Re: SSL auth problem

From: Albe Laurenz
Subject: Re: SSL auth problem
Msg-id: D960CB61B694CF459DCFB4B0128514C2021DDA19@exadv11.host.magwien.gv.at
In reply to: SSL auth problem (Vitaliyi <imgrey@gmail.com>)
List: pgsql-general
Vitaliyi wrote:
> I'm trying to set up SSL auth.
>
> creating CA:
>
> openssl genrsa -out our.key 2048
> openssl req -new -key our.key -out our.req
> openssl req -x509 -in our.req -text -key our.key -out root.crt
>
> then I copy root.crt to the postgresql host and to the client host in
> ~/.postgresql
>
> generating another key on server:
>
> openssl genrsa -out server.key 2048
> then request for signing to CA:
> openssl req -new -key server.key -out server.req
>
> signing on CA:
>
> openssl req -x509 -in server.req -text -key our.key -out server.crt
>
> now the postgresql data dir contains the following files:
>
> server.crt
> server.key
> root.crt
> and blank root.crl
>
> on client host:
>
> cd ~/.postgresql
> openssl genrsa -out postgresql.key 2048
> then signing with our.key on the CA and placing postgresql.crt, root.crt
> in ~/.postgresql
>
>
> This is my picture of what is happening:
>
> 1. we are using our CA public key to generate root.crt:
>
> root_signature = ca_pub_key**ca_priv_key % n
>
> 2. on the postgres server, creating a key pair and signing the public key on the CA, receiving
> server_signature (server.crt):
>
> server_signature = server_pub_key**root_priv_key % n
>
> The client uses server_signature before encrypting and sending a message to the server:
>
> server_pub_key = server_signature**root_pub_key % n
>
> if server_pub_key is valid then the user encrypts the message with server_pub_key.
>
>
> 3. The client generates his own key pair and asks our CA to
> sign his public key.
>
> client_signature = client_pub_key**ca_priv_key % n
>
> He writes client_signature to postgresql.crt, which the server uses when sending something
> to the client:
>
> client_pub_key = client_signature**root_pub_key % n
>
>
> If everything is correct, then why is psql complaining:
>
> psql "dbname=me sslmode=require host=postgres_server user=me"
> psql: SSL error: certificate verify failed
>
> log on postgres_server:
>
> postgres[98462]: [3-1] LOG:  could not accept SSL connection: tlsv1
> alert unknown ca

I could not follow completely, so let me ask:

- Did you put the same thing in root.crt on both client and server?
- Does root.crt contain a self-signed certificate?
- Does root.crt contain the certificate that was used to sign server.crt and postgresql.crt?
- Are there any SSL messages in the server log file immediately after server startup?

Yours,
Laurenz Albe
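The four questions above can each be answered with openssl on the files themselves. The script below is an added example and is not part of this thread or of PostgreSQL: it builds a throwaway CA, server and client certificate in a temporary directory the way a CA signs requests (with `openssl x509 -req -CA root.crt -CAkey our.key`, so the issuer of server.crt and postgresql.crt is the subject of root.crt), then runs the checks: is root.crt self-signed, does it verify the two leaf certificates, and does each private key belong to its certificate. For contrast it also produces a certificate with the `openssl req -x509 -in server.req -key our.key` form used in the quoted message and shows that such a certificate does not chain to root.crt, which is one way to end up with "unknown ca" on the server. All subject names and file names are constructed for the example; it assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal PKI plus the checks that
# answer "is root.crt self-signed?" and "did root.crt sign server.crt and
# postgresql.crt?". Assumes the openssl CLI; all names here are constructed.

# True when subject == issuer AND the certificate's own key verifies its
# signature (-check_ss_sig makes openssl verify the root's self-signature).
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ] &&
        openssl verify -check_ss_sig -CAfile "$1" "$1" >/dev/null 2>&1
}

# True when CA certificate $1 chain-verifies end-entity certificate $2.
# This is what the server does with root.crt against postgresql.crt and
# what libpq does with ~/.postgresql/root.crt against server.crt.
signed_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# True when private key $1 belongs to certificate $2 (compare public halves).
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# Build root.crt, server.crt and postgresql.crt in directory $1.
make_pki() {
    ( cd "$1" || exit 1
      # CA: a self-signed root. The same root.crt goes to both hosts.
      openssl genrsa -out our.key 2048 2>/dev/null
      openssl req -new -x509 -key our.key -subj "/CN=Example CA" -days 365 -out root.crt
      # Server: CSR, then signed BY the CA, so issuer = root.crt's subject.
      openssl genrsa -out server.key 2048 2>/dev/null
      openssl req -new -key server.key -subj "/CN=pg-server" -out server.req
      openssl x509 -req -in server.req -CA root.crt -CAkey our.key -CAcreateserial \
          -days 365 -out server.crt 2>/dev/null
      # Client: same procedure for ~/.postgresql/postgresql.crt.
      openssl genrsa -out postgresql.key 2048 2>/dev/null
      openssl req -new -key postgresql.key -subj "/CN=me" -out postgresql.req
      openssl x509 -req -in postgresql.req -CA root.crt -CAkey our.key -CAcreateserial \
          -days 365 -out postgresql.crt 2>/dev/null
      # Contrast: the form used in the quoted message. "req -x509" writes a
      # certificate whose issuer is its own subject, so root.crt is not in its chain.
      openssl req -x509 -in server.req -key our.key -days 365 \
          -out server-selfsigned.crt 2>/dev/null || true
    )
}

# Stand-alone run: build the PKI and report each check as ok / FAIL.
main() {
    d=$(mktemp -d)
    make_pki "$d"
    report() { if "$@"; then echo "ok   $*"; else echo "FAIL $*"; fi; }
    report is_self_signed "$d/root.crt"
    report signed_by "$d/root.crt" "$d/server.crt"
    report signed_by "$d/root.crt" "$d/postgresql.crt"
    report key_matches_cert "$d/server.key" "$d/server.crt"
    report key_matches_cert "$d/postgresql.key" "$d/postgresql.crt"
    report signed_by "$d/root.crt" "$d/server-selfsigned.crt"   # expected: FAIL
    rm -rf "$d"
}

[ "${RUN_MAIN:-1}" = 1 ] && [ -z "${CHECK_ONLY:-}" ] && main
```

To run the same checks against real files, point `signed_by` at the root.crt from the server's data directory and the root.crt from the client's `~/.postgresql` in turn; if either copy fails to verify server.crt or postgresql.crt, or `openssl x509 -noout -issuer` on a leaf certificate shows a name other than root.crt's subject, the chain is broken on that side and the server's "unknown ca" alert is the expected result.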
