SSL auth problem

Good Day

I'm trying to set up SSL auth.

creating CA:

openssl genrsa -out our.key 2048
openssl req -new -key our.key -out our.req
openssl req -x509 -in our.req -text -key our.key -out root.crt

then I copy root.crt to the postgresql host and to the client host, into ~/.postgresql

generating another key on server:

openssl genrsa -out server.key 2048
then request for signing to CA:
openssl req -new -key server.key -out server.req

signing on CA:

openssl req -x509 -in server.req -text -key our.key -out server.crt

now in the postgresql data dir the following files:

server.crt
server.key
root.crt
and a blank root.crl

on client host:

cd ~/.postgresql
openssl genrsa -out postgresql.key 2048
then signing with our.key on the CA and placing postgresql.crt, root.crt
into ~/.postgresql

This is my picture of what is happening:

1. we use our CA public key to generate root.crt:

root_signature = ca_pub_key**ca_priv_key % n

2. on the postgres server, creating a key-pair and signing the public key on the CA, receiving
server_signature (server.crt):

server_signature = server_pub_key**root_priv_key % n

The client uses server_signature before encrypting and sending a message to the server:

server_pub_key = server_signature**root_pub_key % n

if server_pub_key is valid, then the user encrypts the message with server_pub_key.

3. The client generates his own key-pair and asks our CA to sign his public key.

client_signature = client_pub_key**ca_priv_key % n

client_signature he writes to postgresql.crt, which the server uses when
sending something to the client:

client_pub_key = client_signature**root_pub_key % n

If everything is correct, then why is psql complaining:

psql "dbname=me sslmode=require host=postgres_server user=me"
psql: SSL error: certificate verify failed

log on postgres_server:

postgres[98462]: [3-1] LOG:  could not accept SSL connection: tlsv1 alert unknown ca

P.S. postgres-8.2 on FreeBSD
postgresql-client-8.2 on Debian

Re: SSL auth problem

"Albe Laurenz"
Vitaliyi wrote:
> I'm trying to setup SSL auth.
> creating CA:
> openssl genrsa -out our.key 2048
> openssl req -new -key our.key -out our.req
> openssl req -x509 -in our.req -text -key our.key -out root.crt
> then I copy root.crt on postgresql host and to client host in
> ~/.postgresql
> generating another key on server:
> openssl genrsa -out server.key 2048
> then request for signing to CA:
> openssl req -new -key server.key -out server.req
> signing on CA:
> openssl req -x509 -in server.req -text -key our.key -out server.crt
> now in postgresql data dir following files:
> server.crt
> server.key
> root.crt
> and blank root.crl
> on client host:
> cd ~/.postgresql
> openssl genrsa -out postgresql.key 2048
> then signing with our.key on CA and placing postgresql.crt, root.crt
> to ~/.postgresql
> This is my picture of what is happening:
> 1. we using our CA public key to generate root.crt:
> root_signature = ca_pub_key**ca_priv_key % n
> 2. on postgres server creating key-pair and signing public key on CA, receiving
> server_signature (server.crt):
> server_signature = server_pub_key**root_priv_key % n
> Client using server_signature before encrypting and sending message to server:
> server_pub_key = server_signature**root_pub_key % n
> if server_pub_key is valid then user encrypting message with server_pub_key.
> 3. Client generating his own key-pair and asking our CA to
> sign his public key.
> client_signature = client_pub_key**ca_priv_key % n
> client_signature he writing to postgresql.crt, which server using when sending something
> to client:
> client_pub_key = client_signature**root_pub_key % n
> If everything is correct, than why psql complaining:
> psql "dbname=me sslmode=require host=postgres_server user=me"
> psql: SSL error: certificate verify failed
> log on postgres_server:
> postgres[98462]: [3-1] LOG:  could not accept SSL connection: tlsv1
> alert unknown ca

I could not follow completely, so let me ask:

- Did you put the same thing in root.crt on both client and server?
- Does root.crt contain a self signed certificate?
- Does root.crt contain the certificate that was used to sign server.crt and postgresql.crt?
- Are there any SSL messages in the server log file immediately after server startup?

Laurenz Albe

Re: SSL auth problem

"Albe Laurenz"
Please, always CC: the list in your replies!

Vitaliyi wrote:
> > - Did you put the same thing in root.crt on both client and server?
> yes
> > - Does root.crt contain a self signed certificate?
> yes
> > - Does root.crt contain the certificate that was used to
> sign server.crt and postgresql.crt?
> yes
> > - Are there any SSL messages in the server log file
> immediately after server startup?
> LOG:  SSL certificate revocation list file "root.crl" not found,
> skipping: no SSL error reported
> DETAIL:  Certificates will not be checked against revocation list.
> don't know where it is looking for "root.crl", but it is in the directory
> with root.crt and server.key, server.crt

That should be harmless...

Let me reexamine your original mail:

> generating another key on server:
> signing on CA:
> openssl req -x509 -in server.req -text -key our.key -out server.crt

That's the problem, I think.

With this statement you generate a self signed certificate from server.req
(check with "openssl x509 -in server.crt -text -noout").

What you need is a certificate signed by root.crt.

You can do it like this:

openssl x509 -req -in server.req -CA root.crt -CAkey our.key -CAcreateserial -out server.crt

See if that gets rid of the message!

Laurenz Albe

Re: SSL auth problem

>> don't know where it is looking for "root.crl", but it is in the directory
>> with root.crt and server.key, server.crt
> That should be harmless...

Removed root.crl. The same effect.

> Let me reexamine your original mail:
>> generating another key on server:
> [...]
>> signing on CA:
>> openssl req -x509 -in server.req -text -key our.key -out server.crt
> That's the problem, I think.

> With this statement you generate a self signed certificate from server.req
> (check with "openssl x509 -in server.crt -text -noout").
> What you need is a certificate signed by root.crt.
> You can do it like this:
> openssl x509 -req -in server.req -CA root.crt -CAkey our.key -CAcreateserial -out server.crt
> See if that gets rid of the message!

Another error appeared:

psql: SSL error: sslv3 alert bad certificate

so I started from the beginning:
on CA:
openssl genrsa -out our.key 2048

creating self-signed certificate:
openssl req -new -key our.key -out our.req
openssl req -x509 -in our.req -text -key our.key -out root.crt

copied root.crt to client and postgres server

on server:
openssl genrsa -out server.key 2048

on CA:
openssl x509 -req -in /tmp/server.req -CA ./root.crt -CAkey our.key -CAcreateserial -out server.crt

on client:
openssl genrsa -out postgresql.key 2048
openssl req -new -key postgresql.key -out cl.req

on CA:
openssl x509 -req -in /tmp/cl.req -CA ./root.crt -CAkey our.key -CAcreateserial -out postgresql.crt

files on client host:
postgresql.crt (signed by CA, -- root.crt)
postgresql.key (client private and public keys)
root.crt

files on postgresql server:
server.key (priv and pub keys)
server.crt (signed by root CA)
root.crt

stopped postgresql and started it again

on client:

psql "dbname=me sslmode=require host=postgresql_host user=me"
psql: SSL error: sslv3 alert bad certificate

on server in logs:
postgres[29299]: [3-1] LOG:  could not accept SSL connection: no certificate returned

Where was I wrong? :(

Re: SSL auth problem

"Albe Laurenz"
Vitaliyi wrote:
> another error appeared:
> psql: SSL error: sslv3 alert bad certificate
> so I started from beginning:
> on CA:
> openssl genrsa -out our.key 2048
> creating self-signed certificate:
> openssl req -new -key our.key -out our.req
> openssl req -x509 -in our.req -text -key our.key -out root.crt

It does not cause an error, but omit -text.

> copied root.crt to client and postgres server
> on server:
> openssl genrsa -out server.key 2048

You forgot here:
openssl req -new -key server.key -out /tmp/server.req

> on CA:
> openssl x509 -req -in /tmp/server.req -CA ./root.crt -CAkey our.key
> -CAcreateserial -out server.crt
> on client:
> openssl genrsa -out postgresql.key 2048
> openssl req -new -key postgresql.key -out cl.req
> on CA:
> openssl x509 -req -in /tmp/cl.req -CA ./root.crt -CAkey our.key
> -CAcreateserial -out postgresql.crt
> files on client host:
> postgresql.crt (signed by CA, -- root.crt)
> postgresql.key (client private and public keys)

Did you make sure that postgresql.key has permissions 0600?

> root.crt
> files on postgresql server:
> server.key (priv and pub keys)

Did you make sure that server.key has permissions 0600?

> server.crt (signed by root CA)
> root.crt
> stopped postgresql and started again
> on client:
> psql "dbname=me sslmode=require host=postgresql_host user=me"
> psql: SSL error: sslv3 alert bad certificate

That means, I guess, that the client does not like its certificate files.

Check that they are ok, with something like

openssl x509 -noout -dates -issuer -subject -in root.crt
or
openssl x509 -noout -text -in root.crt

Same for root.crt.

Laurenz Albe

SSL auth problem

> It does not cause an error, but omit -text.


> Did you make sure that postgresql.key has permissions 0600?

Of course, otherwise it shows a warning.

>> files on postgresql server:
>> server.key (priv and pub keys)
> Did you make sure that server.key has permissions 0600?


>> psql: SSL error: sslv3 alert bad certificate
> That means, I guess, that the client does not like its certificate files.
> Check that they are ok, with something like
> openssl x509 -noout -dates -issuer -subject -in root.crt
> or
> openssl x509 -noout -text -in root.crt
> Same for root.crt.

%openssl x509 -noout -dates -issuer -subject -in postgresql.crt
notBefore=May 16 13:55:49 2008 GMT
notAfter=Jun 15 13:55:49 2008 GMT
issuer= /C=UK/ST=Some-State/L=Kiev/O=0x2A/CN=
subject= /C=UK/ST=Some-State/L=Kiev/O=Internet Widgits Pty Ltd/CN=localhost/

%openssl x509 -noout -dates -issuer -subject -in root.crt
notBefore=May 16 13:49:57 2008 GMT
notAfter=Jun 15 13:49:57 2008 GMT
issuer= /C=UK/ST=Some-State/L=Kiev/O=0x2A/CN=
subject= /C=UK/ST=Some-State/L=Kiev/O=0x2A/CN=

btw, the same:

psql: SSL error: sslv3 alert bad certificate

postgres[29563]: [3-1] LOG:  could not accept SSL connection: no certificate returned

Re: SSL auth problem

"Albe Laurenz"
Vitaliyi wrote:
> %openssl x509 -noout -dates -issuer -subject -in postgresql.crt
>  notBefore=May 16 13:55:49 2008 GMT
>  notAfter=Jun 15 13:55:49 2008 GMT
>  issuer= /C=UK/ST=Some-State/L=Kiev/O=0x2A/CN=
>  subject= /C=UK/ST=Some-State/L=Kiev/O=Internet Widgits Pty
>  Ltd/CN=localhost/
>  %openssl x509 -noout -dates -issuer -subject -in root.crt
>  notBefore=May 16 13:49:57 2008 GMT
>  notAfter=Jun 15 13:49:57 2008 GMT
>  issuer= /C=UK/ST=Some-State/L=Kiev/O=0x2A/CN=
>  subject= /C=UK/ST=Some-State/L=Kiev/O=0x2A/CN=
>  btw, the same:
> psql: SSL error: sslv3 alert bad certificate
> postgres[29563]: [3-1] LOG:  could not accept SSL connection: no
>  certificate returned

Could you also check the key files with

openssl rsa -in postgresql.key


openssl rsa -in server.key

and server.crt as you did above?

If they are all ok, I don't know what could be causing the error.

All that is obvious from the error message is that the client side
complains that a certificate is not ok (don't know if client, server or CA

One last straw: is it between May 16 and June 15 on both machines involved?

Laurenz Albe
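The checks Laurenz walks through in this thread (is server.crt really issued by root.crt rather than self-signed, does the key belong to the certificate, is the key 0600, is the certificate within its validity dates) can be scripted. The script below is an added example, not code from the thread or from PostgreSQL: it rebuilds a throwaway CA in a temp directory, produces a server certificate the wrong way (`openssl req -x509`, as in the first mail) and the right way (`openssl x509 -req -CA root.crt`, as Laurenz suggested), and runs those checks on both. It assumes the openssl CLI is installed; the subjects and file names are made up.

```shell
#!/bin/sh
# Added example, not from the thread: rebuilds the CA, a server certificate
# made the wrong way (self-signed) and one issued by root.crt, then runs the
# checks discussed in the thread. Assumes the openssl CLI; names are made up.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# 0 when CERT chains up to the CA certificate in CAFILE (what libpq and the server require)
verify_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
# 0 when the RSA modulus in CERT equals the one in KEY (cert and key belong together)
key_matches() {
    [ "$(openssl x509 -noout -modulus -in "$1")" = "$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)" ]
}
# 0 when KEY is mode 0600, the permission PostgreSQL insists on for server.key
perms_ok() { [ -n "$(find "$1" -perm 0600 -print)" ]; }
# 0 when CERT has not passed its notAfter date ("is it before June 15?")
not_expired() { openssl x509 -noout -checkend 0 -in "$1" >/dev/null; }

# CA, the same steps as in the thread, with -subj so nothing prompts.
openssl genrsa -out our.key 2048 2>/dev/null
openssl req -new -key our.key -out our.req -subj "/O=0x2A/CN=Test CA"
openssl req -x509 -in our.req -key our.key -days 30 -out root.crt

# Server key and signing request.
openssl genrsa -out server.key 2048 2>/dev/null
chmod 600 server.key
openssl req -new -key server.key -out server.req -subj "/CN=postgres_server"

# Wrong: "openssl req -x509" turns the request into a self-signed certificate.
openssl req -x509 -in server.req -key our.key -days 30 -out selfsigned.crt
# Right: "openssl x509 -req -CA" issues a certificate signed by the CA key.
openssl x509 -req -in server.req -CA root.crt -CAkey our.key -CAcreateserial \
    -days 30 -out server.crt 2>/dev/null

for crt in selfsigned.crt server.crt; do
    if verify_chain root.crt "$crt"; then echo "$crt: chains to root.crt"
    else echo "$crt: NOT signed by root.crt (would give 'unknown ca')"; fi
done
key_matches server.crt server.key && echo "server.crt matches server.key"
perms_ok server.key && echo "server.key is 0600"
not_expired server.crt && echo "server.crt is still valid"
```

Run it on real files by pointing the four functions at the server's or client's root.crt, certificate and key instead of the generated ones.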