On 23-09-2014 19:21, Axel Rau wrote:
The problem below disappears if I remove client key and cert from ~/.postgresql, just keeping root.crt.
Which subject CN or Subject alternate name should I use with the client cert?
User name or FQDN of client host comes into mind. Docs are unclear in that point.
Axel
Am 18.09.2014 um 22:57 schrieb Axel Rau <Axel.Rau@chaos1.de>:
Hi all,
I’m getting psql: SSL error: certificate verify failed
after renewing server and client certs.
Both certs are validated ok by openssl:
- - -
openssl verify -verbose -CAfile ca_cert.pem -purpose sslserver /usr/local/pgsql/data-l/db1.in.chaos1.de_server_cert.pem
/usr/local/pgsql/data-l/db1.in.chaos1.de_server_cert.pem: OK
- - -
openssl verify -verbose -CAfile ca_cert.pem -purpose sslclient db1.in.chaos1.de_server_cert.pem
db1.in.chaos1.de_server_cert.pem: OK
- - -
x509 extensions of server cert are
- - - X509v3 Subject Key Identifier: E2:F8:B9:D0:94:F2:70:BD:BE:84:EE:5C:7B:45:95:47:E4:9F:49:3B X509v3 Basic Constraints: critical CA:FALSE X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: critical TLS Web Server Authentication X509v3 Subject Alternative Name: critical DNS:some.host, DNS:another host
- - -
and of client cert
- - - X509v3 Subject Key Identifier: E2:F8:B9:D0:94:F2:70:BD:BE:84:EE:5C:7B:45:95:47:E4:9F:49:3B X509v3 Basic Constraints: critical CA:FALSE X509v3 Key Usage: critical Digital Signature X509v3 Extended Key Usage: critical TLS Web Client Authentication X509v3 Subject Alternative Name: critical DNS:some.host, DNS:another host
- - -
How can this be?
What am I doing wrong?
Axel
PS: This is still this issue: http://article.gmane.org/gmane.comp.db.postgresql.admin/38559
—
PGP-Key:29E99DD6 ☀ +49 151 2300 9283 ☀ computing @ chaos claudius
--
Sent via pgsql-admin mailing list (pgsql-admin@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-admin
---
PGP-Key:29E99DD6 ☀ +49 151 2300 9283 ☀ computing @ chaos claudius
The CN should be User name of the database from which client is going to login.