A documentation comment came in recently about ssl-tcp.html not
specifying what format is expected for the CRL file. Seems like
something that could be described better now that I look at it, so I'm
passing that along with just wording edits from me; this is from user
"oneironautics":
The root.crl needs to be in PEM (and not DER) format. If a certificate
file exists but is the wrong type, you will be told it cannot find the
file when it exists, with this sort of error in the log:
LOG: SSL certificate revocation list file "root.crl" not found,
skipping: no SSL error reported
DETAIL: Certificates will not be checked against revocation list.
This error can be reported even though you have a root.crl file in
$PGDATA along with the private key and server/root certificates. A
quick check using openssl revealed that the unused CRL file in this
example was indeed in DER format. Converting the certificate to the PEM
format rectified the error:
cd $PGDATA
openssl crl -inform der -in root.crl -outform pem -out root-new.crl
mv root-new.crl root.crl