I'm trying to set up SSL auth.
creating CA:
openssl genrsa -out our.key 2048
openssl req -new -key our.key -out our.req
openssl req -x509 -in our.req -text -key our.key -out root.crt
then I copy root.crt on postgresql host and to client host in ~/.postgresql
generating another key on server:
openssl genrsa -out server.key 2048
then request for signing to CA:
openssl req -new -key server.key -out server.req
signing on CA:
openssl req -x509 -in server.req -text -key our.key -out server.crt
now in postgresql data dir following files:
server.crt
server.key
root.crt
and blank root.crl
on client host:
cd ~/.postgresql
openssl genrsa -out postgresql.key 2048
then signing with our.key on CA and placing postgresql.crt, root.crt
to ~/.postgresql
This is my picture of what is happening:
1. we are using our CA public key to generate root.crt:
root_signature = ca_pub_key**ca_priv_key % n
2. on the postgres server, creating a key pair and signing the public key on the CA, receiving
server_signature (server.crt):
server_signature = server_pub_key**root_priv_key % n
The client uses server_signature before encrypting and sending a message to the server:
server_pub_key = server_signature**root_pub_key % n
if server_pub_key is valid then the user encrypts the message with server_pub_key.
3. The client generates his own key pair and asks our CA to sign his public key.
client_signature = client_pub_key**ca_priv_key % n
client_signature he writes to postgresql.crt, which the server uses when
sending something to the client:
client_pub_key = client_signature**root_pub_key % n
If everything is correct, then why is psql complaining:
psql "dbname=me sslmode=require host=postgres_server user=me"
psql: SSL error: certificate verify failed
log on postgres_server:
postgres[98462]: [3-1] LOG: could not accept SSL connection: tlsv1 alert unknown ca
P.S. postgres-8.2 on freebsd
postgresql-client-8.2 on debian
--
Sent via pgsql-general mailing list (pgsql-...@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
Vitaliyi wrote:
> > - Did you put the same thing in root.crt on both client and server?
>
> yes
>
> > - Does root.crt contain a self signed certificate?
>
> yes
>
> > - Does root.crt contain the certificate that was used to
> sign server.crt and postgresql.crt?
>
> yes
>
> > - Are there any SSL messages in the server log file
> immediately after server startup?
>
>
> LOG: SSL certificate revocation list file "root.crl" not found,
> skipping: no SSL error reported
> DETAIL: Certificates will not be checked against revocation list.
>
> don't know where it is looking for "root.crl", but it is in the directory
> with root.crt and server.key, server.crt
That should be harmless...
Let me reexamine your original mail:
> generating another key on server:
[...]
> signing on CA:
> openssl req -x509 -in server.req -text -key our.key -out server.crt
That's the problem, I think.
With this statement you generate a self signed certificate from server.req
(check with "openssl x509 -in server.crt -text -noout").
What you need is a certificate signed by root.crt.
You can do it like this:
openssl x509 -req -in server.req -CA root.crt -CAkey our.key -CAcreateserial -out server.crt
See if that gets rid of the message!
Yours,
Laurenz Albe
Removed root.crl. The same effect.
> Let me reexamine your original mail:
>
>> generating another key on server:
> [...]
>> signing on CA:
>> openssl req -x509 -in server.req -text -key our.key -out server.crt
>
> That's the problem, I think.
> With this statement you generate a self signed certificate from server.req
> (check with "openssl x509 -in server.crt -text -noout").
>
> What you need is a certificate signed by root.crt.
>
> You can do it like this:
>
> openssl x509 -req -in server.req -CA root.crt -CAkey our.key -CAcreateserial -out server.crt
>
> See if that gets rid of the message!
another error appeared:
psql: SSL error: sslv3 alert bad certificate
so I started from the beginning:
on CA:
openssl genrsa -out our.key 2048
creating self-signed certificate:
openssl req -new -key our.key -out our.req
openssl req -x509 -in our.req -text -key our.key -out root.crt
copied root.crt to client and postgres server
on server:
openssl genrsa -out server.key 2048
on CA:
openssl x509 -req -in /tmp/server.req -CA ./root.crt -CAkey our.key -CAcreateserial -out server.crt
on client:
openssl genrsa -out postgresql.key 2048
openssl req -new -key postgresql.key -out cl.req
on CA:
openssl x509 -req -in /tmp/cl.req -CA ./root.crt -CAkey our.key -CAcreateserial -out postgresql.crt
files on client host:
postgresql.crt (signed by CA, -- root.crt)
postgresql.key (client private and public keys)
root.crt
files on postgresql server:
server.key (priv and pub keys)
server.crt (signed by root CA)
root.crt
stopped postgresql and started again
on client:
psql "dbname=me sslmode=require host=postgresql_host user=me"
psql: SSL error: sslv3 alert bad certificate
on server in logs:
postgres[29299]: [3-1] LOG: could not accept SSL connection: no certificate returned
Where was I wrong? :(
It does not cause an error, but omit -text.
> copied root.crt to client and postgres server
>
> on server:
> openssl genrsa -out server.key 2048
You forgot here:
openssl req -new -key server.key -out /tmp/server.req
> on CA:
> openssl x509 -req -in /tmp/server.req -CA ./root.crt -CAkey our.key
> -CAcreateserial -out server.crt
>
> on client:
> openssl genrsa -out postgresql.key 2048
> openssl req -new -key postgresql.key -out cl.req
>
> on CA:
> openssl x509 -req -in /tmp/cl.req -CA ./root.crt -CAkey our.key
> -CAcreateserial -out postgresql.crt
>
> files on client host:
> postgresql.crt (signed by CA, -- root.crt)
> postgresql.key (client private and public keys)
Did you make sure that postgresql.key has permissions 0600?
> root.crt
>
> files on postgresql server:
> server.key (priv and pub keys)
Did you make sure that server.key has permissions 0600?
> server.crt (signed by root CA)
> root.crt
>
> stopped postgresql and started again
>
> on client:
>
> psql "dbname=me sslmode=require host=postgresql_host user=me"
> psql: SSL error: sslv3 alert bad certificate
That means, I guess, that the client does not like its certificate files.
Check that they are ok, with something like
openssl x509 -noout -dates -issuer -subject -in root.crt
or
openssl x509 -noout -text -in root.crt
Same for root.crt.
Yours,
Laurenz Albe
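The procedure Laurenz describes above, put together as one script: a private CA signs the server and client certificates with `openssl x509 -req -CA ... -CAkey ...`, the results are checked with `openssl verify` and with the issuer/subject comparison from his last mail, and the private keys are set to 0600. This is an added example, not code from this thread or from PostgreSQL; it keeps the thread's file names (our.key, root.crt, server.*, postgresql.*), while the certificate subjects, the 30-day validity and the scratch directory are assumptions. It also builds the self-signed certificate from the first mail to show why it does not chain to root.crt.

```shell
#!/bin/sh
# Added example, not code from the thread or from PostgreSQL: build a private
# CA, have it sign a server and a client certificate the way Laurenz suggests,
# and show why the "openssl req -x509" command from the first mail produces a
# certificate that does not chain to root.crt. File names follow the thread;
# the subjects, the 30-day validity and the scratch directory are assumptions.
set -eu

WORK=$(mktemp -d)   # scratch directory standing in for CA, server and ~/.postgresql
cd "$WORK"

# 1. CA: private key plus self-signed root certificate (as in the first mail, minus -text)
openssl genrsa -out our.key 2048 2>/dev/null
openssl req -new -key our.key -subj "/O=Example CA/CN=Example Root" -out our.req 2>/dev/null
openssl req -x509 -in our.req -key our.key -days 30 -out root.crt 2>/dev/null

# 2. Server: key, CSR (the step missing from the second attempt), CA-signed certificate
openssl genrsa -out server.key 2048 2>/dev/null
openssl req -new -key server.key -subj "/CN=postgresql_host" -out server.req 2>/dev/null
openssl x509 -req -in server.req -CA root.crt -CAkey our.key -CAcreateserial \
    -days 30 -out server.crt 2>/dev/null

# 3. Client: same steps, with the file names libpq looks for in ~/.postgresql
openssl genrsa -out postgresql.key 2048 2>/dev/null
openssl req -new -key postgresql.key -subj "/CN=me" -out cl.req 2>/dev/null
openssl x509 -req -in cl.req -CA root.crt -CAkey our.key -CAcreateserial \
    -days 30 -out postgresql.crt 2>/dev/null

# 4. The mistake from the first mail: "req -x509" with the CA key does not make
#    the CA sign server.req, it emits a self-signed certificate (issuer == subject).
openssl req -x509 -in server.req -key our.key -days 30 -out selfsigned.crt 2>/dev/null

# 5. Private keys must be 0600, or the server and libpq reject them
chmod 0600 our.key server.key postgresql.key

# chain_ok CERT: succeeds if CERT verifies against root.crt (what the TLS peer does)
chain_ok() {
    openssl verify -CAfile "$WORK/root.crt" "$WORK/$1" >/dev/null 2>&1
}

# issued_by_ca CERT: succeeds if CERT's issuer equals root.crt's subject; this is
# the "openssl x509 -noout -issuer -subject" check from the thread, automated
issued_by_ca() {
    issuer=$(openssl x509 -noout -issuer -in "$WORK/$1" | sed 's/^issuer= *//')
    ca_subject=$(openssl x509 -noout -subject -in "$WORK/root.crt" | sed 's/^subject= *//')
    [ "$issuer" = "$ca_subject" ]
}

# key_mode_ok KEY: succeeds if KEY is mode 0600 (GNU stat first, BSD stat as fallback)
key_mode_ok() {
    mode=$(stat -c %a "$WORK/$1" 2>/dev/null || stat -f %Lp "$WORK/$1")
    [ "$mode" = "600" ]
}

# Report: the two CA-signed certificates chain to root.crt, the self-signed one does not
for cert in server.crt postgresql.crt selfsigned.crt; do
    if chain_ok "$cert" && issued_by_ca "$cert"; then
        echo "$cert: issued by the CA and chains to root.crt"
    else
        echo "$cert: does NOT chain to root.crt ($(openssl x509 -noout -issuer -in "$WORK/$cert"))"
    fi
done
```

Run it with `sh` on any host that has openssl. The issuer line it prints for selfsigned.crt is what the "unknown ca" alert in the first mail was about: the client trusts root.crt, but the certificate it received names the server itself as issuer, so no trusted issuer can be found for it.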
done
> Did you make sure that postgresql.key has permissions 0600?
Of course. Otherwise it shows a warning.
>> files on postgresql server:
>> server.key (priv and pub keys)
>
> Did you make sure that server.key has permissions 0600?
yes
>> psql: SSL error: sslv3 alert bad certificate
>
> That means, I guess, that the client does not like its certificate files.
>
> Check that they are ok, with something like
>
> openssl x509 -noout -dates -issuer -subject -in root.crt
> or
> openssl x509 -noout -text -in root.crt
>
> Same for root.crt.
%openssl x509 -noout -dates -issuer -subject -in postgresql.crt
notBefore=May 16 13:55:49 2008 GMT
notAfter=Jun 15 13:55:49 2008 GMT
issuer= /C=UK/ST=Some-State/L=Kiev/O=0x2A/CN=80.93.122.34/emailAddress=sup...@0x2a-dc.com
subject= /C=UK/ST=Some-State/L=Kiev/O=Internet Widgits Pty Ltd/CN=localhost/emailAddress=img...@gmail.com
%openssl x509 -noout -dates -issuer -subject -in root.crt
notBefore=May 16 13:49:57 2008 GMT
notAfter=Jun 15 13:49:57 2008 GMT
issuer= /C=UK/ST=Some-State/L=Kiev/O=0x2A/CN=80.93.122.34/emailAddress=sup...@0x2a-dc.com
subject= /C=UK/ST=Some-State/L=Kiev/O=0x2A/CN=80.93.122.34/emailAddress=sup...@0x2a-dc.com
btw, the same:
psql: SSL error: sslv3 alert bad certificate
postgres[29563]: [3-1] LOG: could not accept SSL connection: no certificate returned