Re: Changed SSL Certificates - Mailing list pgsql-general

From Adrian Klaver
Subject Re: Changed SSL Certificates
Date
Msg-id 4D9F4D93.3010605@gmail.com
In response to Changed SSL Certificates  (Carlos Mennens <carlos.mennens@gmail.com>)
Responses Re: Changed SSL Certificates
List pgsql-general
On 04/08/2011 09:42 AM, Carlos Mennens wrote:
> I had self-signed SSL certificates on my database server but since
> then removed them and received updated certificates from the security
> team. I removed (backed up) the old server.crt & server.key and now
> have db1_ssl.crt & db1_ssl.key in the identical location as the old
> SSL certificates. I then went to /etc/postgres/8.4/main and removed
> the old symbolic links for the old certificates and generated new
> symbolic links:
>
> ln -s /etc/ssl/certs/db1_ssl.crt db1_ssl.crt
> ln -s /etc/ssl/private/db1_ssl.key db1_ssl.key
>
> I then restarted PostgreSQL and got the following error:
>
> 2011-04-08 09:54:34 EDT FATAL:  could not load server certificate file
> "server.crt": No such file or directory
> 2011-04-08 10:00:43 EDT FATAL:  could not load server certificate file
> "server.crt": No such file or directory
>
> I looked for anywhere else in /var/lib/postgres/ & /etc/postgres/ but
> can't find anything else that's calling the old certificates. I
> changed the ownership on the certificates and symbolic links to either
> root or postgres and nothing worked. It fails to start with the
> following error:
>
>
> root@db1:/# /etc/init.d/postgresql start
> Starting PostgreSQL 8.4 database server: mainThe PostgreSQL server
> failed to start. Please check the log output: 2011-04-08 12:36:54 EDT
> FATAL: could not load server certificate file "server.crt": No such
> file or directory ... failed!
>
> I checked the documentation page:
>
> http://www.postgresql.org/docs/8.4/static/libpq-ssl.html
>
> Table 30-4. Libpq/Client SSL File Usage
>
> File    Contents    Effect
> ~/.postgresql/postgresql.crt    client certificate    requested by server
> ~/.postgresql/postgresql.key    client private key    proves client certificate sent by owner; does not indicate certificate owner is trustworthy
> ~/.postgresql/root.crt    trusted certificate authorities    checks server certificate is signed by a trusted certificate authority
> ~/.postgresql/root.crl    certificates revoked by certificate authorities    server certificate must not be on this list
>
> Can anyone tell me what I'm doing wrong or missing here? I can't
> disable SSL per DoD requirements sadly.

Per here:
http://www.postgresql.org/docs/8.4/static/ssl-tcp.html
File    Contents    Effect
server.crt    server certificate    requested by client
server.key    server private key    proves server certificate sent by owner; does not indicate certificate owner is trustworthy
root.crt    trusted certificate authorities    checks that client certificate is signed by a trusted certificate authority
root.crl    certificates revoked by certificate authorities    client certificate must not be on this list

Rename your certs to above.
>
> -Carlos
>


--
Adrian Klaver
adrian.klaver@gmail.com
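
The check implied by the reply above, as an added example that is not part of the original thread: a POSIX shell function that verifies a directory holds the certificate and key under the fixed names server.crt and server.key, and also catches dangling symlinks, which produce the same "No such file or directory" error. The function name check_pg_ssl_dir is hypothetical; the permission warning reflects the PostgreSQL 8.4 documentation's requirement that server.key deny group and world access.

```shell
#!/bin/sh
# Added example (not from the thread). Usage: check_pg_ssl_dir /path/to/dir
# Returns 0 only if server.crt and server.key both resolve to existing files.

check_pg_ssl_dir() {
    dir=$1
    rc=0
    for name in server.crt server.key; do
        path="$dir/$name"
        if [ -e "$path" ]; then            # -e follows symlinks to the target
            echo "ok: $name"
        elif [ -L "$path" ]; then          # link is there, its target is not
            echo "FAIL: $name is a dangling symlink"
            rc=1
        else
            echo "FAIL: $name not found"
            rc=1
        fi
    done

    # Cert/key files present under names the server never opens,
    # e.g. db1_ssl.crt and db1_ssl.key from the original post.
    for f in "$dir"/*.crt "$dir"/*.key; do
        [ -e "$f" ] || [ -L "$f" ] || continue
        case ${f##*/} in
            server.crt|server.key|root.crt) ;;
            *) echo "note: ${f##*/} is not a name the server looks for" ;;
        esac
    done

    # Group/other permission bits of the key (characters 5-10 of the
    # ls mode string), read through any symlink with -L.
    if [ -e "$dir/server.key" ]; then
        mode=$(ls -lLd "$dir/server.key" | cut -c5-10)
        [ "$mode" = "------" ] || echo "warn: server.key allows group/world access"
    fi
    return $rc
}
```
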
