Re: SSL auth problem

From: "Albe Laurenz" <laurenz(dot)albe(at)wien(dot)gv(dot)at>
To: "Vitaliyi *EXTERN*" <imgrey(at)gmail(dot)com>
Cc: <pgsql-general(at)postgresql(dot)org>
Subject: Re: SSL auth problem
Date: 2008-05-16 13:38:07
Message-ID: D960CB61B694CF459DCFB4B0128514C2021DDD03@exadv11.host.magwien.gv.at
Lists: pgsql-general

Vitaliyi wrote:
> another error appeared:
>
> psql: SSL error: sslv3 alert bad certificate
>
> so I started from beginning:
> on CA:
> openssl genrsa -out our.key 2048
>
> creating self-signed certificate:
> openssl req -new -key our.key -out our.req
> openssl req -x509 -in our.req -text -key our.key -out root.crt

It does not cause an error, but omit -text.

> copied root.crt to client and postgres server
>
> on server:
> openssl genrsa -out server.key 2048

You forgot here:
openssl req -new -key server.key -out /tmp/server.req

> on CA:
> openssl x509 -req -in /tmp/server.req -CA ./root.crt -CAkey our.key
> -CAcreateserial -out server.crt
>
> on client:
> openssl genrsa -out postgresql.key 2048
> openssl req -new -key postgresql.key -out cl.req
>
> on CA:
> openssl x509 -req -in /tmp/cl.req -CA ./root.crt -CAkey our.key
> -CAcreateserial -out postgresql.crt
>
> files on client host:
> postgresql.crt (signed by CA, -- root.crt)
> postgresql.key (client private and public keys)

Did you make sure that postgresql.key has permissions 0600?

> root.crt
>
> files on postgresql server:
> server.key (priv and pub keys)

Did you make sure that server.key has permissions 0600?

> server.crt (signed by root CA)
> root.crt
>
> stopped postgresql and started again
>
> on client:
>
> psql "dbname=me sslmode=require host=postgresql_host user=me"
> psql: SSL error: sslv3 alert bad certificate

That means, I guess, that the client does not like its certificate files.

Check that they are ok, with something like

openssl x509 -noout -dates -issuer -subject -in root.crt
or
openssl x509 -noout -text -in root.crt

Same for root.crt.

Yours,
Laurenz Albe
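
The checks suggested in the reply above (key permissions 0600, inspecting dates, issuer and subject), collected into one script as an added example that is not part of the original message. It goes one step further than the thread by also running `openssl verify` against root.crt and comparing the public key in the certificate with the one in the key file; `make_demo_pki` and `check_pg_ssl_pair` are hypothetical helper names, and the demo subjects are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Build a throwaway CA plus server and client files in directory $1, following
# the thread's steps non-interactively. Subjects are constructed sample values
# that reuse the host and user names from the thread's psql command line.
make_demo_pki() (
    cd "$1" || exit 1
    openssl genrsa -out our.key 2048 2>/dev/null
    openssl req -new -x509 -key our.key -subj "/CN=Demo Root CA" -days 30 -out root.crt
    for pair in server=postgresql_host postgresql=me; do
        name=${pair%%=*} cn=${pair#*=}
        openssl genrsa -out "$name.key" 2048 2>/dev/null
        chmod 600 "$name.key"
        openssl req -new -key "$name.key" -subj "/CN=$cn" -out "$name.req"
        openssl x509 -req -in "$name.req" -CA root.crt -CAkey our.key \
            -CAcreateserial -days 30 -out "$name.crt" 2>/dev/null
    done
)

# check_pg_ssl_pair <root.crt> <cert> <key>
# Returns 0 only if the key is mode 0600, the certificate verifies against
# the root, and the certificate and key carry the same public key.
check_pg_ssl_pair() (
    ca=$1 crt=$2 key=$3 rc=0
    perms=$(ls -ld "$key" | cut -c1-10)
    [ "$perms" = "-rw-------" ] || { echo "FAIL: $key is $perms, want 0600"; rc=1; }
    openssl verify -CAfile "$ca" "$crt" 2>/dev/null | grep -q ': OK$' ||
        { echo "FAIL: $crt does not verify against $ca"; rc=1; }
    crt_pub=$(openssl x509 -noout -pubkey -in "$crt")
    key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ] ||
        { echo "FAIL: $key does not belong to $crt"; rc=1; }
    # The details the reply suggests looking at by hand.
    openssl x509 -noout -dates -issuer -subject -in "$crt"
    return "$rc"
)

# Typical use on the client:
#   check_pg_ssl_pair root.crt postgresql.crt postgresql.key
# and on the server:
#   check_pg_ssl_pair root.crt server.crt server.key
```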
