SSL root.crt not loading
From | Marc-André Laverdière |
---|---|
Subject | SSL root.crt not loading |
Date | |
Msg-id | 4D901430.4000407@atc.tcs.com |
Responses | Re: SSL root.crt not loading |
List | pgsql-novice |

Hello everyone,

I'm a postgres n00b and I'm trying to configure my installation to work with certificate authentication. It is not working for me, and it seems that the sysadmin community doesn't have any hints for me either :(

I am reposting my question on ServerFault in hopes that a psql guru will read it (see http://serverfault.com/questions/248522/postgresql-ssl-root-crt-not-loading)

I am running PostgreSQL 9 on Ubuntu (from their PPA repository). I am using OpenSSL 0.9.8o.

I have generated keys and certificates using TinyCA2 for both a pg server and the psql client. I essentially followed the instructions.

My pg_hba.conf file is configured with this:

    hostssl all abc ::1/128 cert clientcert=1

I have put the root certificate generated by TinyCA along with the server's certificate and key in the DATA directory as follows.

    sudo unzip database_server.zip
    sudo mv
    sudo mv cacert.pem root.crt
    sudo mv cert.pem server.crt
    sudo openssl rsa -in key.pem -out server.key
    sudo chmod 0600 server.key
    sudo chmod ga=r root.crt
    sudo chown postgres:postgres root.crt server.key server.crt

Yet I am unable to start the server. This is what I get on startup:

    $ sudo /etc/init.d/postgresql start 9.0
     * Starting PostgreSQL 9.0 database server
     * The PostgreSQL server failed to start. Please check the log output:
    2011-03-17 16:39:13 IST LOG: client certificates can only be checked if a root certificate store is available
    2011-03-17 16:39:13 IST HINT: Make sure the root.crt file is present and readable.
    2011-03-17 16:39:13 IST CONTEXT: line 93 of configuration file "/etc/postgresql/9.0/main/pg_hba.conf"
    2011-03-17 16:39:13 IST FATAL: could not load pg_hba.conf

Interestingly, the root.crt file is very much present and readable:

    $ ll
    <snip>
    -rw-r--r-- 1 postgres postgres 143 2010-12-01 17:06 pg_ctl.conf
    -rw-r----- 1 postgres postgres 4.3K 2011-03-17 16:35 pg_hba.conf
    -rw-r----- 1 postgres postgres 1.7K 2011-03-17 15:58 pg_ident.conf
    -rw-r--r-- 1 postgres postgres 18K 2011-02-07 18:38 postgresql.conf
    -rw-r--r-- 1 postgres postgres 2.8K 2011-03-17 16:39 root.crt
    -rw------- 1 postgres postgres 2.2K 2011-03-17 14:37 server.crt
    -rw------- 1 postgres postgres 891 2011-03-17 16:18 server.key
    -rw------- 1 postgres postgres 963 2011-03-17 14:37 server.key.encrypted

What is going on? What do I have to do for this certificate to load???

--
Marc-André Laverdière
Software Security Scientist
Innovation Labs, Tata Consultancy Services
Hyderabad, India
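
Added example, not part of the original post: a pre-flight check over the directory the server loads its SSL files from, covering the points the commands above touch (file presence and readability, PEM encoding, key permissions, passphrase removal). It assumes PostgreSQL 9.0 conventions, where root.crt, server.crt and server.key are read from the server's data directory, which packaged installs may keep separate from the directory holding pg_hba.conf; the function name `check_pg_ssl_dir` is hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check of the SSL files PostgreSQL 9.0 reads at startup.
# Assumption: the argument is the directory the server actually loads them from
# (its data directory). Returns 0 when no problem is found, non-zero otherwise.
check_pg_ssl_dir() {
    dir=$1
    problems=0
    report() { echo "PROBLEM: $*" >&2; problems=$((problems + 1)); }

    # All three files must exist and be readable by the invoking user.
    for f in root.crt server.crt server.key; do
        if [ ! -f "$dir/$f" ]; then
            report "$dir/$f is missing"
        elif [ ! -r "$dir/$f" ]; then
            report "$dir/$f is not readable by $(id -un)"
        fi
    done

    # Certificates must be PEM encoded.
    for f in root.crt server.crt; do
        [ -r "$dir/$f" ] || continue
        grep -q -- '-----BEGIN CERTIFICATE-----' "$dir/$f" ||
            report "$dir/$f contains no PEM certificate"
    done

    key=$dir/server.key
    if [ -r "$key" ]; then
        # The server rejects a key file that group or others can access.
        [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] ||
            report "$key has group/world permissions; use chmod 0600"
        # A passphrase-protected key cannot be loaded by an unattended start.
        if grep -q 'ENCRYPTED' "$key"; then
            report "$key is still passphrase-protected"
        fi
    fi

    [ "$problems" -eq 0 ]
}
```

Call it with the data directory as its only argument, running as the account the server runs under (for example through `sudo -u postgres`), because root passes every readability test.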