Thread: SAST FATAL: could not access private key file "server.key"

SAST FATAL: could not access private key file "server.key"

From
"Dave Coventry"
Date:
When starting Postgres I get the following:


root@Admin:/home/it# /etc/init.d/postgresql-8.2 start
 * Starting PostgreSQL 8.2 database server
          * The PostgreSQL server failed to start. Please check the
log output:
2008-07-01 13:37:39 SAST FATAL:  could not access private key file
"server.key": Permission denied

What is the "server key"?

And how do I make it accessible?

Re: SAST FATAL: could not access private key file "server.key"

From
Bill Moran
Date:
In response to "Dave Coventry" <dgcoventry@gmail.com>:

> When starting Postgres I get the following:
>
>
> root@Admin:/home/it# /etc/init.d/postgresql-8.2 start
>  * Starting PostgreSQL 8.2 database server
>           * The PostgreSQL server failed to start. Please check the
> log output:
> 2008-07-01 13:37:39 SAST FATAL:  could not access private key file
> "server.key": Permission denied
>
> What is the "server key"?
>
> And how do I make it accessible?

This covers your question:
http://www.postgresql.org/docs/8.3/static/ssl-tcp.html

I would guess that your key file is owned by root and only readable by
root and that PostgreSQL is running as the postgres user and thus can't
read the file.  But that's just speculation.

--
Bill Moran
Collaborative Fusion Inc.
http://people.collaborativefusion.com/~wmoran/

wmoran@collaborativefusion.com
Phone: 412-422-3463x4023

Re: SAST FATAL: could not access private key file "server.key"

From
"A. Kretschmer"
Date:
On Tue, 01.07.2008, at 14:05:29 +0200, Dave Coventry wrote the following:
> When starting Postgres I get the following:
>
>
> root@Admin:/home/it# /etc/init.d/postgresql-8.2 start
>  * Starting PostgreSQL 8.2 database server
>           * The PostgreSQL server failed to start. Please check the
> log output:
> 2008-07-01 13:37:39 SAST FATAL:  could not access private key file
> "server.key": Permission denied
>
> What is the "server key"?

The SSL-Key.


>
> And how do I make it accessible?

Please read the docu:
http://www.postgresql.org/docs/current/static/ssl-tcp.html


Andreas
--
Andreas Kretschmer
Contact:  Heynitz: 035242/47150,   D1: 0160/7141639 (more: -> Header)
GnuPG-ID:   0x3FFF606C, private 0x7F4584DA   http://wwwkeys.de.pgp.net

Re: SAST FATAL: could not access private key file "server.key"

From
Glyn Astill
Date:
Sounds like you're using an ssl connection and it's looking for an openssl key, you need to make sure it's installed and
you've generated a csr...



----- Original Message ----
> From: Dave Coventry <dgcoventry@gmail.com>
> To: pgsql-general@postgresql.org
> Sent: Tuesday, 1 July, 2008 1:05:29 PM
> Subject: [GENERAL] SAST FATAL: could not access private key file "server.key"
>
> When starting Postgres I get the following:
>
>
> root@Admin:/home/it# /etc/init.d/postgresql-8.2 start
> * Starting PostgreSQL 8.2 database server
>           * The PostgreSQL server failed to start. Please check the
> log output:
> 2008-07-01 13:37:39 SAST FATAL:  could not access private key file
> "server.key": Permission denied
>
> What is the "server key"?
>
> And how do I make it accessible?

Re: SAST FATAL: could not access private key file "server.key"

From
"Albe Laurenz"
Date:
Dave Coventry wrote:
> When starting Postgres I get the following:
>
>
> root@Admin:/home/it# /etc/init.d/postgresql-8.2 start
>  * Starting PostgreSQL 8.2 database server
>           * The PostgreSQL server failed to start. Please check the log output:
> 2008-07-01 13:37:39 SAST FATAL:  could not access private key file
> "server.key": Permission denied
>
> What is the "server key"?
>
> And how do I make it accessible?

If you don't need SSL, set 'ssl=off' in postgresql.conf.
If you want SSL,
1) read the manual on SSL support
   http://www.postgresql.org/docs/8.3/static/ssl-tcp.html
2) Is there a file server.key? If yes, make it readable to the
   postgres user. If not, create it as documented.

Yours,
Laurenz Albe

Re: SAST FATAL: could not access private key file "server.key"

From
"Dave Coventry"
Date:
On Tue, Jul 1, 2008 at 5:52 PM, Albe Laurenz <laurenz.albe@wien.gv.at> wrote:
> If you don't need SSL, set 'ssl=off' in postgresql.conf.
> If you want SSL,
> 1) read the manual on SSL support
>   http://www.postgresql.org/docs/8.3/static/ssl-tcp.html
> 2) Is there a file server.key? If yes, make it readable to the
>   postgres user. If not, create it as documented.

Hi Albe, thanks very much for helping me here...

Here is the contents of my /var/lib/postgresql/8.2/main/ :

root@Admin:/var/lib/postgresql/8.2/main# ls -l
total 9
drwx------ 7 postgres postgres 168 2008-06-29 11:27 base
drwx------ 2 postgres postgres 768 2008-06-30 13:01 global
drwx------ 2 postgres postgres  72 2008-06-24 09:37 pg_clog
drwx------ 4 postgres postgres  96 2008-06-24 09:37 pg_multixact
drwx------ 2 postgres postgres  72 2008-06-24 09:37 pg_subtrans
drwx------ 2 postgres postgres  48 2008-06-24 09:37 pg_tblspc
drwx------ 2 postgres postgres  48 2008-06-24 09:37 pg_twophase
-rw------- 1 postgres postgres   4 2008-06-24 09:37 PG_VERSION
drwx------ 3 postgres postgres 120 2008-06-24 09:37 pg_xlog
-rw------- 1 postgres postgres 125 2008-06-30 08:59 postmaster.opts
lrwxrwxrwx 1 root     root      31 2008-06-24 09:37 root.crt ->
/etc/postgresql-common/root.crt
lrwxrwxrwx 1 root     root      36 2008-06-24 09:37 server.crt ->
/etc/ssl/certs/ssl-cert-snakeoil.pem
lrwxrwxrwx 1 root     root      38 2008-06-24 09:37 server.key ->
/etc/ssl/private/ssl-cert-snakeoil.key

'server.key' seems to be writable to all and sundry, although the file
it is linked to (ssl-cert-snakeoil.key) is not:


root@Admin:/etc/ssl/private# ls -l
total 4
-rw------- 1 root ssl-cert 887 2008-06-11 12:18 ssl-cert-snakeoil.key

Re: SAST FATAL: could not access private key file "server.key"

From
"Albe Laurenz"
Date:
Dave Coventry wrote:
>> If you want SSL,
>> 2) Is there a file server.key? If yes, make it readable to the
>>   postgres user. If not, create it as documented.
>
> Here is the contents of my /var/lib/postgresql/8.2/main/ :
>
> root@Admin:/var/lib/postgresql/8.2/main# ls -l
> total 9
> drwx------ 7 postgres postgres 168 2008-06-29 11:27 base
> drwx------ 2 postgres postgres 768 2008-06-30 13:01 global
> drwx------ 2 postgres postgres  72 2008-06-24 09:37 pg_clog
> drwx------ 4 postgres postgres  96 2008-06-24 09:37 pg_multixact
> drwx------ 2 postgres postgres  72 2008-06-24 09:37 pg_subtrans
> drwx------ 2 postgres postgres  48 2008-06-24 09:37 pg_tblspc
> drwx------ 2 postgres postgres  48 2008-06-24 09:37 pg_twophase
> -rw------- 1 postgres postgres   4 2008-06-24 09:37 PG_VERSION
> drwx------ 3 postgres postgres 120 2008-06-24 09:37 pg_xlog
> -rw------- 1 postgres postgres 125 2008-06-30 08:59 postmaster.opts
> lrwxrwxrwx 1 root     root      31 2008-06-24 09:37 root.crt ->
> /etc/postgresql-common/root.crt
> lrwxrwxrwx 1 root     root      36 2008-06-24 09:37 server.crt ->
> /etc/ssl/certs/ssl-cert-snakeoil.pem
> lrwxrwxrwx 1 root     root      38 2008-06-24 09:37 server.key ->
> /etc/ssl/private/ssl-cert-snakeoil.key
>
> 'server.key' seems to be writable to all and sundry, although the file
> it is linked to (ssl-cert-snakeoil.key) is not:
>
>
> root@Admin:/etc/ssl/private# ls -l
> total 4
> -rw------- 1 root ssl-cert 887 2008-06-11 12:18 ssl-cert-snakeoil.key

You will need to give postgres read permission to /etc/ssl/private/ssl-cert-snakeoil.key
This also means to give 'traverse directory' (x) permissions
on all the directories in the path to user postgres.

You can test it by becoming user postgres and trying to 'cat' the file.

Was it you who set up the system like that?
Maybe there are good reasons why the key file is only accessible by root.
Maybe you shouldn't use this file as your server key.
But these are considerations beyond my view here.

Yours,
Laurenz Albe
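
The check described in the message above (read permission on the key file plus traverse permission on every directory leading to it) can be walked one path component at a time. The script below is an added example, not part of the original thread; it assumes GNU coreutils (`stat -c`, `readlink -f`), and the uid/gid 4242 and the `/tmp/keywalk.*` fixture are constructed stand-ins for the postgres user and the thread's directory layout.

```shell
#!/usr/bin/env bash
# Added example. Assumes GNU coreutils; run it as root on a real system so
# every component can be stat'ed. ACLs and MAC policies are not considered.

# has_bit MODE OWNER_UID OWNER_GID UID "GIDS" BIT
# Do the mode bits grant BIT (4 = read, 1 = traverse) to the given uid/gids?
has_bit() {
  local mode ouid=$2 ogid=$3 uid=$4 gids=$5 bit=$6 digit
  [ "$uid" = 0 ] && return 0                     # root bypasses mode bits
  mode=$(printf '%03d' "$((10#$1 % 1000))")      # drop setuid/sticky digit
  if [ "$uid" = "$ouid" ]; then digit=${mode:0:1}
  elif [[ " $gids " == *" $ogid "* ]]; then digit=${mode:1:1}
  else digit=${mode:2:1}; fi
  (( digit & bit ))
}

# first_blocker PATH UID "GIDS": resolve symlinks, then walk the real path
# and print the first component whose mode denies access, or "ok".
first_blocker() {
  local target cur="" part parts mode ouid ogid bit
  target=$(readlink -f -- "$1") || { echo "unresolvable: $1"; return 2; }
  IFS=/ read -ra parts <<< "${target#/}"
  for part in "${parts[@]}"; do
    cur="$cur/$part"
    read -r mode ouid ogid < <(stat -c '%a %u %g' -- "$cur") || return 2
    if [ "$cur" = "$target" ]; then bit=4; else bit=1; fi
    if ! has_bit "$mode" "$ouid" "$ogid" "$2" "$3" "$bit"; then
      echo "$cur (mode $mode, owner $ouid:$ogid) denies uid $2"
      return 1
    fi
  done
  echo ok
}

# Constructed fixture mirroring the thread's layout: server.key is a symlink
# into a private directory. Arguments: directory mode, key file mode.
make_fixture() {
  local base
  base=$(mktemp -d /tmp/keywalk.XXXXXX) && chmod 755 "$base"
  mkdir -m "$1" "$base/private" && : > "$base/private/snakeoil.key"
  chmod "$2" "$base/private/snakeoil.key"
  ln -s "$base/private/snakeoil.key" "$base/server.key"
  echo "$base"
}

# Demo: made-up uid/gid 4242 stands in for the postgres user.
base=$(make_fixture 700 600)
first_blocker "$base/server.key" 4242 "4242" || true
rm -rf "$base"
```

The symlink's own `lrwxrwxrwx` mode never enters the decision: only the resolved target and the directories above it are examined.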

Re: SAST FATAL: could not access private key file "server.key"

From
"Dave Coventry"
Date:
On Wed, Jul 2, 2008 at 5:13 PM, Albe Laurenz <laurenz.albe@wien.gv.at> wrote:
> If you don't care, you could
> 1) remove the symbolic link.
> 2) copy the key file to server.key in the PostgreSQL directory.
> 3) chown the copy of the file.

Okay, I'll do that.

> Do you need SSL support at all?
> If not, just disable it and all your troubles are gone.

Well, not at the moment, I'll try that as a last resort.

> If "it worked before", then somebody must have changed something
> in the meantime. Since it must have been root, you should be able
> to track down who or what it was.

Well, I'm the only person who was using it as root, so it must've been
something I've done, dammit!

> Many people posted the link to the documentation.
>
> Read and enjoy!

Yes, I've had a look at it, and have tried to follow instructions
therein, but I'm not sure I understand it.

> PS: It is better to CC the list.

Oh, sorry! I'm a member of several lists, and some default the reply
to the list and some to the poster; I keep forgetting which is which!