Re: Cert verify failed on client side after renewal of certs

From Adalkonda Harshad
Subject Re: Cert verify failed on client side after renewal of certs
Msg-id 54225529.1020507@gmail.com
In reply to Re: Cert verify failed on client side after renewal of certs  (Axel Rau <Axel.Rau@Chaos1.DE>)
Responses [RESOLVED]Re: Cert verify failed on client side after renewal of certs  (Axel Rau <Axel.Rau@Chaos1.DE>)
List pgsql-admin

On 23-09-2014 19:21, Axel Rau wrote:
The problem below disappears if I remove client key and cert from ~/.postgresql, just keeping root.crt.
Which subject CN or Subject alternate name should I use with the client cert?
User name or FQDN of client host comes into mind. Docs are unclear in that point.

Axel

Am 18.09.2014 um 22:57 schrieb Axel Rau <Axel.Rau@chaos1.de>:

Hi all,

I’m getting	psql: SSL error: certificate verify failed 
after renewing server and client certs.
Both certs are validated ok by openssl:
- - -
openssl verify -verbose -CAfile ca_cert.pem -purpose sslserver /usr/local/pgsql/data-l/db1.in.chaos1.de_server_cert.pem
/usr/local/pgsql/data-l/db1.in.chaos1.de_server_cert.pem: OK
- - -
openssl verify -verbose -CAfile ca_cert.pem -purpose sslclient db1.in.chaos1.de_server_cert.pem
db1.in.chaos1.de_server_cert.pem: OK
- - -
x509 extensions of server cert are
- - -
X509v3 Subject Key Identifier:
    E2:F8:B9:D0:94:F2:70:BD:BE:84:EE:5C:7B:45:95:47:E4:9F:49:3B
X509v3 Basic Constraints: critical
    CA:FALSE
X509v3 Key Usage: critical
    Digital Signature, Key Encipherment
X509v3 Extended Key Usage: critical
    TLS Web Server Authentication
X509v3 Subject Alternative Name: critical
    DNS:some.host, DNS:another host
- - -
and of client cert
- - -
X509v3 Subject Key Identifier:
    E2:F8:B9:D0:94:F2:70:BD:BE:84:EE:5C:7B:45:95:47:E4:9F:49:3B
X509v3 Basic Constraints: critical
    CA:FALSE
X509v3 Key Usage: critical
    Digital Signature
X509v3 Extended Key Usage: critical
    TLS Web Client Authentication
X509v3 Subject Alternative Name: critical
    DNS:some.host, DNS:another host
- - -
How can this be?
What am I doing wrong?

Axel
PS: This is still this issue:	http://article.gmane.org/gmane.comp.db.postgresql.admin/38559
—
PGP-Key:29E99DD6  ☀ +49 151 2300 9283  ☀ computing @ chaos claudius

The CN should be the user name of the database from which the client is going to log in.
--

Harshad Adalkonda 
Database Administrator

Office: +919552687400/8400
http://www.shreeyansh.com
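
Added example, not part of the original thread: a pre-deployment check that applies the rule from the reply above by reading the subject line printed by `openssl x509 -noout -subject` for the client certificate and comparing its CN with the database user. The sample subject lines are constructed, and the function names and the `ident_map` argument (a stand-in for a user name map) are hypothetical.

```python
# Constructed sample lines in the shapes printed by
# `openssl x509 -noout -subject -in <client cert>` (not taken from the thread).
SAMPLE_OLD = "subject= /C=DE/O=Example/CN=axel"        # OpenSSL 1.0.x layout
SAMPLE_NEW = "subject=C = DE, O = Example, CN = axel"  # OpenSSL 1.1+ layout
SAMPLE_HOST = "subject=C = DE, O = Example, CN = client1.example.org"


def subject_cn(subject_line):
    """Return the CN from an `openssl x509 -subject` line, or None."""
    text = subject_line.strip()
    if text.lower().startswith("subject="):
        text = text[len("subject="):].strip()
    # The old layout separates name components with '/', the new one with ','.
    # Values containing an escaped separator are not handled here.
    parts = text.split("/") if text.startswith("/") else text.split(",")
    cn = None
    for part in parts:
        key, sep, value = part.partition("=")
        if sep and key.strip().upper() == "CN":
            cn = value.strip()  # keep the last CN if several are present
    return cn


def check_client_cert(subject_line, db_user, ident_map=None):
    """Check the CN against the database user; returns (ok, reason).

    ident_map is a hypothetical dict {CN: set of allowed database users};
    without it the CN must equal the database user exactly.
    """
    cn = subject_cn(subject_line)
    if cn is None:
        return False, "certificate subject has no CN"
    if cn == db_user:
        return True, f"CN {cn!r} matches database user"
    if ident_map and db_user in ident_map.get(cn, ()):
        return True, f"CN {cn!r} is mapped to database user {db_user!r}"
    return False, f"CN {cn!r} does not match database user {db_user!r}"


if __name__ == "__main__":
    for line in (SAMPLE_OLD, SAMPLE_NEW, SAMPLE_HOST):
        print(check_client_cert(line, "axel"))
```

A certificate issued with the client host's FQDN as CN, as in the third sample, fails the check unless a map entry covers it.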
