SSL error: certificate verify failed
after renewing the server and client certs.
Both certs are validated OK by openssl:
- - -
openssl verify -verbose -CAfile ca_cert.pem -purpose sslserver /usr/local/pgsql/data-l/db1.in.chaos1.de_server_cert.pem
/usr/local/pgsql/data-l/db1.in.chaos1.de_server_cert.pem: OK
- - -
openssl verify -verbose -CAfile ca_cert.pem -purpose sslclient db1.in.chaos1.de_server_cert.pem
db1.in.chaos1.de_server_cert.pem: OK
- - -
The x509 extensions of the server cert are
- - -
          X509v3 Subject Key Identifier:
              E2:F8:B9:D0:94:F2:70:BD:BE:84:EE:5C:7B:45:95:47:E4:9F:49:3B
          X509v3 Basic Constraints: critical
              CA:FALSE
          X509v3 Key Usage: critical
              Digital Signature, Key Encipherment
          X509v3 Extended Key Usage: critical
              TLS Web Server Authentication
          X509v3 Subject Alternative Name: critical
              DNS:some.host, DNS:another host
- - -
and those of the client cert are
- - -
          X509v3 Subject Key Identifier:
              E2:F8:B9:D0:94:F2:70:BD:BE:84:EE:5C:7B:45:95:47:E4:9F:49:3B
          X509v3 Basic Constraints: critical
              CA:FALSE
          X509v3 Key Usage: critical
              Digital Signature
          X509v3 Extended Key Usage: critical
              TLS Web Client Authentication
          X509v3 Subject Alternative Name: critical
              DNS:some.host, DNS:another host
- - -
How can this be?
What am I doing wrong?

Axel
PS: This is still this issue: http://article.gmane.org/gmane.comp.db.postgresql.admin/38559
Thanks for your answer.

The CN should be the user name of the database from which the client is going to log in.
According to the docs, this is required with authentication by client cert (AbCC), which I did not use.
I created a cert with the db user name as CN and no Subject Alternative Name (SAN), and this solved my problem!
There should really be a hint in the docs that SSL does not work with client certs containing one or more SANs.

Now the next question: If I switch to AbCC, how can I configure more than one db user per login?

Thanks, Axel
---
PGP-Key:29E99DD6  ☀ +49 151 2300 9283  ☀ computing @ chaos claudius
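A small checker for the point settled in this thread, as an added example that is not from the thread or from PostgreSQL: it parses the extension dump that openssl x509 -noout -text prints (the two samples below are constructed to mimic the output quoted above) and reports whether the subject CN equals the intended database role, whether the cert carries the client-authentication EKU, and whether it has a SAN, which is what the author found broke the connection. The role name axel and the sample subjects are assumptions.

```python
import re

# Constructed sample in the shape of the client cert quoted in the thread:
# CN is a host name and a SAN is present (the combination that failed).
CLIENT_CERT_WITH_SAN = """\
        Subject: O = Example, CN = db1.in.chaos1.de
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage: critical
                TLS Web Client Authentication
            X509v3 Subject Alternative Name: critical
                DNS:some.host, DNS:another.host
"""

# Constructed sample of the shape that worked for the author: CN = db role, no SAN.
CLIENT_CERT_FIXED = """\
        Subject: O = Example, CN = axel
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage: critical
                TLS Web Client Authentication
"""

def parse_cert_text(text):
    """Extract subject CN, extended key usages and SAN entries from an openssl text dump."""
    m = re.search(r"^\s*Subject:.*?\bCN\s*=\s*([^,\n]+)", text, re.M)
    cn = m.group(1).strip() if m else None
    m = re.search(r"Extended Key Usage:[^\n]*\n\s*([^\n]+)", text)
    eku = [e.strip() for e in m.group(1).split(",")] if m else []
    m = re.search(r"Subject Alternative Name:[^\n]*\n\s*([^\n]+)", text)
    san = [e.strip() for e in m.group(1).split(",")] if m else []
    return {"cn": cn, "eku": eku, "san": san}

def check_client_cert(text, db_user):
    """Return findings against the thread's rules: CN = db role, client EKU, no SAN."""
    info = parse_cert_text(text)
    findings = []
    if info["cn"] != db_user:
        findings.append(f"CN {info['cn']!r} does not equal database role {db_user!r}")
    if "TLS Web Client Authentication" not in info["eku"]:
        findings.append("EKU does not include TLS Web Client Authentication")
    if info["san"]:
        findings.append("SAN present: " + ", ".join(info["san"]))
    return findings  # empty list means the cert matches all three rules
```

Run check_client_cert on the output of openssl x509 -in client.crt -noout -text with the role you intend to connect as; an empty result is the cert shape the author ended up with.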
