[RESOLVED]Re: Cert verify failed on client side after renewal of certs

From: Axel Rau
Subject: [RESOLVED]Re: Cert verify failed on client side after renewal of certs
Date:
Msg-id: 06C16AEB-4CAA-42BE-8F23-C0573F710429@Chaos1.DE
In reply to: Re: Cert verify failed on client side after renewal of certs  (Adalkonda Harshad <adalkondaharshad@gmail.com>)
List: pgsql-admin

On 24.09.2014 at 07:22, Adalkonda Harshad <adalkondaharshad@gmail.com> wrote:


On 23-09-2014 19:21, Axel Rau wrote:
The problem below disappears if I remove client key and cert from ~/.postgresql, just keeping root.crt.
Which subject CN or Subject alternate name should I use with the client cert?
User name or FQDN of the client host come to mind. The docs are unclear on that point.

Axel

On 18.09.2014 at 22:57, Axel Rau <Axel.Rau@chaos1.de> wrote:

Hi all,

I’m getting "psql: SSL error: certificate verify failed"
after renewing server and client certs.
Both certs are validated OK by openssl:
- - -
openssl verify -verbose -CAfile ca_cert.pem -purpose sslserver /usr/local/pgsql/data-l/db1.in.chaos1.de_server_cert.pem
/usr/local/pgsql/data-l/db1.in.chaos1.de_server_cert.pem: OK
- - -
openssl verify -verbose -CAfile ca_cert.pem -purpose sslclient db1.in.chaos1.de_server_cert.pem
db1.in.chaos1.de_server_cert.pem: OK
- - -
x509 extensions of server cert are
- - -
X509v3 Subject Key Identifier:
    E2:F8:B9:D0:94:F2:70:BD:BE:84:EE:5C:7B:45:95:47:E4:9F:49:3B
X509v3 Basic Constraints: critical
    CA:FALSE
X509v3 Key Usage: critical
    Digital Signature, Key Encipherment
X509v3 Extended Key Usage: critical
    TLS Web Server Authentication
X509v3 Subject Alternative Name: critical
    DNS:some.host, DNS:another host
- - -
and of client cert
- - -
X509v3 Subject Key Identifier:
    E2:F8:B9:D0:94:F2:70:BD:BE:84:EE:5C:7B:45:95:47:E4:9F:49:3B
X509v3 Basic Constraints: critical
    CA:FALSE
X509v3 Key Usage: critical
    Digital Signature
X509v3 Extended Key Usage: critical
    TLS Web Client Authentication
X509v3 Subject Alternative Name: critical
    DNS:some.host, DNS:another host
- - -
How can this be?
What am I doing wrong?

Axel
PS: This is still this issue: http://article.gmane.org/gmane.comp.db.postgresql.admin/38559
Thanks for your answer.

The CN should be the user name of the database from which the client is going to log in.
According to the docs, this is required with authentication by client cert (AbCC), which I did not use.
I created a cert with the db user name as CN and no subject alternative name (SAN), and this solved my problem!
There should really be a hint in the docs that SSL does not work with client certs containing one or more SANs.

Now the next question: If I switch to AbCC, how can I configure more than one db user per login?

Thanks, Axel
---
PGP-Key:29E99DD6  ☀ +49 151 2300 9283  ☀ computing @ chaos claudius
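A pre-flight check for the two properties this thread settled on (subject CN equals the database user name, no subjectAltName in the client cert), as an added example that is not part of the original thread. It parses the text dump produced by `openssl x509 -noout -text`; the certificate dumps below are constructed samples, and the user name `someuser` is a placeholder.

```shell
#!/bin/sh
# Sanity-check a libpq client certificate before installing it as
# ~/.postgresql/postgresql.crt. Input is the text form of the cert as
# printed by:  openssl x509 -noout -text -in postgresql.crt

# Print the subject CN from an `openssl x509 -text` dump (handles both the
# "CN = name" and the "CN=name" spellings and ',' or '/' separators).
cert_cn() {
  printf '%s\n' "$1" \
    | sed -n 's/^ *Subject:.*CN *= *\([^,/]*\).*$/\1/p' \
    | sed 's/ *$//' | head -n 1
}

# Print the subjectAltName value line; prints nothing if the extension is absent.
cert_san() {
  printf '%s\n' "$1" \
    | sed -n '/X509v3 Subject Alternative Name/{n;s/^ *//;p;}'
}

# Return 0 when the cert is usable as the client cert for db user $2,
# otherwise report each problem on stderr and return 1.
check_client_cert() {
  cert="$1"; user="$2"
  cn=$(cert_cn "$cert"); san=$(cert_san "$cert"); rc=0
  if [ "$cn" != "$user" ]; then
    echo "CN '$cn' does not match db user '$user'" >&2; rc=1
  fi
  if [ -n "$san" ]; then
    echo "cert carries a subjectAltName ($san); reissue it without a SAN" >&2; rc=1
  fi
  return $rc
}

# Constructed sample dumps (not real certificates), trimmed to the lines
# the checks look at.
GOOD_CERT='Certificate:
    Data:
        Subject: C=DE, O=example, CN=someuser
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage: critical
                TLS Web Client Authentication'
BAD_CERT='Certificate:
    Data:
        Subject: C=DE, O=example, CN=db1.example.invalid
        X509v3 extensions:
            X509v3 Extended Key Usage: critical
                TLS Web Client Authentication
            X509v3 Subject Alternative Name: critical
                DNS:some.host, DNS:another.host'
```

Against a real file, run `check_client_cert "$(openssl x509 -noout -text -in ~/.postgresql/postgresql.crt)" someuser` and fix whichever complaint it prints before pointing psql at the cert.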
