Craig, all,
* Craig Ringer (craig@2ndquadrant.com) wrote:
> PROBLEM VERIFIED
Let me just say "ugh". I've long wondered why we have things set up in
such a way that the whole chain has to be in one file, but it didn't
occur to me that it'd actually end up causing this issue. In some ways,
I really wonder about this being OpenSSL's fault as much as ours, but I
doubt they'd see it that way. :)
> What we need to happen instead is for root.crt to contain only the
> trusted certificates and have a *separate* file or directory for
> intermediate certificates that OpenSSL can look up to get the
> intermediates it needs to validate client certs, like
> `ssl_ca_chain_file` or `ssl_ca_chain_path` if we want to support
> OpenSSL's hashed certificate directories.
Makes sense to me. I'm not particular about the names, but isn't this
set of CAs generally considered intermediary? E.g. 'trusted',
'intermediate', etc.?
Thanks,
Stephen
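As an added illustration for the discussion above (this is not code from the thread or from PostgreSQL itself), the following shell script builds a throwaway root -> intermediate -> client PKI with the openssl command line and then runs the same path validation four ways: with only the root trusted, with only the intermediate trusted, with root and intermediate concatenated into one trusted file (which is what today's root.crt has to look like), and with the root trusted and the intermediate passed separately as untrusted chain material, which is what a separate `ssl_ca_chain_file` would let the server do. The CA names, the working directory and the config section names (ca_ext, leaf_ext) are made up for the example; the OpenSSL flags (-untrusted, -CAfile, -extfile, -extensions) are real.

```shell
#!/bin/sh
# Added example (not part of the original thread): build root -> intermediate -> client
# with the openssl CLI and compare how OpenSSL is allowed to find the intermediate.
set -eu

WORK=$(mktemp -d)                       # throwaway directory, removed on exit
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the demo does not depend on the system openssl.cnf.
# Section names ca_ext and leaf_ext are invented for this example.
cat > "$WORK/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF

# new_key_and_csr NAME CN: P-256 key pair plus CSR in $WORK/NAME.key and $WORK/NAME.csr.
new_key_and_csr() {
    openssl req -new -config "$WORK/demo.cnf" -nodes \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
}

build_pki() {
    # Self-signed root: the only certificate that should be a trust anchor.
    openssl req -x509 -config "$WORK/demo.cnf" -extensions ca_ext -nodes \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -days 30 \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" -subj "/CN=Demo Root CA" 2>/dev/null
    # Intermediate CA signed by the root.
    new_key_and_csr intermediate "Demo Intermediate CA"
    openssl x509 -req -in "$WORK/intermediate.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 30 -extfile "$WORK/demo.cnf" -extensions ca_ext \
        -out "$WORK/intermediate.crt" 2>/dev/null
    # Client certificate signed by the intermediate, as a libpq client would present it.
    new_key_and_csr client "alice"
    openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/intermediate.crt" -CAkey "$WORK/intermediate.key" \
        -CAcreateserial -days 30 -extfile "$WORK/demo.cnf" -extensions leaf_ext \
        -out "$WORK/client.crt" 2>/dev/null
    # What root.crt has to contain today: root and intermediate in one trusted file.
    cat "$WORK/root.crt" "$WORK/intermediate.crt" > "$WORK/chain.crt"
}

# verify_client TRUSTED_FILE [UNTRUSTED_FILE]: validate client.crt and print OK or FAIL.
# TRUSTED_FILE is the trust store (every cert in it is a trust anchor); the optional
# UNTRUSTED_FILE is chain material OpenSSL may use to build the path but does not trust.
verify_client() {
    if [ $# -gt 1 ]; then
        set -- -CAfile "$WORK/$1" -untrusted "$WORK/$2"
    else
        set -- -CAfile "$WORK/$1"
    fi
    if openssl verify "$@" "$WORK/client.crt" 2>/dev/null | grep -q ': OK$'; then
        echo OK
    else
        echo FAIL
    fi
}

build_pki
echo "root only, intermediate not available:    $(verify_client root.crt)"
echo "intermediate alone as the trust store:    $(verify_client intermediate.crt)"
echo "root + intermediate in one file (today):  $(verify_client chain.crt)"
echo "root trusted, intermediate separate:      $(verify_client root.crt intermediate.crt)"
```

The first two cases fail: OpenSSL cannot build a path to a self-signed anchor from the leaf alone, and it will not (by default) stop at an intermediate that is merely present in the trust store without its issuer. The last two both succeed, which is the whole point: concatenating the chain works, but it makes the intermediate a trust anchor in its own right, whereas handing it over as untrusted chain material keeps the root as the only anchor while still letting the server validate client certificates issued by the intermediate.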