Thread: Cert verify failed on client side after renewal of certs
Hi all,

I’m getting

psql: SSL error: certificate verify failed

after renewing server and client certs. Both certs are validated ok by openssl:

- - -
openssl verify -verbose -CAfile ca_cert.pem -purpose sslserver /usr/local/pgsql/data-l/db1.in.chaos1.de_server_cert.pem
/usr/local/pgsql/data-l/db1.in.chaos1.de_server_cert.pem: OK
- - -
openssl verify -verbose -CAfile ca_cert.pem -purpose sslclient db1.in.chaos1.de_server_cert.pem
db1.in.chaos1.de_server_cert.pem: OK
- - -

x509 extensions of server cert are

- - -
X509v3 Subject Key Identifier:
    E2:F8:B9:D0:94:F2:70:BD:BE:84:EE:5C:7B:45:95:47:E4:9F:49:3B
X509v3 Basic Constraints: critical
    CA:FALSE
X509v3 Key Usage: critical
    Digital Signature, Key Encipherment
X509v3 Extended Key Usage: critical
    TLS Web Server Authentication
X509v3 Subject Alternative Name: critical
    DNS:some.host, DNS:another host
- - -

and of client cert

- - -
X509v3 Subject Key Identifier:
    E2:F8:B9:D0:94:F2:70:BD:BE:84:EE:5C:7B:45:95:47:E4:9F:49:3B
X509v3 Basic Constraints: critical
    CA:FALSE
X509v3 Key Usage: critical
    Digital Signature
X509v3 Extended Key Usage: critical
    TLS Web Client Authentication
X509v3 Subject Alternative Name: critical
    DNS:some.host, DNS:another host
- - -

How can this be?
What am I doing wrong?

Axel

PS: This is still this issue: http://article.gmane.org/gmane.comp.db.postgresql.admin/38559

—
PGP-Key:29E99DD6 ☀ +49 151 2300 9283 ☀ computing @ chaos claudius
The problem below disappears if I remove client key and cert from ~/.postgresql, just keeping root.crt.
Which subject CN or Subject alternate name should I use with the client cert? User name or FQDN of client host comes into mind. Docs are unclear in that point.

Axel

On 18.09.2014 at 22:57, Axel Rau <Axel.Rau@chaos1.de> wrote:
> Hi all,
>
> I’m getting
> psql: SSL error: certificate verify failed
> after renewing server and client certs.
> Both certs are validated ok by openssl:
> [...]
> How can this be?
> What am I doing wrong?
The CN should be the user name of the database from which the client is going to log in.

On 23-09-2014 19:21, Axel Rau wrote:
> The problem below disappears if I remove client key and cert from ~/.postgresql, just keeping root.crt.
> Which subject CN or Subject alternate name should I use with the client cert? User name or FQDN of client host comes into mind. Docs are unclear in that point.
> [...]
--
Harshad Adalkonda
Database Administrator
harshad.adalkonda@shreeyansh.com
Office: +919552687400/8400
http://www.shreeyansh.com
On 24.09.2014 at 07:22, Adalkonda Harshad <adalkondaharshad@gmail.com> wrote:
> The CN should be the user name of the database from which the client is going to log in.

Thanks for your answer.
According to the docs, this is required with authentication by client cert (AbCC), which I did not use.
I created a cert with db user name as CN and no subject alternate name (SAN) and this solved my problem!
There should really be a hint in the docs that SSL does not work with client certs containing one or more SANs.
Now the next question: If I switch to AbCC, how can I configure more than one db user per login?
Thanks, Axel
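An added pre-flight check (not code from the thread or from PostgreSQL) that applies Harshad's rule and Axel's finding to a client certificate before it goes into ~/.postgresql: the subject CN is compared with a database user name passed as an argument, an Extended Key Usage (if present) must allow client authentication, and any subjectAltName is reported. It assumes the openssl CLI is installed; the certificate path and user name are caller-supplied.

```shell
#!/bin/sh
# Added example, not code from the thread: pre-flight check for a PostgreSQL
# client certificate. With certificate authentication the subject CN must
# equal the database user name (Harshad's answer); the certificate that
# finally worked carried no subjectAltName (Axel's finding); and an Extended
# Key Usage, if present, must allow client auth, which is what
# "openssl verify -purpose sslclient" enforces. Assumes the openssl CLI.
set -eu

# pg_cert_cn CERT: print the subject CN (empty if the subject has none)
pg_cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# pg_cert_ext CERT NAME: print the value line of X509v3 extension NAME, if any
pg_cert_ext() {
    openssl x509 -in "$1" -noout -text \
        | awk -v name="$2" '$0 ~ name { getline; sub(/^[ \t]+/, ""); print; exit }'
}

# check_client_cert CERT DBUSER: returns 0 if CERT can authenticate as DBUSER,
# 1 on CN mismatch, 2 if the EKU forbids client auth, 3 if a SAN is present
check_client_cert() {
    cn=$(pg_cert_cn "$1")
    if [ "$cn" != "$2" ]; then
        echo "CN '$cn' does not match database user '$2'" >&2
        return 1
    fi
    eku=$(pg_cert_ext "$1" "Extended Key Usage")
    case "$eku" in
        "") ;;                                  # no EKU: any purpose allowed
        *"TLS Web Client Authentication"*) ;;
        *)  echo "EKU '$eku' does not allow client authentication" >&2
            return 2 ;;
    esac
    san=$(pg_cert_ext "$1" "Subject Alternative Name")
    if [ -n "$san" ]; then
        echo "cert carries SAN '$san'; the thread reports such client certs failing" >&2
        return 3
    fi
    return 0
}
```

Run it as `check_client_cert ~/.postgresql/postgresql.crt <dbuser>` and act on the exit code; the messages on stderr name the failing property.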