Re: SSL root.crt not loading

From: Grzegorz Szpetkowski <gszpetkowski(at)gmail(dot)com>
To: Marc-André Laverdière <marc-andre(at)atc(dot)tcs(dot)com>
Cc: pgsql-novice(at)postgresql(dot)org
Subject: Re: SSL root.crt not loading
Date: 2011-04-25 14:37:03
Message-ID: BANLkTi=vTn4aNxbmZ855YumotY7E4jpZLg@mail.gmail.com
Lists: pgsql-novice

You need to change permissions to get your postmaster working.

"To start in SSL mode, the files server.crt and server.key must exist
in the server's data directory. These files should contain the server
certificate and private key, respectively. On Unix systems, the
permissions on server.key must disallow any access to world or group;
achieve this by the command chmod 0600 server.key. If the private key
is protected with a passphrase, the server will prompt for the
passphrase and will not start until it has been entered."

2011/4/25 Marc-André Laverdière <marc-andre(at)atc(dot)tcs(dot)com>:
> Anyone???
>
> Marc-André Laverdière
> Software Security Scientist
> Innovation Labs, Tata Consultancy Services
> Hyderabad, India
>
> On Monday 28 March 2011 10:23 AM, Marc-André Laverdière wrote:
>> Hello everyone,
>>
>> I'm a postgres n00b and I'm trying to configure my installation to work
>> with certificate authentication.
>>
>> It is not working for me, and it seems that the sysadmin community
>> doesn't have any hints for me either :(
>>
>> I am reposting my question on ServerFault in hopes that a psql guru will
>> read it (see
>> http://serverfault.com/questions/248522/postgresql-ssl-root-crt-not-loading)
>>
>> I am running PostgreSQL 9 on Ubuntu (from their PPA repository). I am
>> using OpenSSL 0.9.8o.
>>
>> I have generated keys and certificates using TinyCA2 for both a pg
>> server and the psql client. I essentially followed the instructions.
>>
>> My pg_hba.conf file is configured with this:
>> hostssl all    abc      ::1/128          cert        clientcert=1
>>
>> I have put the root certificate generated by TinyCA along with the
>> server's certificate and key in the DATA directory as follows.
>>
>> sudo unzip database_server.zip
>> sudo mv cacert.pem root.crt
>> sudo mv cert.pem server.crt
>> sudo openssl rsa -in key.pem -out server.key
>> sudo chmod 0600 server.key
>> sudo chmod ga=r root.crt
>> sudo chown postgres:postgres root.crt server.key server.crt
>>
>> Yet I am unable to start the server. This is what I get on startup:
>>
>> $ sudo /etc/init.d/postgresql start 9.0
>> * Starting PostgreSQL 9.0 database server
>> * The PostgreSQL server failed to start. Please check the log output:
>>   2011-03-17 16:39:13 IST LOG:  client certificates can only be checked
>> if a root certificate store is available
>>   2011-03-17 16:39:13 IST HINT:  Make sure the root.crt file is present
>> and readable.
>>   2011-03-17 16:39:13 IST CONTEXT:  line 93 of configuration file
>> "/etc/postgresql/9.0/main/pg_hba.conf"
>>   2011-03-17 16:39:13 IST FATAL:  could not load pg_hba.conf
>>
>> Interestingly, the root.crt file is very much present and readable:
>>
>> $ ll
>> <snip>
>> -rw-r--r-- 1 postgres postgres  143 2010-12-01 17:06 pg_ctl.conf
>> -rw-r----- 1 postgres postgres 4.3K 2011-03-17 16:35 pg_hba.conf
>> -rw-r----- 1 postgres postgres 1.7K 2011-03-17 15:58 pg_ident.conf
>> -rw-r--r-- 1 postgres postgres  18K 2011-02-07 18:38 postgresql.conf
>> -rw-r--r-- 1 postgres postgres 2.8K 2011-03-17 16:39 root.crt
>> -rw------- 1 postgres postgres 2.2K 2011-03-17 14:37 server.crt
>> -rw------- 1 postgres postgres  891 2011-03-17 16:18 server.key
>> -rw------- 1 postgres postgres 963 2011-03-17 14:37 server.key.encrypted
>>
>> What is going on? What do I have to do for this certificate to load???
>>
>
> --
> Sent via pgsql-novice mailing list (pgsql-novice(at)postgresql(dot)org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-novice
>
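
The presence and permission requirements from the documentation paragraph quoted in the reply, written as a pre-start check (an added example, not part of the original thread and not PostgreSQL's own tooling). The function name and its arguments are assumptions; pass the server's data directory, since that is where the quoted text says the files must exist, and run it as the postgres user so the readability test is meaningful.

```shell
#!/bin/sh
# Added example: check the SSL files in a PostgreSQL data directory before start.
# $1 = data directory (caller supplies it; this script does not discover it)
# $2 = "yes" if pg_hba.conf requests client certificates (clientcert=1 / cert)
# Prints one line per finding; returns 0 when every check passes, 1 otherwise.
check_pg_ssl_files() {
    dir=$1
    need_root=${2:-no}
    rc=0

    # server.crt and server.key must both exist in the data directory.
    for f in server.crt server.key; do
        if [ ! -f "$dir/$f" ]; then
            echo "MISSING    $dir/$f"
            rc=1
        fi
    done

    if [ -f "$dir/server.key" ]; then
        # Characters 5-10 of the ls mode string are the group and world bits;
        # the key must grant none of them (what chmod 0600 achieves).
        bits=$(ls -ldL -- "$dir/server.key" | cut -c5-10)
        if [ "$bits" != "------" ]; then
            echo "PERMS      $dir/server.key group/world bits are '$bits'; chmod 0600"
            rc=1
        fi
        # PEM keys protected by a passphrase carry an ENCRYPTED marker; the
        # server will prompt for the passphrase and wait until it is entered.
        if grep -q 'ENCRYPTED' "$dir/server.key" 2>/dev/null; then
            echo "NOTE       $dir/server.key is passphrase-protected"
        fi
    fi

    # root.crt only matters when client certificates are checked.
    if [ "$need_root" = yes ]; then
        if [ ! -f "$dir/root.crt" ]; then
            echo "MISSING    $dir/root.crt"
            rc=1
        elif [ ! -r "$dir/root.crt" ]; then
            echo "UNREADABLE $dir/root.crt"
            rc=1
        fi
    fi
    return $rc
}
```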
