Thread: Refresh Postgres SSL certs?

Refresh Postgres SSL certs?

From: Paul Jungwirth
Date:
Hello,

In light of the "Heartbleed" OpenSSL bug[0,1], I'm wondering if I need
to regenerate the SSL certs on my postgres installations[2] (at least
the ones listening on more than localhost)? On Ubuntu it looks like
there are symlinks at /var/lib/postgresql/9.1/main/server.{crt,key}
pointing to /etc/ssl/private/ssl-cert-snakeoil.{pem,key}. Is there any
documentation on how to regenerate these? Are they self-signed? Can I
replace them with my own self-signed certs, like I'd do with Apache or
Nginx?

Thanks!
Paul

[0] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160
[1] http://heartbleed.com/
[2] http://www.postgresql.org/docs/9.1/static/ssl-tcp.html


--
_________________________________
Pulchritudo splendor veritatis.


Re: Refresh Postgres SSL certs?

From: Martijn van Oosterhout
Date:
On Wed, Apr 09, 2014 at 12:28:14PM -0700, Paul Jungwirth wrote:
> Hello,
>
> In light of the "Heartbleed" OpenSSL bug[0,1], I'm wondering if I need
> to regenerate the SSL certs on my postgres installations[2] (at least
> the ones listening on more than localhost)? On Ubuntu it looks like
> there are symlinks at /var/lib/postgresql/9.1/main/server.{crt,key}
> pointing to /etc/ssl/private/ssl-cert-snakeoil.{pem,key}. Is there any
> documentation on how to regenerate these? Are they self-signed? Can I
> replace them with my own self-signed certs, like I'd do with Apache or
> Nginx?

Have you read the Debian README?

/usr/share/doc/postgresql-*/README.Debian.gz

It talks about how the certificates are made. It uses the ssl-cert
package to make them; there are more docs there.

Yes, you can make your own self-signed certs and use them.

Have a nice day,
--
Martijn van Oosterhout   <kleptog@svana.org>   http://svana.org/kleptog/
> He who writes carelessly confesses thereby at the very outset that he does
> not attach much importance to his own thoughts.
   -- Arthur Schopenhauer


Re: Refresh Postgres SSL certs?

From: Paul Jungwirth
Date:
> Have you read the Debian README?
> /usr/share/doc/postgresql-*/README.Debian.gz

Thank you for pointing me to that file. From
/etc/share/doc/ssl-cert/README it sounds like the old snakeoil cert is
already self-signed, so that's promising. So I take it that psql and
the postgres client library won't object to a self-signed cert. Do
they do any kind of certificate pinning or other caching of the old
cert? Or can I just replace the cert, restart the postgres server, and
be done?

Thanks,
Paul


--
_________________________________
Pulchritudo splendor veritatis.


Re: Refresh Postgres SSL certs?

From: Martijn van Oosterhout
Date:
On Wed, Apr 09, 2014 at 12:59:53PM -0700, Paul Jungwirth wrote:
> > Have you read the Debian README?
> > /usr/share/doc/postgresql-*/README.Debian.gz
>
> Thank you for pointing me to that file. From
> /etc/share/doc/ssl-cert/README it sounds like the old snakeoil cert is
> already self-signed, so that's promising. So I take it that psql and
> the postgres client library won't object to a self-signed cert. Do
> they do any kind of certificate pinning or other caching of the old
> cert? Or can I just replace the cert, restart the postgres server, and
> be done?

No pinning, no caching.

Have a nice day,
--
Martijn van Oosterhout   <kleptog@svana.org>   http://svana.org/kleptog/
> He who writes carelessly confesses thereby at the very outset that he does
> not attach much importance to his own thoughts.
   -- Arthur Schopenhauer

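The procedure the two replies above describe (make your own self-signed cert, replace the snakeoil symlinks in the data directory, restart the server; nothing on the client side caches the old cert) as an added shell example. This is not code from the thread or from the PostgreSQL or Debian projects. It assumes a Debian/Ubuntu 9.1 cluster at /var/lib/postgresql/9.1/main that is restarted with pg_ctlcluster, a server process running as user postgres, and an openssl binary in PATH; the hostname db.example.test and the 365-day lifetime are placeholders. Because the Heartbleed concern is a leaked private key, the example always generates a new key rather than re-signing the old one.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: regenerate a self-signed
# PostgreSQL server certificate, install it over the Debian snakeoil symlinks
# and check what the running server presents.
# Assumptions (hypothetical): PG 9.1 data dir /var/lib/postgresql/9.1/main,
# cluster restarted with "pg_ctlcluster 9.1 main restart", server user
# "postgres", openssl in PATH.
set -eu

# Generate a NEW RSA key plus a self-signed cert into OUTDIR.
# Usage: gen_selfsigned OUTDIR CN DAYS
gen_selfsigned() {
    outdir=$1; cn=$2; days=$3
    umask 077   # key file must never be group/world readable
    openssl req -new -x509 -nodes -newkey rsa:2048 -days "$days" \
        -subj "/CN=$cn" \
        -keyout "$outdir/server.key" -out "$outdir/server.crt" 2>/dev/null
    chmod 0600 "$outdir/server.key"
    chmod 0644 "$outdir/server.crt"
}

# SHA-256 fingerprint of a PEM certificate, with the "sha256 Fingerprint="
# prefix stripped so two fingerprints can be compared as strings.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# Sanity check: the private key belongs to the certificate (same RSA modulus).
# Usage: key_matches_cert CERT KEY
key_matches_cert() {
    [ "$(openssl x509 -noout -modulus -in "$1")" = \
      "$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)" ]
}

# A self-signed cert verifies against itself as the only trust anchor.
is_self_signed() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Replace the snakeoil symlinks with real files owned by postgres and restart
# the cluster: 9.1 only reads server.crt/server.key from the data directory
# at startup, so a restart (not a reload) is required.
# Usage: install_cert DATADIR SRCDIR
install_cert() {
    datadir=$1; src=$2
    rm -f "$datadir/server.crt" "$datadir/server.key"
    install -o postgres -g postgres -m 0644 "$src/server.crt" "$datadir/server.crt"
    install -o postgres -g postgres -m 0600 "$src/server.key" "$datadir/server.key"
    pg_ctlcluster 9.1 main restart
}

# Fingerprint of the cert a live server presents, to confirm the swap took
# effect. Needs OpenSSL 1.1.1+ for "-starttls postgres"; on older systems use
# psql "host=... sslmode=require" and \conninfo instead.
# Usage: served_fingerprint HOST:PORT
served_fingerprint() {
    openssl s_client -connect "$1" -starttls postgres </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Whole procedure; only runs when invoked as "sh refresh.sh --apply".
refresh_postgres_cert() {
    datadir=$1; cn=$2; hostport=$3
    work=$(mktemp -d)
    gen_selfsigned "$work" "$cn" 365
    key_matches_cert "$work/server.crt" "$work/server.key"
    is_self_signed "$work/server.crt"
    install_cert "$datadir" "$work"
    rm -rf "$work"
    expected=$(cert_fingerprint "$datadir/server.crt")
    actual=$(served_fingerprint "$hostport")
    [ "$expected" = "$actual" ] && echo "server now presents $actual"
}

if [ "${1:-}" = "--apply" ]; then
    refresh_postgres_cert /var/lib/postgresql/9.1/main db.example.test localhost:5432
fi
```

Run it as root with `--apply`; without the flag it only defines the functions so the pieces can be used one at a time. Clients that connect with sslmode=prefer or require (the libpq defaults of that era) will accept the new self-signed cert without complaint, as the thread says; only a client configured with sslmode=verify-ca or verify-full and a root.crt that contains the old cert would need that file updated too.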