Can't get SSL to work for Postgresql


Taylor Grayson

Dec 4, 2019, 5:08:07 PM
to Google Cloud SQL discuss
I downloaded the server & client certificates, but they don't verify using openssl:

openssl verify -verbose -issuer_checks -CAfile /etc/database/certificates/server-ca.pem -purpose sslclient /etc/database/certificates/client-cert.pem

It fails with the message:

CN = Test, O = "Google, Inc", C = US
error 20 at 0 depth lookup: unable to get local issuer certificate
error /etc/database/certificates/client-cert.pem: verification failed

Also, when plugging the file paths into DbVisualizer, I get this error:

Long Message:
FATAL: connection requires a valid client certificate

Details:
   Type: org.postgresql.util.PSQLException
   SQL State: 28000


My understanding is that the issuer of the client should match the subject of the server, but using the following commands suggests that they don't:

openssl x509 -in /etc/database/certificates//client-cert.pem -noout -issuer
openssl x509 -noout -subject -in /etc/database/certificates/server-ca.pem

issuer=dnQualifier = 319a6a2b-0750-41d3-9b05-16cdf8b121cf, CN = Google Cloud SQL Client CA Test, O = "Google, Inc", C = US
subject=dnQualifier = 41ff6064-07be-43c1-9e00-94a9de7cc5c1, CN = Google Cloud SQL Server CA, O = "Google, Inc", C = US



Any suggestions on how to debug appreciated.
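
The issuer and subject lines printed in the post name two different CAs ("Google Cloud SQL Client CA Test" and "Google Cloud SQL Server CA"). The script below is an added example, not part of the original post or of any Google tooling: it reproduces that layout offline and shows which CA file a client certificate verifies against, plus a check that the client key belongs to the certificate. The CA names, the temp directory and the helper functions are constructed for illustration; only the client-cert.pem and client-key.pem file names mirror the download.

```sh
# Added example: every CA, name and file here is constructed in a temp dir.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME CN: self-signed CA (stand-in for a server or client CA).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_client CA_NAME: client key plus a certificate signed by that CA.
issue_client() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Test" \
        -keyout "$WORK/client-key.pem" -out "$WORK/client.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/client.csr" -days 1 -CA "$WORK/$1.pem" \
        -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/client-cert.pem" 2>/dev/null
}

# chains_to CA_FILE CERT: succeeds only if CERT verifies against CA_FILE.
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# issuer_is_subject CA_FILE CERT: CERT's issuer DN equals CA_FILE's subject DN.
issuer_is_subject() {
    i=$(openssl x509 -in "$2" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
    s=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    [ "$i" = "$s" ]
}

# key_matches CERT KEY: the private key and the certificate share a public key.
key_matches() {
    a=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$a" = "$b" ]
}

make_ca server-ca "Example Server CA"
make_ca client-ca "Example Client CA"
issue_client client-ca
for ca in server-ca client-ca; do
    if chains_to "$WORK/$ca.pem" "$WORK/client-cert.pem"; then
        echo "$ca: client-cert.pem verifies"
    else
        echo "$ca: client-cert.pem does not verify"
    fi
done
key_matches "$WORK/client-cert.pem" "$WORK/client-key.pem" && echo "key matches certificate"
```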

Elliott (Google Cloud Platform Support)

Dec 4, 2019, 6:42:32 PM
to Google Cloud SQL discuss
Hello Taylor,

To provide you with the best answer, can you provide the documentation you used to download the server and client certificates? Are you using Cloud SQL or did you install database software on a Compute Virtual machine?

Taylor Grayson

Dec 4, 2019, 7:19:37 PM
to Google Cloud SQL discuss
Thanks for your reply, Elliott. This group is for "Cloud SQL", so I didn't provide that information, but you are wise to ask. I am using Google Cloud SQL and downloaded all the certificates/keys from the "Connections" tab on the SQL dashboard.

Elliott (Google Cloud Platform Support)

Dec 5, 2019, 4:36:57 PM
to Google Cloud SQL discuss
Hello Taylor,

Please note that Google Groups are reserved for general Google Cloud Platform and product discussions and not for reporting issues, which is why I suggest moving the troubleshooting to Issue Tracker, where issues can be turned private in case we need to gather any project-specific details.
