Обсуждение: pgAdmin asks me the server's private key

 Hi,

I installed postgreSQL on my serveur with the SSL support enabled. I
have my own CA and I generated a cert for this service. When I use
pgAdmin III, it says :

"Error connecting to the server: certificate present, but not private
key file "C:\Users\<my user>\AppData\Roaming/postgresql/postgresql.key"

I don't understand why it wants the server private key ?! It's a big
security hole if I must give the private key. I miss something ?

Thank you for you help,
Sébastien Mauroy

Le 06/10/2010 22:51, Sébastien Mauroy a écrit :
> [...]
> I installed postgreSQL on my serveur with the SSL support enabled. I
> have my own CA and I generated a cert for this service. When I use
> pgAdmin III, it says :
> 
> "Error connecting to the server: certificate present, but not private
> key file "C:\Users\<my user>\AppData\Roaming/postgresql/postgresql.key"
> 
> I don't understand why it wants the server private key ?! It's a big
> security hole if I must give the private key. I miss something ?
> 

Well, I guess you do. Did you try to connect with psql? didn't it ask
for the same thing?


-- 
Guillaumehttp://www.postgresql.frhttp://dalibo.com

I think this is a postgres question about how it expects ssl to be configured ...<br />I found some source code for
Postgresthat has this message in it..<br /><br /><a
href="http://doxygen.postgresql.org/fe-secure_8c-source.html">http://doxygen.postgresql.org/fe-secure_8c-source.html</a><br
/><br/><div style="margin-left: 40px;">01010 if (have_cert && fnbuf[0] != '\0')<br />01011     {<br
/>01012        /* read the client key from file */<br />01013 <br />01014         if (stat(fnbuf, &buf) != 0)<br />
01015        {<br />01016             printfPQExpBuffer(&conn->errorMessage,<br
/>01017                              libpq_gettext("<b>certificate present, but not private key file</b> \"%s\"\n"),<br
/>01018                               fnbuf);<br />01019             return -1;<br />01020         }<br />01021 #ifndef
WIN32<br/>01022         if (!S_ISREG(buf.st_mode) || buf.st_mode & (S_IRWXG | S_IRWXO))<br />01023         {<br />
01024            printfPQExpBuffer(&conn->errorMessage,<br />01025                              
libpq_gettext("privatekey file \"%s\" has group or world access; permissions should be u=rw (0600) or less\n"),<br />
01026                              fnbuf);<br />01027             return -1;<br />01028         }<br />01029 #endif<br
/>01030<br />01031         if (SSL_use_PrivateKey_file(conn->ssl, fnbuf, SSL_FILETYPE_PEM) != 1)<br />01032        
{<br/> 01033             char       *err = SSLerrmessage();<br />01034 <br />01035            
printfPQExpBuffer(&conn->errorMessage,<br/>01036                libpq_gettext("could not load private key file
\"%s\":%s\n"),<br /> 01037                               fnbuf, err);<br />01038             SSLerrfree(err);<br
/>01039            return -1;<br />01040         }<br />01041     }<br /><br /></div><br /><br /><div
class="gmail_quote">2010/10/6Guillaume Lelarge <span dir="ltr"><<a
href="mailto:guillaume@lelarge.info">guillaume@lelarge.info</a>></span><br/><blockquote class="gmail_quote"
style="margin:0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">Le 06/10/2010 22:51,
SébastienMauroy a écrit :<br /> > [...]<br /> > I installed postgreSQL on my serveur with the SSL support
enabled.I<br /> > have my own CA and I generated a cert for this service. When I use<br /> > pgAdmin III, it says
:<br/> ><br /> > "Error connecting to the server: certificate present, but not private<br /> > key file
"C:\Users\<myuser>\AppData\Roaming/postgresql/postgresql.key"<br /> ><br /> > I don't understand why it
wantsthe server private key ?! It's a big<br /> > security hole if I must give the private key. I miss something
?<br/> ><br /><br /> Well, I guess you do. Did you try to connect with psql? didn't it ask<br /> for the same
thing?<br/><br /><br /> --<br /> Guillaume<br />  <a href="http://www.postgresql.fr"
target="_blank">http://www.postgresql.fr</a><br/>  <a href="http://dalibo.com" target="_blank">http://dalibo.com</a><br
/><fontcolor="#888888"><br /> --<br /> Sent via pgadmin-support mailing list (<a
href="mailto:pgadmin-support@postgresql.org">pgadmin-support@postgresql.org</a>)<br/> To make changes to your
subscription:<br/><a href="http://www.postgresql.org/mailpref/pgadmin-support"
target="_blank">http://www.postgresql.org/mailpref/pgadmin-support</a><br/></font></blockquote></div><br /> 

Le 07/10/2010 00:50, Sébastien Mauroy a écrit :
>  Thank you for you help !
> 
> Le 7/10/2010 00:15, Guillaume Lelarge a écrit :
>> Well, I guess you do. Did you try to connect with psql? didn't it ask
>> for the same thing?
> 
> I got the same message.
> 

So, the issue is with PostgreSQL, not pgAdmin.

> Le 7/10/2010 00:25, Michael Shapiro a écrit :
>> I think this is a postgres question about how it expects ssl to be
>> configured ...
>> I found some source code for Postgres that has this message in it..
> 
> I read the source "fe-secure.c" and it seems need the private key...but
> I can't understand why. My only change of the default "postgresql.conf"
> is the "ssl" option (to true).
> 

I never set up PostgreSQL to use SSL with certificate, so I can't
answer. The best you can do is read the manual
(http://www.postgresql.org/docs/9.0/interactive/ssl-tcp.html) and ask on
a PostgreSQL mailing list (pgsql-admin or pgsql-general).


-- 
Guillaumehttp://www.postgresql.frhttp://dalibo.com