Discussion: SSL root.crt not loading
Hello everyone,

I'm a postgres n00b and I'm trying to configure my installation to work with certificate authentication.

It is not working for me, and it seems that the sysadmin community doesn't have any hints for me either :(

I am reposting my question on ServerFault in hopes that a psql guru will read it (see http://serverfault.com/questions/248522/postgresql-ssl-root-crt-not-loading)

I am running PostgreSQL 9 on Ubuntu (from their PPA repository). I am using OpenSSL 0.9.8o.

I have generated keys and certificates using TinyCA2 for both a pg server and the psql client. I essentially followed the instructions.

My pg_hba.conf file is configured with this:

    hostssl all abc ::1/128 cert clientcert=1

I have put the root certificate generated by TinyCA along with the server's certificate and key in the DATA directory as follows.

    sudo unzip database_server.zip
    sudo mv cacert.pem root.crt
    sudo mv cert.pem server.crt
    sudo openssl rsa -in key.pem -out server.key
    sudo chmod 0600 server.key
    sudo chmod ga=r root.crt
    sudo chown postgres:postgres root.crt server.key server.crt

Yet I am unable to start the server. This is what I get on startup:

    $ sudo /etc/init.d/postgresql start 9.0
     * Starting PostgreSQL 9.0 database server
     * The PostgreSQL server failed to start. Please check the log output:
    2011-03-17 16:39:13 IST LOG:  client certificates can only be checked if a root certificate store is available
    2011-03-17 16:39:13 IST HINT:  Make sure the root.crt file is present and readable.
    2011-03-17 16:39:13 IST CONTEXT:  line 93 of configuration file "/etc/postgresql/9.0/main/pg_hba.conf"
    2011-03-17 16:39:13 IST FATAL:  could not load pg_hba.conf

Interestingly, the root.crt file is very much present and readable:

    $ ll
    <snip>
    -rw-r--r-- 1 postgres postgres  143 2010-12-01 17:06 pg_ctl.conf
    -rw-r----- 1 postgres postgres 4.3K 2011-03-17 16:35 pg_hba.conf
    -rw-r----- 1 postgres postgres 1.7K 2011-03-17 15:58 pg_ident.conf
    -rw-r--r-- 1 postgres postgres  18K 2011-02-07 18:38 postgresql.conf
    -rw-r--r-- 1 postgres postgres 2.8K 2011-03-17 16:39 root.crt
    -rw------- 1 postgres postgres 2.2K 2011-03-17 14:37 server.crt
    -rw------- 1 postgres postgres  891 2011-03-17 16:18 server.key
    -rw------- 1 postgres postgres  963 2011-03-17 14:37 server.key.encrypted

What is going on? What do I have to do for this certificate to load???

--
Marc-André Laverdière
Software Security Scientist
Innovation Labs, Tata Consultancy Services
Hyderabad, India
Anyone???

Marc-André Laverdière
Software Security Scientist
Innovation Labs, Tata Consultancy Services
Hyderabad, India

On Monday 28 March 2011 10:23 AM, Marc-André Laverdière wrote:
> Hello everyone,
>
> I'm a postgres n00b and I'm trying to configure my installation to work
> with certificate authentication.
>
> [...]
>
> What is going on? What do I have to do for this certificate to load???
You need to change permissions to get your postmaster working.

"To start in SSL mode, the files server.crt and server.key must exist in the server's data directory. These files should contain the server certificate and private key, respectively. On Unix systems, the permissions on server.key must disallow any access to world or group; achieve this by the command chmod 0600 server.key. If the private key is protected with a passphrase, the server will prompt for the passphrase and will not start until it has been entered."

2011/4/25 Marc-André Laverdière <marc-andre@atc.tcs.com>:
> Anyone???
>
> [...]
>
> --
> Sent via pgsql-novice mailing list (pgsql-novice@postgresql.org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-novice
Permissions are OK. I have working:

    -rw-r--r-- 1 postgres postgres 615 2011-04-25 16:23 root.crt
    -rw------- 1 postgres postgres 692 2011-04-25 17:20 server.crt
    -rw------- 1 postgres postgres 887 2011-04-25 17:17 server.key

Try to put these files in the data directory (/var/lib/postgres/9.0/{clustername}), not the config directory (/etc/postgres/9.0/{clustername}). When a cluster is created there is automatically a snakeoil server.key and server.crt provided in the data directory, but there is no root.crt provided. Probably you put your certs in the config directory.

2011/4/25 Grzegorz Szpetkowski <gszpetkowski@gmail.com>:
> You need to change permissions to get your postmaster working.
>
> [...]
Marc-André Laverdière <marc-andre@atc.tcs.com> writes:
>> My pg_hba.conf file is configured with this:
>> hostssl all abc ::1/128 cert clientcert=1

>> Yet I am unable to start the server. This is what I get on startup:

>> $ sudo /etc/init.d/postgresql start 9.0
>> * Starting PostgreSQL 9.0 database server
>> * The PostgreSQL server failed to start. Please check the log output:
>> 2011-03-17 16:39:13 IST LOG:  client certificates can only be checked
>> if a root certificate store is available
>> 2011-03-17 16:39:13 IST HINT:  Make sure the root.crt file is present
>> and readable.
>> 2011-03-17 16:39:13 IST CONTEXT:  line 93 of configuration file
>> "/etc/postgresql/9.0/main/pg_hba.conf"
>> 2011-03-17 16:39:13 IST FATAL:  could not load pg_hba.conf

Hmm, did you remember to set ssl = on in postgresql.conf? While experimenting I accidentally found out it will react like this if it finds clientcert=1 in pg_hba.conf but SSL wasn't enabled in postgresql.conf. Needless to say, that's not a very friendly error response --- will see about improving it.

regards, tom lane
I think that ssl mode is enabled by default in the Ubuntu package and there are snakeoil certs provided in the data directory (/var/lib/postgresql/9.0/main):

    lrwxrwxrwx 1 root root 36 2011-04-25 16:34 server.crt -> /etc/ssl/certs/ssl-cert-snakeoil.pem
    lrwxrwxrwx 1 root root 38 2011-04-25 16:34 server.key -> /etc/ssl/private/ssl-cert-snakeoil.key

Since there is no root.crt in the data directory, the postmaster fails to start. I think that PostgreSQL can't "see" certs in the config directory (/etc/postgresql/9.0/main). In the Ubuntu package there is a config directory and a data directory, so I think that the OP should put the certs in the data dir, not the config dir.

Regards,
Greg Szpetkowski

2011/4/25 Tom Lane <tgl@sss.pgh.pa.us>:
> Hmm, did you remember to set ssl = on in postgresql.conf? While
> experimenting I accidentally found out it will react like this if
> it finds clientcert=1 in pg_hba.conf but SSL wasn't enabled in
> postgresql.conf. Needless to say, that's not a very friendly error
> response --- will see about improving it.
>
> [...]
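The two diagnoses in this thread (Tom Lane's "is ssl = on set?" and Grzegorz Szpetkowski's "are the files in the data directory, not /etc/postgresql?") plus the documented permission rule on server.key can be checked mechanically before restarting the cluster. The script below is an added example written for this page, not code from the thread or from PostgreSQL. It assumes only POSIX sh, grep, stat and (for the optional chain check) openssl; the directory paths, the expected owner and the function names are parameters and assumptions of the example. The demonstration at the end builds a constructed, throwaway layout with placeholder files, not real keys.

```shell
#!/bin/sh
# Added example, not code from the thread: sanity-check a PostgreSQL cluster
# for what pg_hba.conf with clientcert=1 needs before it will load:
#   1. ssl = on in postgresql.conf (the effective, i.e. last, setting)
#   2. server.crt, server.key and root.crt in the DATA directory, not the
#      Debian/Ubuntu config directory under /etc/postgresql
#   3. server.key with no group/world access; root.crt readable; expected owner
#
# Usage: check_pg_ssl_setup DATADIR POSTGRESQL_CONF PG_HBA_CONF [OWNER]
# Prints each finding and returns 0 only when everything checks out.

# Octal mode and owner of a file. -L follows symlinks, because on Ubuntu the
# stock server.crt/server.key are links into /etc/ssl (as shown in the thread);
# without -L, stat would report the link's own 777/root. GNU stat first, BSD fallback.
file_mode()  { stat -L -c '%a' "$1" 2>/dev/null || stat -L -f '%Lp' "$1"; }
file_owner() { stat -L -c '%U' "$1" 2>/dev/null || stat -L -f '%Su' "$1"; }

# True when the last uncommented "ssl = ..." line in postgresql.conf says on.
ssl_enabled() {
    grep -Ei '^[[:space:]]*ssl[[:space:]]*=' "$1" | tail -n 1 | tr -d "'" \
        | grep -Eiq '=[[:space:]]*on([[:space:]]|#|$)'
}

# True when an uncommented hostssl line uses cert auth or clientcert=1.
needs_client_certs() {
    grep -Eiq '^[[:space:]]*hostssl.*(cert([[:space:]]|$)|clientcert=1)' "$1"
}

check_pg_ssl_setup() {
    datadir=$1; conf=$2; hba=$3; owner=${4:-postgres}
    rc=0

    if ! ssl_enabled "$conf"; then
        echo "FAIL: ssl = on is not set in $conf (clientcert=1 cannot work without it)"
        rc=1
    fi

    # server.crt and server.key are required for SSL at all.
    for f in server.crt server.key; do
        if [ ! -f "$datadir/$f" ]; then
            echo "FAIL: $datadir/$f is missing (files belong in the data directory)"
            rc=1
        fi
    done

    # root.crt is only required when pg_hba.conf asks for client certificates.
    if needs_client_certs "$hba"; then
        if [ ! -f "$datadir/root.crt" ]; then
            echo "FAIL: $hba requires client certs but $datadir/root.crt is missing"
            rc=1
        elif [ ! -r "$datadir/root.crt" ]; then
            echo "FAIL: $datadir/root.crt exists but is not readable"
            rc=1
        fi
    fi

    # Ownership of whatever is present, and the 0600/0400 rule on the key.
    for f in server.crt server.key root.crt; do
        [ -f "$datadir/$f" ] || continue
        if [ "$(file_owner "$datadir/$f")" != "$owner" ]; then
            echo "FAIL: $datadir/$f is not owned by $owner"
            rc=1
        fi
    done
    if [ -f "$datadir/server.key" ]; then
        case "$(file_mode "$datadir/server.key")" in
            *00) ;;   # last two octal digits zero: no group/world bits
            *) echo "FAIL: $datadir/server.key is group/world accessible (chmod 0600)"; rc=1 ;;
        esac
    fi

    if [ "$rc" -eq 0 ]; then echo "OK: SSL prerequisites satisfied in $datadir"; fi
    return "$rc"
}

# Optional: confirm server.crt was issued by the CA in root.crt. Meaningful only
# when one CA issued both (as with the single TinyCA in the thread); in general
# root.crt is the trust store for client certificates. Requires openssl.
check_chain() {
    openssl verify -CAfile "$1/root.crt" "$1/server.crt"
}

# Demonstration on a constructed, throwaway layout (placeholder files, not real
# PEM data) that mirrors the thread: config in one directory, data in another.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/data" "$tmp/conf"
    printf 'ssl = on\n' > "$tmp/conf/postgresql.conf"
    printf 'hostssl all abc ::1/128 cert clientcert=1\n' > "$tmp/conf/pg_hba.conf"
    for f in server.crt server.key root.crt; do
        printf 'PLACEHOLDER, not a real certificate\n' > "$tmp/data/$f"
    done
    chmod 0600 "$tmp/data/server.key" "$tmp/data/server.crt"
    chmod 0644 "$tmp/data/root.crt"
    check_pg_ssl_setup "$tmp/data" "$tmp/conf/postgresql.conf" "$tmp/conf/pg_hba.conf" "$(id -un)"
    status=$?
    rm -rf "$tmp"
    return "$status"
}

demo
```

On a real Ubuntu cluster the call would be `check_pg_ssl_setup /var/lib/postgresql/9.0/main /etc/postgresql/9.0/main/postgresql.conf /etc/postgresql/9.0/main/pg_hba.conf`, run as root or postgres; it reports the thread's situation (root.crt under /etc/postgresql, nothing in the data directory) as a missing root.crt rather than the server's misleading "present and readable" hint. The mode check deliberately looks at the resolved file, so a server.key symlink pointing at a group-readable key is caught.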