Please, always CC: the list in your replies!
Vitaliyi wrote:
> > - Did you put the same thing in root.crt on both client and server?
>
> yes
>
> > - Does root.crt contain a self signed certificate?
>
> yes
>
> > - Does root.crt contain the certificate that was used to
> sign server.crt and postgresql.crt?
>
> yes
>
> > - Are there any SSL messages in the server log file
> immediately after server startup?
>
>
> LOG: SSL certificate revocation list file "root.crl" not found,
> skipping: no SSL error reported
> DETAIL: Certificates will not be checked against revocation list.
>
> don't know where it looking for "root.crl", but it is in directory
> with root.crt and server.key, server.crt
That should be harmless...
Let me reexamine your original mail:
> generating another key on server:
[...]
> signing on CA:
> openssl req -x509 -in server.req -text -key our.key -out server.crt
That's the problem, I think.
With this statement you generate a self signed certificate from server.req
(check with "openssl x509 -in server.crt -text -noout").
What you need is a certificate signed by root.crt.
You can do it like this:
openssl x509 -req -in server.req -CA root.crt -CAkey our.key -CAcreateserial -out server.crt
See if that gets rid of the message!
Yours,
Laurenz Albe
