Re: SSL root.crt not loading
From | Grzegorz Szpetkowski |
---|---|
Subject | Re: SSL root.crt not loading |
Date | |
Msg-id | BANLkTik+nkffwjq4q8X1GYJ+bV2ZcSaFxw@mail.gmail.com |
In response to | Re: SSL root.crt not loading (Tom Lane <tgl@sss.pgh.pa.us>) |
List | pgsql-novice |
I think that ssl mode is enabled by default in the Ubuntu package and there are snakeoil certs provided in the data directory (var/lib/postgresql/9.0/main):

lrwxrwxrwx 1 root root 36 2011-04-25 16:34 server.crt -> /etc/ssl/certs/ssl-cert-snakeoil.pem
lrwxrwxrwx 1 root root 38 2011-04-25 16:34 server.key -> /etc/ssl/private/ssl-cert-snakeoil.key

Since there is no root.crt in the data directory, postmaster fails to start. I think that PostgreSQL can't "see" certs in the config directory (/etc/postgresql/9.0/main).

In the Ubuntu package there is a config directory and a data directory, so I think that OP should put the certs in the data dir, not the config dir:

Regards,
Greg Szpetkowski

2011/4/25 Tom Lane <tgl@sss.pgh.pa.us>:
> Marc-André Laverdière <marc-andre@atc.tcs.com> writes:
>>> My pg_hba.conf file is configured with this:
>>> hostssl all abc ::1/128 cert clientcert=1
>
>>> Yet I am unable to start the server. This is what I get on startup:
>
>>> $ sudo /etc/init.d/postgresql start 9.0
>>> * Starting PostgreSQL 9.0 database server
>>> * The PostgreSQL server failed to start. Please check the log output:
>>> 2011-03-17 16:39:13 IST LOG: client certificates can only be checked
>>> if a root certificate store is available
>>> 2011-03-17 16:39:13 IST HINT: Make sure the root.crt file is present
>>> and readable.
>>> 2011-03-17 16:39:13 IST CONTEXT: line 93 of configuration file
>>> "/etc/postgresql/9.0/main/pg_hba.conf"
>>> 2011-03-17 16:39:13 IST FATAL: could not load pg_hba.conf
>
> Hmm, did you remember to set ssl = on in postgresql.conf? While
> experimenting I accidentally found out it will react like this if
> it finds clientcert=1 in pg_hba.conf but SSL wasn't enabled in
> postgresql.conf. Needless to say, that's not a very friendly error
> response --- will see about improving it.
>
> regards, tom lane
>
> --
> Sent via pgsql-novice mailing list (pgsql-novice@postgresql.org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-novice
>
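The two causes raised in this message and in the quoted reply (ssl not enabled, root.crt not where the server looks) can be checked before restarting. This is an added example, not code from the thread or from PostgreSQL: the function names are hypothetical, the sample files are constructed, and the root.crt location follows the data-directory statement in the message above.

```shell
#!/bin/sh
# Added example, not from the thread. Preflight for the failure quoted above:
# a clientcert=1 rule needs ssl enabled and a root.crt the server can read.

# check_clientcert_prereqs CONF_DIR DATA_DIR   (hypothetical helper)
# returns 0 = consistent, 1 = ssl not enabled, 2 = root.crt missing or empty
check_clientcert_prereqs() {
    conf_dir=$1
    data_dir=$2
    # Strip comments, then look for an active clientcert=1 rule.
    if ! sed 's/#.*//' "$conf_dir/pg_hba.conf" | grep -q 'clientcert=1'; then
        echo "ok: pg_hba.conf has no clientcert=1 rule"
        return 0
    fi
    # The last ssl setting in postgresql.conf wins; the "=" is optional.
    ssl_line=$(sed 's/#.*//' "$conf_dir/postgresql.conf" |
        grep -Ei '^[[:space:]]*ssl[[:space:]=]' | tail -n 1)
    case $(printf '%s' "$ssl_line" | tr -d " \t'=" | tr 'A-Z' 'a-z') in
        sslon|ssltrue|sslyes|ssl1) ;;
        *) echo "FAIL: clientcert=1 is set but ssl is not on in postgresql.conf"
           return 1 ;;
    esac
    # Location per the message above: root.crt sits in the data directory.
    if [ ! -s "$data_dir/root.crt" ] || [ ! -r "$data_dir/root.crt" ]; then
        echo "FAIL: $data_dir/root.crt is missing, empty or unreadable"
        return 2
    fi
    echo "ok: ssl is on and $data_dir/root.crt is present"
}

# Constructed sample layout: separate config and data directories, with the
# pg_hba.conf rule from the thread and ssl left off.
make_sample_layout() {
    mkdir -p "$1/etc" "$1/data"
    printf '%s\n' '# constructed sample' \
        'hostssl all abc ::1/128 cert clientcert=1' > "$1/etc/pg_hba.conf"
    printf '%s\n' '#ssl = on' 'ssl = off' > "$1/etc/postgresql.conf"
}

# Demo run on the constructed layout.
tmp=$(mktemp -d)
make_sample_layout "$tmp"
check_clientcert_prereqs "$tmp/etc" "$tmp/data" || echo "exit status: $?"
rm -rf "$tmp"
```

Run as the account the server runs under, so the readability test reflects what postmaster can actually open.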