Postgres Pro
Downloads
Home   >   mailing lists

Re: Cert verify failed on client side after renewal of certs - Mailing list pgsql-admin

From Axel Rau
Subject Re: Cert verify failed on client side after renewal of certs
Date
Msg-id 74256716-042C-45E6-A2F2-09B0D0D34666@Chaos1.DE
Whole thread Raw
In response to Cert verify failed on client side after renewal of certs  (Axel Rau <Axel.Rau@chaos1.de>)
Responses Re: Cert verify failed on client side after renewal of certs
List pgsql-admin
Tree view 
The problem below disappears if I remove client key and cert from ~/.postgresql, just keeping root.crt.
Which subject CN or Subject alternate name should I use with the client cert?
User name or FQDN of client host comes into mind. Docs are unclear in that point.

Axel

Am 18.09.2014 um 22:57 schrieb Axel Rau <Axel.Rau@chaos1.de>:

> Hi all,
>
> I’m getting
>     psql: SSL error: certificate verify failed
> after renewing server and client certs.
> Both certs are validated ok by openssl:
> - - -
> openssl verify -verbose -CAfile ca_cert.pem -purpose sslserver
/usr/local/pgsql/data-l/db1.in.chaos1.de_server_cert.pem
> /usr/local/pgsql/data-l/db1.in.chaos1.de_server_cert.pem: OK
> - - -
> openssl verify -verbose -CAfile ca_cert.pem -purpose sslclient db1.in.chaos1.de_server_cert.pem
> db1.in.chaos1.de_server_cert.pem: OK
> - - -
> x509 extensions of server cert are
> - - -
>            X509v3 Subject Key Identifier:
>                E2:F8:B9:D0:94:F2:70:BD:BE:84:EE:5C:7B:45:95:47:E4:9F:49:3B
>            X509v3 Basic Constraints: critical
>                CA:FALSE
>            X509v3 Key Usage: critical
>                Digital Signature, Key Encipherment
>            X509v3 Extended Key Usage: critical
>                TLS Web Server Authentication
>            X509v3 Subject Alternative Name: critical
>                DNS:some.host, DNS:another host
> - - -
> and of client cert
> - - -
>            X509v3 Subject Key Identifier:
>                E2:F8:B9:D0:94:F2:70:BD:BE:84:EE:5C:7B:45:95:47:E4:9F:49:3B
>            X509v3 Basic Constraints: critical
>                CA:FALSE
>            X509v3 Key Usage: critical
>                Digital Signature
>            X509v3 Extended Key Usage: critical
>                TLS Web Client Authentication
>            X509v3 Subject Alternative Name: critical
>                DNS:some.host, DNS:another host
> - - -
> How can this be?
> What am I doing wrong?
>
> Axel
> PS: This is still this issue:
>     http://article.gmane.org/gmane.comp.db.postgresql.admin/38559
> —
> PGP-Key:29E99DD6  ☀ +49 151 2300 9283  ☀ computing @ chaos claudius
>
>
>
> --
> Sent via pgsql-admin mailing list (pgsql-admin@postgresql.org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-admin

---
PGP-Key:29E99DD6  ☀ +49 151 2300 9283  ☀ computing @ chaos claudius

pgsql-admin by date:

Previous
From: jayknowsunix@gmail.com
Date:
Subject: Re: Removing a Database Server
Next
From: "Campbell, Lance"
Date:
Subject: Clarification on pg_basebackup