Discussion: SSL auth problem
Good Day

I'm trying to set up SSL auth.

creating CA:

openssl genrsa -out our.key 2048
openssl req -new -key our.key -out our.req
openssl req -x509 -in our.req -text -key our.key -out root.crt

then I copy root.crt on postgresql host and to client host in ~/.postgresql

generating another key on server:

openssl genrsa -out server.key 2048

then request for signing to CA:

openssl req -new -key server.key -out server.req

signing on CA:

openssl req -x509 -in server.req -text -key our.key -out server.crt

now in postgresql data dir following files:

server.crt
server.key
root.crt
and blank root.crl

on client host:

cd ~/.postgresql
openssl genrsa -out postgresql.key 2048

then signing with our.key on CA and placing postgresql.crt, root.crt to ~/.postgresql

This is my picture of what is happening:

1. we are using our CA public key to generate root.crt:

root_signature = ca_pub_key**ca_priv_key % n

2. on postgres server creating key-pair and signing public key on CA, receiving server_signature (server.crt):

server_signature = server_pub_key**root_priv_key % n

Client is using server_signature before encrypting and sending message to server:

server_pub_key = server_signature**root_pub_key % n

if server_pub_key is valid then user is encrypting message with server_pub_key.

3. Client is generating his own key-pair and asking our CA to sign his public key.

client_signature = client_pub_key**ca_priv_key % n

client_signature he is writing to postgresql.crt, which server is using when sending something to client:

client_pub_key = client_signature**root_pub_key % n

If everything is correct, then why is psql complaining:

psql "dbname=me sslmode=require host=postgres_server user=me"
psql: SSL error: certificate verify failed

log on postgres_server:

postgres[98462]: [3-1] LOG: could not accept SSL connection: tlsv1 alert unknown ca

P.S.
postgres-8.2 on freebsd
postgresql-client-8.2 on debian
Vitaliyi wrote:
> I'm trying to set up SSL auth.
>
> creating CA:
>
> openssl genrsa -out our.key 2048
> openssl req -new -key our.key -out our.req
> openssl req -x509 -in our.req -text -key our.key -out root.crt
>
> then I copy root.crt on postgresql host and to client host in
> ~/.postgresql
>
> generating another key on server:
>
> openssl genrsa -out server.key 2048
> then request for signing to CA:
> openssl req -new -key server.key -out server.req
>
> signing on CA:
>
> openssl req -x509 -in server.req -text -key our.key -out server.crt
>
> now in postgresql data dir following files:
>
> server.crt
> server.key
> root.crt
> and blank root.crl
>
> on client host:
>
> cd ~/.postgresql
> openssl genrsa -out postgresql.key 2048
> then signing with our.key on CA and placing postgresql.crt, root.crt
> to ~/.postgresql
>
>
> This is my picture of what is happening:
>
> 1. we are using our CA public key to generate root.crt:
>
> root_signature = ca_pub_key**ca_priv_key % n
>
> 2. on postgres server creating key-pair and signing public key on CA, receiving
> server_signature (server.crt):
>
> server_signature = server_pub_key**root_priv_key % n
>
> Client is using server_signature before encrypting and sending message to server:
>
> server_pub_key = server_signature**root_pub_key % n
>
> if server_pub_key is valid then user is encrypting message with server_pub_key.
>
>
> 3. Client is generating his own key-pair and asking our CA to
> sign his public key.
>
> client_signature = client_pub_key**ca_priv_key % n
>
> client_signature he is writing to postgresql.crt, which server is using when sending something
> to client:
>
> client_pub_key = client_signature**root_pub_key % n
>
>
> If everything is correct, then why is psql complaining:
>
> psql "dbname=me sslmode=require host=postgres_server user=me"
> psql: SSL error: certificate verify failed
>
> log on postgres_server:
>
> postgres[98462]: [3-1] LOG: could not accept SSL connection: tlsv1
> alert unknown ca

I could not follow completely, so let me ask:

- Did you put the same thing in root.crt on both client and server?
- Does root.crt contain a self signed certificate?
- Does root.crt contain the certificate that was used to sign server.crt and postgresql.crt?
- Are there any SSL messages in the server log file immediately after server startup?

Yours,
Laurenz Albe
Please, always CC: the list in your replies!

Vitaliyi wrote:
> > - Did you put the same thing in root.crt on both client and server?
>
> yes
>
> > - Does root.crt contain a self signed certificate?
>
> yes
>
> > - Does root.crt contain the certificate that was used to
> > sign server.crt and postgresql.crt?
>
> yes
>
> > - Are there any SSL messages in the server log file
> > immediately after server startup?
>
> LOG: SSL certificate revocation list file "root.crl" not found,
> skipping: no SSL error reported
> DETAIL: Certificates will not be checked against revocation list.
>
> don't know where it is looking for "root.crl", but it is in directory
> with root.crt and server.key, server.crt

That should be harmless...

Let me reexamine your original mail:

> generating another key on server:
[...]
> signing on CA:
> openssl req -x509 -in server.req -text -key our.key -out server.crt

That's the problem, I think.
With this statement you generate a self signed certificate from server.req
(check with "openssl x509 -in server.crt -text -noout").

What you need is a certificate signed by root.crt.

You can do it like this:

openssl x509 -req -in server.req -CA root.crt -CAkey our.key -CAcreateserial -out server.crt

See if that gets rid of the message!

Yours,
Laurenz Albe
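The point Laurenz makes here, as an added example that is not part of the thread: the script below rebuilds the thread's setup in a scratch directory with the same file names (our.key, root.crt, server.crt, postgresql.crt) and lets "openssl verify" show the difference between the original "openssl req -x509 ..." signing step, which only yields another self-signed certificate, and the "openssl x509 -req -CA ..." form that actually chains the leaf certificates to root.crt. The subject names are constructed placeholders and the function names are hypothetical; it needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce the certificate setup
# the thread is about in a scratch directory and let "openssl verify" show
# the difference between the original "openssl req -x509 ..." step (which
# yields a second self-signed certificate) and the "openssl x509 -req -CA ..."
# form that actually chains server.crt and postgresql.crt to root.crt.
# Subject names are constructed placeholders; function names are hypothetical.
set -e

# make_ca DIR : self-signed root (our.key / root.crt, as named in the thread),
# done in one step instead of the thread's req + req -x509 pair
make_ca() {
    dir=$1
    openssl genrsa -out "$dir/our.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/our.key" -days 30 \
        -subj "/O=Example CA/CN=example-root" -out "$dir/root.crt" 2>/dev/null
}

# issue_signed DIR NAME CN : key + request, then a certificate signed by the CA key
issue_signed() {
    dir=$1; name=$2; cn=$3
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$name.key" -subj "/CN=$cn" -out "$dir/$name.req" 2>/dev/null
    openssl x509 -req -in "$dir/$name.req" -CA "$dir/root.crt" -CAkey "$dir/our.key" \
        -CAcreateserial -days 30 -out "$dir/$name.crt" 2>/dev/null
}

# issue_selfsigned DIR NAME CN : the thread's original mistake, kept for comparison.
# "req -x509" signs the request with the key given by -key, so the result has
# issuer == subject and root.crt is never involved.
issue_selfsigned() {
    dir=$1; name=$2; cn=$3
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$name.key" -subj "/CN=$cn" -out "$dir/$name.req" 2>/dev/null
    openssl req -x509 -in "$dir/$name.req" -key "$dir/$name.key" -days 30 \
        -out "$dir/$name.crt" 2>/dev/null
}

# chain_status DIR CERT : "ok" if DIR/CERT verifies against DIR/root.crt, else "fail"
chain_status() {
    if openssl verify -CAfile "$1/root.crt" "$1/$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# demo : builds everything in a temp dir and reports the three verification results
demo() {
    work=$(mktemp -d)
    make_ca "$work"
    issue_signed "$work" server postgres_server
    issue_signed "$work" postgresql me
    issue_selfsigned "$work" selfsigned postgres_server
    result="server=$(chain_status "$work" server.crt)"
    result="$result client=$(chain_status "$work" postgresql.crt)"
    result="$result selfsigned=$(chain_status "$work" selfsigned.crt)"
    rm -rf "$work"
    echo "$result"
}

demo
```

The "selfsigned=fail" result is exactly the condition behind the original "tlsv1 alert unknown ca": the server presented a certificate whose issuer is itself, so the client's root.crt could not vouch for it.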
>> don't know where it is looking for "root.crl", but it is in directory
>> with root.crt and server.key, server.crt
>
> That should be harmless...

removed root.crl. the same effect

> Let me reexamine your original mail:
>
>> generating another key on server:
> [...]
>> signing on CA:
>> openssl req -x509 -in server.req -text -key our.key -out server.crt
>
> That's the problem, I think.
> With this statement you generate a self signed certificate from server.req
> (check with "openssl x509 -in server.crt -text -noout").
>
> What you need is a certificate signed by root.crt.
>
> You can do it like this:
>
> openssl x509 -req -in server.req -CA root.crt -CAkey our.key -CAcreateserial -out server.crt
>
> See if that gets rid of the message!

another error appeared:

psql: SSL error: sslv3 alert bad certificate

so I started from beginning:

on CA:
openssl genrsa -out our.key 2048

creating self-signed certificate:
openssl req -new -key our.key -out our.req
openssl req -x509 -in our.req -text -key our.key -out root.crt

copied root.crt to client and postgres server

on server:
openssl genrsa -out server.key 2048

on CA:
openssl x509 -req -in /tmp/server.req -CA ./root.crt -CAkey our.key -CAcreateserial -out server.crt

on client:
openssl genrsa -out postgresql.key 2048
openssl req -new -key postgresql.key -out cl.req

on CA:
openssl x509 -req -in /tmp/cl.req -CA ./root.crt -CAkey our.key -CAcreateserial -out postgresql.crt

files on client host:
postgresql.crt (signed by CA, -- root.crt)
postgresql.key (client private and public keys)
root.crt

files on postgresql server:
server.key (priv and pub keys)
server.crt (signed by root CA)
root.crt

stopped postgresql and started again

on client:

psql "dbname=me sslmode=require host=postgresql_host user=me"
psql: SSL error: sslv3 alert bad certificate

on server in logs:

postgres[29299]: [3-1] LOG: could not accept SSL connection: no certificate returned

where was I wrong? :(
Vitaliyi wrote:
> another error appeared:
>
> psql: SSL error: sslv3 alert bad certificate
>
> so I started from beginning:
> on CA:
> openssl genrsa -out our.key 2048
>
> creating self-signed certificate:
> openssl req -new -key our.key -out our.req
> openssl req -x509 -in our.req -text -key our.key -out root.crt

It does not cause an error, but omit -text.

> copied root.crt to client and postgres server
>
> on server:
> openssl genrsa -out server.key 2048

You forgot here:
openssl req -new -key server.key -out /tmp/server.req

> on CA:
> openssl x509 -req -in /tmp/server.req -CA ./root.crt -CAkey our.key
> -CAcreateserial -out server.crt
>
> on client:
> openssl genrsa -out postgresql.key 2048
> openssl req -new -key postgresql.key -out cl.req
>
> on CA:
> openssl x509 -req -in /tmp/cl.req -CA ./root.crt -CAkey our.key
> -CAcreateserial -out postgresql.crt
>
> files on client host:
> postgresql.crt (signed by CA, -- root.crt)
> postgresql.key (client private and public keys)

Did you make sure that postgresql.key has permissions 0600?

> root.crt
>
> files on postgresql server:
> server.key (priv and pub keys)

Did you make sure that server.key has permissions 0600?

> server.crt (signed by root CA)
> root.crt
>
> stopped postgresql and started again
>
> on client:
>
> psql "dbname=me sslmode=require host=postgresql_host user=me"
> psql: SSL error: sslv3 alert bad certificate

That means, I guess, that the client does not like its certificate files.

Check that they are ok, with something like

openssl x509 -noout -dates -issuer -subject -in root.crt
or
openssl x509 -noout -text -in root.crt

Same for root.crt.

Yours,
Laurenz Albe
> It does not cause an error, but omit -text.

done

> Did you make sure that postgresql.key has permissions 0600?

of course. otherwise it shows warning

>> files on postgresql server:
>> server.key (priv and pub keys)
>
> Did you make sure that server.key has permissions 0600?

yes

>> psql: SSL error: sslv3 alert bad certificate
>
> That means, I guess, that the client does not like its certificate files.
>
> Check that they are ok, with something like
>
> openssl x509 -noout -dates -issuer -subject -in root.crt
> or
> openssl x509 -noout -text -in root.crt
>
> Same for root.crt.

%openssl x509 -noout -dates -issuer -subject -in postgresql.crt
notBefore=May 16 13:55:49 2008 GMT
notAfter=Jun 15 13:55:49 2008 GMT
issuer= /C=UK/ST=Some-State/L=Kiev/O=0x2A/CN=80.93.122.34/emailAddress=support@0x2a-dc.com
subject= /C=UK/ST=Some-State/L=Kiev/O=Internet Widgits Pty Ltd/CN=localhost/emailAddress=imgrey@gmail.com

%openssl x509 -noout -dates -issuer -subject -in root.crt
notBefore=May 16 13:49:57 2008 GMT
notAfter=Jun 15 13:49:57 2008 GMT
issuer= /C=UK/ST=Some-State/L=Kiev/O=0x2A/CN=80.93.122.34/emailAddress=support@0x2a-dc.com
subject= /C=UK/ST=Some-State/L=Kiev/O=0x2A/CN=80.93.122.34/emailAddress=support@0x2a-dc.com

btw, the same:

psql: SSL error: sslv3 alert bad certificate

postgres[29563]: [3-1] LOG: could not accept SSL connection: no certificate returned
Vitaliyi wrote:
> %openssl x509 -noout -dates -issuer -subject -in postgresql.crt
>
> notBefore=May 16 13:55:49 2008 GMT
> notAfter=Jun 15 13:55:49 2008 GMT
> issuer= /C=UK/ST=Some-State/L=Kiev/O=0x2A/CN=80.93.122.34/emailAddress=support@0x2a-dc.com
> subject= /C=UK/ST=Some-State/L=Kiev/O=Internet Widgits Pty
> Ltd/CN=localhost/emailAddress=imgrey@gmail.com
>
> %openssl x509 -noout -dates -issuer -subject -in root.crt
> notBefore=May 16 13:49:57 2008 GMT
> notAfter=Jun 15 13:49:57 2008 GMT
> issuer= /C=UK/ST=Some-State/L=Kiev/O=0x2A/CN=80.93.122.34/emailAddress=support@0x2a-dc.com
> subject= /C=UK/ST=Some-State/L=Kiev/O=0x2A/CN=80.93.122.34/emailAddress=support@0x2a-dc.com
>
>
> btw, the same:
>
> psql: SSL error: sslv3 alert bad certificate
>
>
> postgres[29563]: [3-1] LOG: could not accept SSL connection: no
> certificate returned

Could you also check the key files with

openssl rsa -in postgresql.key
and
openssl rsa -in server.key

and server.crt as you did above?

If they are all ok, I don't know what could be causing the error.
All that is obvious from the error message is that the client side
complains that a certificate is not ok (don't know if client, server
or CA certificate).

One last straw: is it between May 16 and June 15 on both machines involved?

Yours,
Laurenz Albe
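The checks Laurenz asks for across his last two replies (key file permissions 0600, issuer and subject of the certificates, the key files themselves, and whether the clock is inside the validity window), as an added example that is not part of the thread: one function that runs them over a key/certificate pair in a directory laid out like ~/.postgresql or the server data directory, and also compares the modulus of the key with the modulus in the certificate, which is the quickest way to detect a key that does not belong to the certificate next to it. The function name is hypothetical; only the openssl and stat tools are assumed.

```shell
#!/bin/sh
# Added example, not code from the thread: pre-flight checks for the files
# libpq reads from ~/.postgresql (postgresql.key, postgresql.crt, root.crt) or
# that the server reads from its data directory (server.key, server.crt, root.crt).
# check_pair is a hypothetical name; the checks are the ones raised in the thread.

# file_mode FILE : octal permission bits (GNU stat, falling back to BSD stat)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_pair DIR NAME : prints one "check=ok|fail" token per check, e.g.
# check_pair ~/.postgresql postgresql
check_pair() {
    dir=$1; name=$2
    key="$dir/$name.key"; crt="$dir/$name.crt"; root="$dir/root.crt"

    # 1. the private key must be readable by its owner only (mode 0600)
    mode=$(file_mode "$key")
    case $mode in
        600|0600) perm=ok ;;
        *)        perm=fail ;;
    esac

    # 2. the certificate must verify against the root the peer trusts
    if openssl verify -CAfile "$root" "$crt" >/dev/null 2>&1; then chain=ok; else chain=fail; fi

    # 3. the key and the certificate must share the same RSA modulus,
    #    otherwise the certificate was issued for some other key
    kmod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null) || true
    cmod=$(openssl x509 -noout -modulus -in "$crt" 2>/dev/null) || true
    if [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]; then keymatch=ok; else keymatch=fail; fi

    # 4. the certificate must not have expired (checkend 0 asks: does it
    #    expire within the next 0 seconds?)
    if openssl x509 -noout -checkend 0 -in "$crt" >/dev/null 2>&1; then dates=ok; else dates=fail; fi

    # 5. the issuer of the leaf should be exactly the subject of root.crt;
    #    issuer == own subject would mean the leaf is self-signed
    iss=$(openssl x509 -noout -issuer  -in "$crt"  2>/dev/null | sed 's/^issuer= *//')
    sub=$(openssl x509 -noout -subject -in "$root" 2>/dev/null | sed 's/^subject= *//')
    if [ -n "$iss" ] && [ "$iss" = "$sub" ]; then issuer=ok; else issuer=fail; fi

    echo "perm=$perm chain=$chain keymatch=$keymatch dates=$dates issuer=$issuer"
}
```

Run it as "check_pair ~/.postgresql postgresql" on the client and "check_pair $PGDATA server" on the server; any "fail" token points at the file to fix before looking further at the TLS alert itself.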