SSL root.crt read problem for Postgres 8.4 - Mailing list pgsql-novice

From Michael Swierczek
Subject SSL root.crt read problem for Postgres 8.4
Msg-id 68b5b5880907231200y467a67a2q3ab1cf013c529db0@mail.gmail.com
List pgsql-novice
We're running PostgreSQL 8.3.5 on Windows in production (and it's a
spectacular piece of software) and we have 8.3.5 and 8.4 on Windows in
our testing environments.  I've created a Certificate Authority
root.crt root certificate (internal to the company) and used it to
sign a server.key and server.crt file.   All of the openssl commands I
ran (using openssl on Cygwin) to create a key used -newkey rsa:2048 as
an option.   The resulting root.crt file and server.crt file can be (and
have been) installed in the normal Windows certificate store - so at
least Windows Vista finds the format acceptable.

In PostgreSQL 8.3.5, I modified postgresql.conf and set ssl=on and
ssl_ciphers = ALL.  I modified pg_hba.conf to have all of the
connections as "hostssl all all 192.168._._/16 md5".  (obviously
replacing _._ with the IP of each machine that could connect).   I put
root.crt, server.key, and server.crt into the 8.3.5 data directory.
When I restart the pgsql-8.3 service, it starts fine.  I can connect
normally through SSL with psql, pgAdmin3, and JDBC from any of the
allowed pg_hba entries.

On the exact same server, I stop PostgreSQL 8.3.5 (pgsql-8.3 service).
 I copy the same pg_hba.conf and postgresql.conf settings to the
PostgreSQL 8.4 installation.  I copy the same root.crt, server.key,
and server.crt files into the PostgreSQL 8.4 data directory.  I have
used both Windows Explorer and Cygwin "ls -l" and "getacl" commands to
verify that the permissions are identical.  When I try to start the
PostgreSQL 8.4 service, it takes a long time and then reports that it
did not start.  The Event Viewer has an error message "EDTFATAL: could
not load root certificate file "root.crt": Input/output error".

Any ideas?
Thanks.

-Mike
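
A pre-start check for the root.crt and server.crt files described in the post, as an added example that is not part of the original message or of PostgreSQL: it classifies file-level problems (empty file, Unicode BOM, binary DER instead of PEM, damaged base64, truncated DER) and then asks OpenSSL, through Python's `ssl` module, whether it can load the file as a CA file. The function names and the placeholder `SAMPLE_DER` bytes are assumptions constructed for illustration, and the checks do not establish what caused the error reported above.

```python
import base64
import re
import ssl

BEGIN, END = b"-----BEGIN CERTIFICATE-----", b"-----END CERTIFICATE-----"
PEM_CERT = re.compile(re.escape(BEGIN) + rb"\s+(.*?)" + re.escape(END), re.S)
SAMPLE_DER = b"\x30\x03\x02\x01\x01"  # constructed: valid ASN.1, NOT a certificate

def wrap_pem(der: bytes) -> bytes:  # sample builder: PEM envelope around DER
    return BEGIN + b"\n" + base64.encodebytes(der) + END + b"\n"

def der_sequence_ok(der: bytes) -> bool:
    """True if der is one outer ASN.1 SEQUENCE whose length field matches."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                    # short-form length
        return len(der) == 2 + der[1]
    k = der[1] & 0x7F                    # long form: k length bytes follow
    if k == 0 or len(der) < 2 + k:       # k == 0 is indefinite length, not DER
        return False
    return len(der) == 2 + k + int.from_bytes(der[2:2 + k], "big")

def classify(data: bytes) -> str:
    """Coarse diagnosis of the raw bytes of a root.crt / server.crt file."""
    if not data:
        return "empty"
    if data[:3] == b"\xef\xbb\xbf" or data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return "unicode-bom"             # saved as UTF-8 with BOM or UTF-16
    if data[0] == 0x30:
        return "binary-der"              # DER, not the PEM text form
    blocks = PEM_CERT.findall(data)
    if not blocks:
        return "no-pem-certificate"
    for body in blocks:
        try:
            der = base64.b64decode(b"".join(body.split()), validate=True)
        except ValueError:               # binascii.Error subclasses ValueError
            return "bad-base64"
        if not der_sequence_ok(der):
            return "truncated-or-corrupt"
    return "pem-structure-ok"

def openssl_loads_ca(path: str) -> bool:
    """Ask OpenSSL (through Python's ssl module) to load path as a CA file."""
    try:
        ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_verify_locations(cafile=path)
        return True
    except OSError:                      # ssl.SSLError and missing/unreadable file
        return False
```

Call `classify(open(path, "rb").read())` and `openssl_loads_ca(path)` on the files in the data directory before starting the service. A file can pass the structural check and still be rejected by OpenSSL, as the placeholder sample is, which is why both checks are included.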
