On 28 Feb 2017, at 21:51, Bruce Momjian wrote:
> I have researched this and will post a blog and and document the fix
> in
> the next few months. The reason you have to supply the entire
> certificate chain to the root CA on the client is because you have not
> used the "-extensions v3_ca" flag to openssl when creating the CA x509
> request. You have to mark the certificates as CAs so they are passed
> from the server to the client. You are looking for the CA
> certificates
> to say:
>
> X509v3 Basic Constraints:
> CA:TRUE
>
My `ca.cert.pem` file has
X509v3 Basic Constraints: critical
CA:TRUE
The `intermediate.cert.pem` has
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
This intermediate cert was generated using the `v3_intermediate_ca`
extension defined in [1]. I wouldn’t expect *not* to have to give the
full certificate chain to the client, since both were created by me.
To summarise my problem and solution: the connection worked fine until
`ssl_crl_file` was enabled. I was trying to use a CRL generated from the
intermediate CA, assuming PostgreSQL would trust it since it knows about
the full CA chain in `ssl_ca_file`. Apparently, it must be a CRL
generated from the root concatenated to a CRL generated from the
intermediate, and then it works.
[1]:
https://github.com/RazerM/postgres_crl_test/blob/dd9ef3ac4dd74d1cdfc6403899a09d954fd9622a/intermediate-config.txt#L99
Kind regards,
Frazer McLean
