Re: SSL Certificates in Postgres 9.3 and Windows 7 - Mailing list pgsql-general

Quoting original message to try and show file contents...


harpagornis wrote
> I am trying to implement SSL certificates with postgres 9.3 locally in
> Windows 7.  In Windows Component Services / Local Services, postrgres is
> configured to start automatically, with Log On as a local system account.
>
> Using my Windows administrator account, in a command prompt inside my data
> folder, when I execute postgres -D . , I get the message, "Redirecting
> logging output to the logging collector service."   I also get this error
> message in my log file:
>
> 2014-11-09 03:05:13 GMT LOG:  client certificates can only be checked if a
> root certificate store is available
> 2014-11-09 03:05:13 GMT HINT:  Make sure the configuration parameter
> "ssl_ca_file" is set.
> 2014-11-09 03:05:13 GMT CONTEXT:  line 2 of configuration file
> "D:/PostgresDat/pg_hba.conf"
> 2014-11-09 03:05:13 GMT FATAL:  could not load pg_hba.conf
>
> When I try to connect in PgAdminIII I get the error message, "Server isn't
> listening"  What am I doing wrong?  Right now, just for development
> purposes, do I need to have a root certificate?  I tried unsuccessfully to
> create one with makecert but couldn't get the flags and options right.
>
>
> I followed the postgres & openssl documentation for creating the
> privkey.pem, server.req, server.key and server.crt files, ie.:
>
> 1.     openssl genrsa –out privkey.pem 2048
> 2.     openssl req -new -key privkey.pem -out server.req –config
> "D:\openssl\v9.8\openssl.cnf”
> 3.     openssl rsa -in privkey.pem -out server.key openssl req -x509 -in
> server.req -text -key server.key -out server.crt  -config
> "D:\openssl\v9.8\openssl.cnf”
>
>
> This is the entire pg_hba.conf file:
>
>
> # TYPE  DATABASE   USER    ADDRESS    METHOD
> hostssl  all   all     127.0.0.1/32   cert  clientcert=1
> hostssl  postgres   postgres   ::1/128   trust
> #hostssl  all   all     ::1/128        cert  clientcert=1
>
> Also, which of those last two lines in the pg_hba.conf file should I be
> using to require SSL certificates for all postgres accounts?  Is it even
> possible to require a SSL certificate for the postgres account?
>
> This the entire postgresql.conf file:
>
> listen_addresses = '*'
> port = 5432                # (change requires restart)
> max_connections = 100            # (change requires restart)
> # - Security and Authentication -
> ssl = on                # (change requires restart)
> ssl_ciphers = 'DEFAULT:!LOW:!EXP:!MD5:@STRENGTH'    # allowed SSL ciphers
> ssl_renegotiation_limit = 512MB    # amount of data between renegotiations
> ssl_cert_file = 'server.crt'    # (change requires restart)
> ssl_key_file = 'server.key'        # (change requires restart)
> #ssl_ca_file = 'root.crt'
> password_encryption = on
> shared_buffers = 128MB            # min 128kB
>
> # ERROR REPORTING AND LOGGING
> # - Where to Log -
> log_destination = 'stderr'
> # This is used when logging to stderr:
> logging_collector = on    # Enable capturing of stderr and csvlog
>                     # into log files. Required to be on for
>                     # csvlogs.
>                     # (change requires restart)
> log_line_prefix = '%t '    # special values:
>
> # - Locale and Formatting -
> datestyle = 'iso, mdy'
> timezone = 'US/Central'
> lc_messages = 'English_United States.1252'        # locale for system error
> message
> lc_monetary = 'English_United States.1252'        # locale for monetary
> formatting
> lc_numeric = 'English_United States.1252'            # locale for number formatting
> lc_time = 'English_United States.1252'            # locale for time formatting
>
> # default configuration for text search
> default_text_search_config = 'pg_catalog.english'
>
> Thank you for all comments and suggestions.

David J.



--
View this message in context:
http://postgresql.1045698.n5.nabble.com/SSL-Certificates-in-Postgres-9-3-and-Windows-7-tp5826230p5826247.html
Sent from the PostgreSQL - general mailing list archive at Nabble.com.