Vitaliyi wrote:
> another error appeared:
>
> psql: SSL error: sslv3 alert bad certificate
>
> so I started from beginning:
> on CA:
> openssl genrsa -out our.key 2048
>
> creating self-signed serificate:
> openssl req -new -key our.key -out our.req
> openssl req -x509 -in our.req -text -key our.key -out root.crt
It does not cause an error, but omit -text.
> copied root.crt to client and postgres server
>
> on server:
> openssl genrsa -out server.key 2048
You forgot here:
openssl req -new -key server.key -out /tmp/server.req
> on CA:
> openssl x509 -req -in /tmp/server.req -CA ./root.crt -CAkey our.key
> -CAcreateserial -out server.crt
>
> on client:
> openssl genrsa -out postgresql.key 2048
> openssl req -new -key postgresql.key -out cl.req
>
> on CA:
> openssl x509 -req -in /tmp/cl.req -CA ./root.crt -CAkey our.key
> -CAcreateserial -out postgresql.crt
>
> files on client host:
> postgresql.crt (signed by CA, -- root.crt)
> postgresql.key (client private and public keys)
Did you make sure that postgresql.key has permissions 0600?
> root.crt
>
> files on postgresql server:
> server.key (priv and pub keys)
Did you make sure that server.key has permissions 0600?
> server.crt (signed by root CA)
> root.crt
>
> stopped postgresql and started again
>
> on client:
>
> psql "dbname=me sslmode=require host=postgresql_host user=me"
> psql: SSL error: sslv3 alert bad certificate
That means, I guess, that the client does not like its certificate files.
Check that they are ok, with something like
openssl x509 -noout -dates -issuer -subject -in root.crt
or
openssl x509 -noout -text -in root.crt
Same for root.crt.
Yours,
Laurenz Albe