Обсуждение: Bug: certificate expired
Hello, I have been using PgAdmin III with SSL for a couple of months. I set up certificates for both the server and the client,valid until March 2009. Everything worked fine. Now the bad news: PgAdmin refuses to connect since yesterday, with this error message: Error connecting to the server: SSL error: sslv3 alert certificate expired This is obviously a nonsense, as both certificates are valid and system clocks on both computers show correct date and time.I even restarted the PostgreSQL server, which did not help. Using PostgreSQL 8.3.3, compiled --with-openssl. Best regards, Andrej Podzimek
> Hello, > > I have been using PgAdmin III with SSL for a couple of months. I set up > certificates for both the server and the client, valid until March 2009. > Everything worked fine. > > Now the bad news: PgAdmin refuses to connect since yesterday, with this > error message: > > Error connecting to the server: SSL error: sslv3 alert certificate > expired > > This is obviously a nonsense, as both certificates are valid and system > clocks on both computers show correct date and time. I even restarted > the PostgreSQL server, which did not help. > > Using PostgreSQL 8.3.3, compiled --with-openssl. > > Best regards, > > Andrej Podzimek Sorry for answeing my own message, but the bug is still there... This is a real showstopper. What could be wrong? Andrej
On Tue, Oct 7, 2008 at 11:31 PM, Andrej Podzimek <andrej@podzimek.org> wrote: >> Hello, >> >> I have been using PgAdmin III with SSL for a couple of months. I set up >> certificates for both the server and the client, valid until March 2009. >> Everything worked fine. >> >> Now the bad news: PgAdmin refuses to connect since yesterday, with this >> error message: >> >> Error connecting to the server: SSL error: sslv3 alert certificate >> expired >> >> This is obviously a nonsense, as both certificates are valid and system >> clocks on both computers show correct date and time. I even restarted the >> PostgreSQL server, which did not help. >> >> Using PostgreSQL 8.3.3, compiled --with-openssl. >> >> Best regards, >> >> Andrej Podzimek > > Sorry for answeing my own message, but the bug is still there... This is a > real showstopper. What could be wrong? The message comes from OpenSSL/libpq - pgAdmin just displays it for you. I have no idea why OpenSSL would think your certificate had expired unless it had. Could it be the the issuing CA certificate has expired? -- Dave Page EnterpriseDB UK: http://www.enterprisedb.com
On Wed, Oct 8, 2008 at 3:12 PM, Andrej Podzimek <andrej@podzimek.org> wrote: > This seems inexplicable to me: Certificate and key files still in place, > computer clocks OK and it just stopped working. Should I try an older > version of OpenSSL? I'm not exactly an expert with OpenSSL, so I'm not sure what's worth trying version-wise. > All other programs based on OpenSSL work just fine. Is it possible to get > more log messages somehow? The client says certificate has expired. The > server says that the client did not provide any certificate. The client > certificate is valid untill 2009 and so is the server certificate. > > I tried to log in from a remote computer, then from the LAN and locally. The > same nonsense was „reported" each time. Do you get the same if you use psql? -- Dave Page EnterpriseDB UK: http://www.enterprisedb.com
>>> Hello, >>> >>> I have been using PgAdmin III with SSL for a couple of months. I set up >>> certificates for both the server and the client, valid until March 2009. >>> Everything worked fine. >>> >>> Now the bad news: PgAdmin refuses to connect since yesterday, with this >>> error message: >>> >>> Error connecting to the server: SSL error: sslv3 alert certificate >>> expired >>> >>> This is obviously a nonsense, as both certificates are valid and system >>> clocks on both computers show correct date and time. I even restarted the >>> PostgreSQL server, which did not help. >>> >>> Using PostgreSQL 8.3.3, compiled --with-openssl. >>> >>> Best regards, >>> >>> Andrej Podzimek >> Sorry for answeing my own message, but the bug is still there... This is a >> real showstopper. What could be wrong? > > The message comes from OpenSSL/libpq - pgAdmin just displays it for > you. I have no idea why OpenSSL would think your certificate had > expired unless it had. Could it be the the issuing CA certificate has > expired? No, that's my home-made CA, with a certificate valid until 2011... In fact, the whole story is a little bit more complicated: 1) I enabled OpenSSL for psql and pgAdmin in June 2008. 2) It stopped working (for the first time) at the end of August, with the stupid error message (expired certificate). 3) Adding the CA certificate and CRL on the *client* side fixed this, amazingly. 4) Then it worked for about one month, till the beginning of October. 5) Stopped working again about two days ago. The same error message This seems inexplicable to me: Certificate and key files still in place, computer clocks OK and it just stopped working.Should I try an older version of OpenSSL? All other programs based on OpenSSL work just fine. Is it possible to get more log messages somehow? The client says certificatehas expired. The server says that the client did not provide any certificate. The client certificate is validuntill 2009 and so is the server certificate. I tried to log in from a remote computer, then from the LAN and locally. The same nonsense was „reported“ each time. Andrej
On Wed, Oct 8, 2008 at 3:24 PM, Andrej Podzimek <andrej@podzimek.org> wrote: >> Do you get the same if you use psql? > > Yes, both pgAdmin and psql behave the same way. There is just one > difference: psql prefers IPv6, whereas pgAdmin insists on IPv4. However, > none of them can establish the SSL connection. Much as it may sound like I'm passing the buck then, I'd suggest asking on the PostgreSQL lists then. pgAdmin uses libpq/OpenSSL to connect, as does psql, so this is obviously not a pgAdmin issue. -- Dave Page EnterpriseDB UK: http://www.enterprisedb.com
> I'm not exactly an expert with OpenSSL, so I'm not sure what's worth > trying version-wise. OpenSSL is the only thing that may have been updated since August. PostgreSQL and its tools remained unchanged. However,rebooting (or even recompiling) the server is the last thing I would like to do. But if it was inevitable, I wouldprobably give it a try... > Do you get the same if you use psql? Yes, both pgAdmin and psql behave the same way. There is just one difference: psql prefers IPv6, whereas pgAdmin insistson IPv4. However, none of them can establish the SSL connection. Andrej