Re: Windows default directory for client certificates

From: Lupi Loop
Subject: Re: Windows default directory for client certificates
Msg-id: CAPn209JMw3_nPUEBZCkpLHGXtsCX_Ra+f6QR411bhoBXX+dUbw@mail.gmail.com
In reply to: Re: Windows default directory for client certificates  (Albe Laurenz <laurenz.albe@wien.gv.at>)
List: pgsql-general

Thank you very much for your answer, Laurenz. I was storing the client certificates in PGDATA (C:\Program Files\PostgreSQL\9.5\data\) instead of in APPDATA (C:\Users\XXX\AppData\Roaming).

Problem solved.

Thank you



2016-03-09 11:45 GMT+01:00 Albe Laurenz <laurenz.albe@wien.gv.at>:
Lupi Loop wrote:
> PostgreSQL documentation at http://www.postgresql.org/docs/9.5/static/libpq-ssl.html
> says that when a client certificate is requested by a server, a windows client psql will use by
> default the credentials  located at %APPDATA%\postgresql\postgresql.crt and
> %APPDATA%\postgresql\postgresql.key
>
> However, my psql client application (v 9.5.0) in a Windows Server 2012 R2 cannot find the certificates
> in this location and only works when this location is specifically set using the sslcert and sslkey
> attributes when connecting. Is this a bug or am I using a wrong path?
>
> This is an example of execution:
>
> -------------------------------------------
> C:\Program Files\PostgreSQL\9.5\data> ..\bin\psql "postgresql://postgres@localhost/postgres"
> psql: FATAL:  connection requires a valid client certificate
> FATAL:  no pg_hba.conf entry for host "::1", user "postgres", database"postgres", SSL off
>
> C:\Program Files\PostgreSQL\9.5\data> ..\bin\psql "postgresql://postgres@localhost/postgres?sslkey=postgresql\postgresql.key&sslcert=postgresql\postgresql.crt"
> psql (9.5.0)
> SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384,bits: 256, compression: off)
> Type "help" for help.
> postgres=#
> --------------------------------
> cheers

To make this work, you will have to have a root certificate "root.crt" in the
server's data directory and the configuration parameter "ssl_ca_file" set to "root.crt".

The corresponding line in pg_hba.conf should look like this:
hostssl  <dbname>  <user>  <client IP>/32  md5 clientcert=1

Then you have to restart the server.
But I guess you have done that since it works if you specify the files explicitly.

Perhaps you are not in the %APPDATA% directory.
What do you get when you type
   echo %APPDATA%
on the command prompt?

One possibility to investigate this is to run "Process Monitor" and add the filters
"Process Name is psql.exe" and "Path ends with postgresql.key".
Then you should see where psql looks for the client key.

Yours,
Laurenz Albe
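
Added example (not part of the original thread, and not PostgreSQL project code): a small Python check that reports which client certificate and key file libpq would pick for the current user, and whether each file exists. The function names are hypothetical; the precedence (sslcert/sslkey connection parameters, then the PGSSLCERT/PGSSLKEY environment variables, then the per-user default) and the Unix default ~/.postgresql/ are taken from the libpq documentation rather than from this thread.

```python
import ntpath
import os
import posixpath
import sys


def libpq_client_cert_paths(conn_params=None, env=None, windows=None, home=None):
    """Return {'sslcert': (path, source), 'sslkey': (path, source)}.

    Precedence: connection parameter, then PGSSLCERT/PGSSLKEY,
    then the per-user default directory.
    """
    conn_params = conn_params or {}
    env = os.environ if env is None else env
    windows = sys.platform.startswith("win") if windows is None else windows
    if windows:
        # Documented Windows default: %APPDATA%\postgresql\
        join = ntpath.join
        base = join(env.get("APPDATA", ""), "postgresql")
    else:
        # Documented Unix default: ~/.postgresql/
        join = posixpath.join
        base = join(home or os.path.expanduser("~"), ".postgresql")
    defaults = {"sslcert": "postgresql.crt", "sslkey": "postgresql.key"}
    env_names = {"sslcert": "PGSSLCERT", "sslkey": "PGSSLKEY"}
    result = {}
    for param, filename in defaults.items():
        if conn_params.get(param):
            result[param] = (conn_params[param], "connection parameter")
        elif env.get(env_names[param]):
            result[param] = (env[env_names[param]], env_names[param])
        else:
            result[param] = (join(base, filename), "default")
    return result


def report(paths):
    """One line per file; relative paths are checked against the current directory."""
    lines = []
    for param, (path, source) in paths.items():
        state = "found" if os.path.isfile(path) else "MISSING"
        lines.append(f"{param}: {path} [{source}] {state}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(libpq_client_cert_paths())))
```

Run as the same Windows user that starts psql; a "default ... MISSING" line points to files stored somewhere other than %APPDATA%\postgresql, as happened with the data directory in this thread.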
