
Re: ssl database connection problems...

From: Carol Walter <walterc(at)indiana(dot)edu>
Cc: pgsql-admin(at)postgresql(dot)org
Subject: Re: ssl database connection problems...
Date: 2008-12-31 14:19:12
Message-ID: 7231B567-C7EE-4897-B209-1C1E17CEC83F@indiana.edu
Lists: pgsql-admin

On Dec 30, 2008, at 8:42 PM, Ray Stell wrote:

> On Tue, Dec 30, 2008 at 03:53:37PM -0500, Carol Walter wrote:
>>
>> OpenSSL is telling me that ssl is
>> not properly configured.
>
> how so?
>
Here's the output from s_client & s_server commands...

# openssl s_client
connect: Connection refused
connect:errno=146
# openssl s_server
Using default temp DH parameters
unable to get certificate from 'server.pem'
23374:error:02001002:system library:fopen:No such file or directory:/on10/build-nd/G10U2B2/usr/src/common/openssl/crypto/bio/bss_file.c:104:fopen('server.pem','r')
23374:error:2006D080:BIO routines:BIO_new_file:no such file:/on10/build-nd/G10U2B2/usr/src/common/openssl/crypto/bio/bss_file.c:107:
23374:error:02001002:system library:fopen:No such file or directory:/on10/build-nd/G10U2B2/usr/src/common/openssl/crypto/bio/bss_file.c:276:fopen('server.pem','r')
23374:error:20074002:BIO routines:FILE_CTRL:system lib:/on10/build-nd/G10U2B2/usr/src/common/openssl/crypto/bio/bss_file.c:278:
23374:error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib:../../../../common/openssl/ssl/ssl_rsa.c:515:

>>> openssl  verify -CAfile ./root.crt testcert.pem
>
I don't have a root.crt file.  According to the postgres 8.3.5 documentation, postgres should run without it.  I'm not sure what root.crt should contain at this point, or how it should be formatted.
  "If the root.crt file is not present, client certificates will not be requested or checked. In this mode, SSL provides encrypted communication but not authentication."

# openssl  verify -CAfile ./root.crt testcert.pem
Error loading file ./root.crt
27073:error:02001002:system library:fopen:No such file or directory:/on10/build-nd/G10U2B2/usr/src/common/openssl/crypto/bio/bss_file.c:104:fopen('./root.crt','r')
27073:error:2006D080:BIO routines:BIO_new_file:no such file:/on10/build-nd/G10U2B2/usr/src/common/openssl/crypto/bio/bss_file.c:107:
27073:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:/on10/build-nd/G10U2B2/usr/src/common/openssl/crypto/x509/by_file.c:274:
usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-engine e] cert1 cert2 ...
recognized usages:
         sslclient       SSL client
         sslserver       SSL server
         nssslserver     Netscape SSL server
         smimesign       S/MIME signing
         smimeencrypt    S/MIME encryption
         crlsign         CRL signing
         any             Any Purpose
         ocsphelper      OCSP helper


> can you verify the server crt against the CA?
>
> That is the starting place.
Here's the output I got from the command openssl ca...

# openssl ca
Using configuration from /etc/sfw/openssl/openssl.cnf
Error opening CA private key /etc/sfw/openssl/private/cakey.pem
28124:error:0E06D06C:configuration file routines:NCONF_get_string:no value:/on10/build-nd/G10U2B2/usr/src/common/openssl/crypto/conf/conf_lib.c:329:group=CA_default name=unique_subject
28124:error:02001002:system library:fopen:No such file or directory:/on10/build-nd/G10U2B2/usr/src/common/openssl/crypto/bio/bss_file.c:276:fopen('/etc/sfw/openssl/private/cakey.pem','r')
28124:error:20074002:BIO routines:FILE_CTRL:system lib:/on10/build-nd/G10U2B2/usr/src/common/openssl/crypto/bio/bss_file.c:278:
unable to load CA private key

I have yet to find the command I ran yesterday that explicitly stated that there was an error in configuration.

Best Regards,
Carol
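An added example, not from this thread or from PostgreSQL: a small POSIX shell checker for the three files a PostgreSQL 8.3 server reads from its data directory (server.crt, server.key and the optional root.crt). It runs the `openssl verify` against the CA that Ray asked for, and reports the encryption-only mode the quoted documentation describes when root.crt is absent. The function name, messages and the data-directory argument are assumptions.

```sh
#!/bin/sh
# Hypothetical checker: validates the SSL files in a PostgreSQL data dir.
#   server.crt / server.key  required when ssl = on
#   root.crt                 optional; when present, client certificates
#                            are requested and verified against it
# Usage: check_pg_ssl /path/to/pgdata   (exit status 0 = all checks passed)
check_pg_ssl() {
    dir=$1
    rc=0
    for f in server.crt server.key; do
        if [ ! -f "$dir/$f" ]; then
            echo "MISSING: $dir/$f (required when ssl = on)"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return "$rc"

    # PostgreSQL refuses a server.key that is group- or world-readable.
    # (stat -c is GNU, stat -f %Lp is the BSD/macOS fallback.)
    perms=$(stat -c %a "$dir/server.key" 2>/dev/null || stat -f %Lp "$dir/server.key")
    case "$perms" in
        600|400) ;;
        *) echo "BAD PERMS: server.key is $perms, expected 0600"; rc=1 ;;
    esac

    # server.crt must parse as a PEM certificate and must not have expired.
    if ! openssl x509 -noout -in "$dir/server.crt" >/dev/null 2>&1; then
        echo "INVALID: server.crt is not a PEM certificate"; rc=1
    elif ! openssl x509 -noout -checkend 0 -in "$dir/server.crt" >/dev/null 2>&1; then
        echo "EXPIRED: server.crt"; rc=1
    fi

    # Client-certificate authentication only happens when root.crt exists;
    # in that case the server certificate should chain to it too.
    if [ -f "$dir/root.crt" ]; then
        if openssl verify -CAfile "$dir/root.crt" "$dir/server.crt" >/dev/null 2>&1; then
            echo "OK: server.crt verifies against root.crt (client certs will be checked)"
        else
            echo "FAIL: server.crt does not verify against root.crt"; rc=1
        fi
    else
        echo "NOTE: no root.crt: encrypted connections, no client certificate authentication"
    fi
    return "$rc"
}
```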
