Re: ssl database connection problems...

From: Carol Walter <walterc(at)indiana(dot)edu>
To:
Cc: pgsql-admin(at)postgresql(dot)org
Subject: Re: ssl database connection problems...
Date: 2008-12-31 14:19:12
Message-ID: 7231B567-C7EE-4897-B209-1C1E17CEC83F@indiana.edu
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-admin


On Dec 30, 2008, at 8:42 PM, Ray Stell wrote:

> On Tue, Dec 30, 2008 at 03:53:37PM -0500, Carol Walter wrote:
>>
>> OpenSSL is telling me that ssl is
>> not properly configured.
>
> how so?
>
Here's the output from s_client & s_server commands...

# openssl s_client
connect: Connection refused
connect:errno=146
# openssl s_server
Using default temp DH parameters
unable to get certificate from 'server.pem'
23374:error:02001002:system library:fopen:No such file or directory:/
on10/build-nd/G10U2B2/usr/src/common/openssl/crypto/bio/bss_file.c:
104:fopen('server.pem','r')
23374:error:2006D080:BIO routines:BIO_new_file:no such file:/on10/
build-nd/G10U2B2/usr/src/common/openssl/crypto/bio/bss_file.c:107:
23374:error:02001002:system library:fopen:No such file or directory:/
on10/build-nd/G10U2B2/usr/src/common/openssl/crypto/bio/bss_file.c:
276:fopen('server.pem','r')
23374:error:20074002:BIO routines:FILE_CTRL:system lib:/on10/build-nd/
G10U2B2/usr/src/common/openssl/crypto/bio/bss_file.c:278:
23374:error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system
lib:../../../../common/openssl/ssl/ssl_rsa.c:515:

>>> openssl verify -CAfile ./root.crt testcert.pem
>
I don't have a root.crt file. According to the postgres 8.3.5
documentation, the postgres should run without it. I'm not sure what
root.crt should contain at this point, and how it should be formatted.
"If the root.crt file is not present, client certificates will not
be requested or checked. In this mode, SSL provides encrypted
communication but not authentication."

# openssl verify -CAfile ./root.crt testcert.pem
Error loading file ./root.crt
27073:error:02001002:system library:fopen:No such file or directory:/
on10/build-nd/G10U2B2/usr/src/common/openssl/crypto/bio/bss_file.c:
104:fopen('./root.crt','r')
27073:error:2006D080:BIO routines:BIO_new_file:no such file:/on10/
build-nd/G10U2B2/usr/src/common/openssl/crypto/bio/bss_file.c:107:
27073:error:0B084002:x509 certificate
routines:X509_load_cert_crl_file:system lib:/on10/build-nd/G10U2B2/usr/
src/common/openssl/crypto/x509/by_file.c:274:
usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose
purpose] [-crl_check] [-engine e] cert1 cert2 ...
recognized usages:
sslclient SSL client
sslserver SSL server
nssslserver Netscape SSL server
smimesign S/MIME signing
smimeencrypt S/MIME encryption
crlsign CRL signing
any Any Purpose
ocsphelper OCSP helper

> can you verify the server crt against the CA?
>
> That is the starting place.
Here's the output I got from the command openssl ca...

# openssl ca
Using configuration from /etc/sfw/openssl/openssl.cnf
Error opening CA private key /etc/sfw/openssl/private/cakey.pem
28124:error:0E06D06C:configuration file routines:NCONF_get_string:no
value:/on10/build-nd/G10U2B2/usr/src/common/openssl/crypto/conf/
conf_lib.c:329:group=CA_default name=unique_subject
28124:error:02001002:system library:fopen:No such file or directory:/
on10/build-nd/G10U2B2/usr/src/common/openssl/crypto/bio/bss_file.c:
276:fopen('/etc/sfw/openssl/private/cakey.pem','r')
28124:error:20074002:BIO routines:FILE_CTRL:system lib:/on10/build-nd/
G10U2B2/usr/src/common/openssl/crypto/bio/bss_file.c:278:
unable to load CA private key

I have yet to find the command I ran yesterday that explicitly stated
that there was an error in configuration.

Best Regards,
Carol

In response to

Responses

Browse pgsql-admin by date

  From Date Subject
Next Message Ray Stell 2008-12-31 15:09:20 Re: ssl database connection problems...
Previous Message Guillaume Lelarge 2008-12-31 13:05:35 Re: Getting the value of a config parameter in runtime