Re: SSL root.crt not loading

From: Marc-André Laverdière <marc-andre(at)atc(dot)tcs(dot)com>
To: pgsql-novice(at)postgresql(dot)org
Subject: Re: SSL root.crt not loading
Date: 2011-04-25 13:36:31
Message-ID: 4DB578DF.5060707@atc.tcs.com
Lists: pgsql-novice
Anyone???

Marc-André Laverdière
Software Security Scientist
Innovation Labs, Tata Consultancy Services
Hyderabad, India

On Monday 28 March 2011 10:23 AM, Marc-André Laverdière wrote:
> Hello everyone,
> 
> I'm a postgres n00b and I'm trying to configure my installation to work
> with certificate authentication.
> 
> It is not working for me, and it seems that the sysadmin community
> doesn't have any hints for me either :(
> 
> I am reposting my question on ServerFault in hopes that a psql guru will
> read it (see
> http://serverfault.com/questions/248522/postgresql-ssl-root-crt-not-loading)
> 
> I am running PostgreSQL 9 on Ubuntu (from their PPA repository). I am
> using OpenSSL 0.9.8o.
> 
> I have generated keys and certificates using TinyCA2 for both a pg
> server and the psql client. I essentially followed the instructions.
> 
> My pg_hba.conf file is configured with this:
> hostssl all    abc      ::1/128          cert        clientcert=1
> 
> I have put the root certificate generated by TinyCA along with the
> server's certificate and key in the DATA directory as follows.
> 
> sudo unzip database_server.zip
> sudo mv cacert.pem root.crt
> sudo mv cert.pem server.crt
> sudo openssl rsa -in key.pem -out server.key
> sudo chmod 0600 server.key
> sudo chmod ga=r root.crt
> sudo chown postgres:postgres root.crt server.key server.crt
> 
> Yet I am unable to start the server. This is what I get on startup:
> 
> $ sudo /etc/init.d/postgresql start 9.0
> * Starting PostgreSQL 9.0 database server
> * The PostgreSQL server failed to start. Please check the log output:
>   2011-03-17 16:39:13 IST LOG:  client certificates can only be checked
> if a root certificate store is available
>   2011-03-17 16:39:13 IST HINT:  Make sure the root.crt file is present
> and readable.
>   2011-03-17 16:39:13 IST CONTEXT:  line 93 of configuration file
> "/etc/postgresql/9.0/main/pg_hba.conf"
>   2011-03-17 16:39:13 IST FATAL:  could not load pg_hba.conf
> 
> Interestingly, the root.crt file is very much present and readable:
> 
> $ ll
> <snip>
> -rw-r--r-- 1 postgres postgres  143 2010-12-01 17:06 pg_ctl.conf
> -rw-r----- 1 postgres postgres 4.3K 2011-03-17 16:35 pg_hba.conf
> -rw-r----- 1 postgres postgres 1.7K 2011-03-17 15:58 pg_ident.conf
> -rw-r--r-- 1 postgres postgres  18K 2011-02-07 18:38 postgresql.conf
> -rw-r--r-- 1 postgres postgres 2.8K 2011-03-17 16:39 root.crt
> -rw------- 1 postgres postgres 2.2K 2011-03-17 14:37 server.crt
> -rw------- 1 postgres postgres  891 2011-03-17 16:18 server.key
> -rw------- 1 postgres postgres 963 2011-03-17 14:37 server.key.encrypted
> 
> What is going on? What do I have to do for this certificate to load???
> 
