[RESOLVED]Re: Cert verify failed on client side after renewal of certs

On 23-09-2014 19:21, Axel Rau wrote:

The problem below disappears if I remove client key and cert from ~/.postgresql, just keeping root.crt.
Which subject CN or Subject alternate name should I use with the client cert?
User name or FQDN of client host comes into mind. Docs are unclear in that point.

Axel

Am 18.09.2014 um 22:57 schrieb Axel Rau <Axel.Rau@chaos1.de>:

Hi all,

I’m gettingpsql: SSL error: certificate verify failed 
after renewing server and client certs.
Both certs are validated ok by openssl:
- - -
openssl verify -verbose -CAfile ca_cert.pem -purpose sslserver /usr/local/pgsql/data-l/db1.in.chaos1.de_server_cert.pem
/usr/local/pgsql/data-l/db1.in.chaos1.de_server_cert.pem: OK
- - -
openssl verify -verbose -CAfile ca_cert.pem -purpose sslclient db1.in.chaos1.de_server_cert.pem
db1.in.chaos1.de_server_cert.pem: OK
- - -
x509 extensions of server cert are
- - -          X509v3 Subject Key Identifier:               E2:F8:B9:D0:94:F2:70:BD:BE:84:EE:5C:7B:45:95:47:E4:9F:49:3B          X509v3 Basic Constraints: critical              CA:FALSE          X509v3 Key Usage: critical              Digital Signature, Key Encipherment          X509v3 Extended Key Usage: critical              TLS Web Server Authentication          X509v3 Subject Alternative Name: critical              DNS:some.host, DNS:another host
- - -
and of client cert
- - -          X509v3 Subject Key Identifier:               E2:F8:B9:D0:94:F2:70:BD:BE:84:EE:5C:7B:45:95:47:E4:9F:49:3B          X509v3 Basic Constraints: critical              CA:FALSE          X509v3 Key Usage: critical              Digital Signature          X509v3 Extended Key Usage: critical              TLS Web Client Authentication          X509v3 Subject Alternative Name: critical              DNS:some.host, DNS:another host
- - -
How can this be?
What am I doing wrong?

Axel
PS: This is still this issue:http://article.gmane.org/gmane.comp.db.postgresql.admin/38559

Thanks for your answer.

The CN should be User name of the database from which client is going to login.

According to the docs, this is required with authentication by client cert (AbCC), which I did not use.

I created a cert with db user name as CN and no subject alternate name (SAN) and this solved my problem!

There should really be a hint in the docs that SSL does not work with client certs containing one or more SANs.

Now the next question: If I switch to AbCC, how can I configure more than one db user per login?

Thanks, Axel