Re: SSL root.crt not loading
From | Grzegorz Szpetkowski |
---|---|
Subject | Re: SSL root.crt not loading |
Date | |
Msg-id | BANLkTikL4a6Q0V5HOYpBvvSNyqJ40eG=hQ@mail.gmail.com |
In response to | Re: SSL root.crt not loading (Grzegorz Szpetkowski <gszpetkowski@gmail.com>) |
List | pgsql-novice |
Permissions are OK. I have working:

-rw-r--r-- 1 postgres postgres 615 2011-04-25 16:23 root.crt
-rw------- 1 postgres postgres 692 2011-04-25 17:20 server.crt
-rw------- 1 postgres postgres 887 2011-04-25 17:17 server.key

Try to put these files in data directory
(/var/lib/postgres/9.0/{clustername}), not config directory
(/etc/postgres/9.0/{clustername}). When cluster is created there is
automatically provided snakeoil server.key and server.crt in data
directory, but there is no root.crt provided. Probably you put your
certs in config directory.

2011/4/25 Grzegorz Szpetkowski <gszpetkowski@gmail.com>:
> You need to change permissions to get your postmaster working.
>
> "To start in SSL mode, the files server.crt and server.key must exist
> in the server's data directory. These files should contain the server
> certificate and private key, respectively. On Unix systems, the
> permissions on server.key must disallow any access to world or group;
> achieve this by the command chmod 0600 server.key. If the private key
> is protected with a passphrase, the server will prompt for the
> passphrase and will not start until it has been entered."
>
> 2011/4/25 Marc-André Laverdière <marc-andre@atc.tcs.com>:
>> Anyone???
>>
>> Marc-André Laverdière
>> Software Security Scientist
>> Innovation Labs, Tata Consultancy Services
>> Hyderabad, India
>>
>> On Monday 28 March 2011 10:23 AM, Marc-André Laverdière wrote:
>>> Hello everyone,
>>>
>>> I'm a postgres n00b and I'm trying to configure my installation to work
>>> with certificate authentication.
>>>
>>> It is not working for me, and it seems that the sysadmin community
>>> doesn't have any hints for me either :(
>>>
>>> I am reposting my question on ServerFault in hopes that a psql guru will
>>> read it (see
>>> http://serverfault.com/questions/248522/postgresql-ssl-root-crt-not-loading)
>>>
>>> I am running PostgreSQL 9 on Ubuntu (from their PPA repository). I am
>>> using OpenSSL 0.9.8o.
>>>
>>> I have generated keys and certificates using TinyCA2 for both a pg
>>> server and the psql client. I essentially followed the instructions.
>>>
>>> My pg_hba.conf file is configured with this:
>>> hostssl all abc ::1/128 cert clientcert=1
>>>
>>> I have put the root certificate generated by TinyCA along with the
>>> server's certificate and key in the DATA directory as follows.
>>>
>>> sudo unzip database_server.zip
>>> sudo mv sudo mv cacert.pem root.crt
>>> sudo mv cert.pem server.crt
>>> sudo openssl rsa -in key.pem -out server.key
>>> sudo chmod 0600 server.key
>>> sudo chmod ga=r root.crt
>>> sudo chown postgres:postgres root.crt server.key server.crt
>>>
>>> Yet I am unable to start the server. This is what I get on startup:
>>>
>>> $ sudo /etc/init.d/postgresql start 9.0
>>> * Starting PostgreSQL 9.0 database server
>>> * The PostgreSQL server failed to start. Please check the log output:
>>> 2011-03-17 16:39:13 IST LOG: client certificates can only be checked
>>> if a root certificate store is available
>>> 2011-03-17 16:39:13 IST HINT: Make sure the root.crt file is present
>>> and readable.
>>> 2011-03-17 16:39:13 IST CONTEXT: line 93 of configuration file
>>> "/etc/postgresql/9.0/main/pg_hba.conf"
>>> 2011-03-17 16:39:13 IST FATAL: could not load pg_hba.conf
>>>
>>> Interestingly, the root.crt file is very much present and readable:
>>>
>>> $ ll
>>> <snip>
>>> -rw-r--r-- 1 postgres postgres 143 2010-12-01 17:06 pg_ctl.conf
>>> -rw-r----- 1 postgres postgres 4.3K 2011-03-17 16:35 pg_hba.conf
>>> -rw-r----- 1 postgres postgres 1.7K 2011-03-17 15:58 pg_ident.conf
>>> -rw-r--r-- 1 postgres postgres 18K 2011-02-07 18:38 postgresql.conf
>>> -rw-r--r-- 1 postgres postgres 2.8K 2011-03-17 16:39 root.crt
>>> -rw------- 1 postgres postgres 2.2K 2011-03-17 14:37 server.crt
>>> -rw------- 1 postgres postgres 891 2011-03-17 16:18 server.key
>>> -rw------- 1 postgres postgres 963 2011-03-17 14:37 server.key.encrypted
>>>
>>> What is going on? What do I have to do for this certificate to load???
>>>
>>
>> --
>> Sent via pgsql-novice mailing list (pgsql-novice@postgresql.org)
>> To make changes to your subscription:
>> http://www.postgresql.org/mailpref/pgsql-novice
>>
>
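
The check this message describes (SSL files in the data directory rather than the config directory, and no group or world access on server.key), as an added shell example that is not part of the thread. The function name `check_pg_ssl_files` and its two directory arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from PostgreSQL.
# Usage (hypothetical variables): check_pg_ssl_files "$DATA_DIR" "$CONFIG_DIR"
# Run it as the OS user that owns the cluster so the readability test means
# the same thing it does for the server process.
# Prints one finding per line; the return status is the number of findings.
check_pg_ssl_files() {
    data_dir=$1
    config_dir=$2
    findings=0
    for f in root.crt server.crt server.key; do
        if [ -f "$data_dir/$f" ] && [ -r "$data_dir/$f" ]; then
            continue
        fi
        findings=$((findings + 1))
        if [ -f "$data_dir/$f" ]; then
            echo "UNREADABLE $f: present in data directory but not readable"
        elif [ -f "$config_dir/$f" ]; then
            # The situation diagnosed in the message above.
            echo "MISPLACED $f: found in config directory, not in data directory"
        else
            echo "MISSING $f: not in data or config directory"
        fi
    done
    if [ -f "$data_dir/server.key" ]; then
        # Characters 5-10 of the ls mode string are the group and world bits;
        # the documentation quoted above requires all of them to be clear.
        bits=$(ls -ld "$data_dir/server.key" | cut -c5-10)
        if [ "$bits" != "------" ]; then
            findings=$((findings + 1))
            echo "KEY_MODE server.key: group/world access allowed ($bits)"
        fi
    fi
    return "$findings"
}
```
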