SSL auth problem

Started by Vitaliyi almost 18 years ago, 7 messages, general
#1Vitaliyi
imgrey@gmail.com

Good Day

I'm trying to set up SSL auth.

creating CA:

openssl genrsa -out our.key 2048
openssl req -new -key our.key -out our.req
openssl req -x509 -in our.req -text -key our.key -out root.crt

then I copy root.crt to the postgresql host, and to the client host into ~/.postgresql

generating another key on server:

openssl genrsa -out server.key 2048
then a request for signing by the CA:
openssl req -new -key server.key -out server.req

signing on CA:

openssl req -x509 -in server.req -text -key our.key -out server.crt

now the postgresql data dir contains the following files:

server.crt
server.key
root.crt
and blank root.crl

on client host:

cd ~/.postgresql
openssl genrsa -out postgresql.key 2048
then signing it with our.key on the CA and placing postgresql.crt and root.crt
into ~/.postgresql

This is my picture of what is happening:

1. we are using our CA public key to generate root.crt:

root_signature = ca_pub_key**ca_priv_key % n

2. on the postgres server, creating a key pair and signing the public key on the CA, receiving
server_signature (server.crt):

server_signature = server_pub_key**root_priv_key % n

The client uses server_signature before encrypting and sending a message to the server:

server_pub_key = server_signature**root_pub_key % n

if server_pub_key is valid then the user encrypts the message with server_pub_key.

3. The client generates his own key pair and asks our CA to sign his public key.

client_signature = client_pub_key**ca_priv_key % n

He writes client_signature to postgresql.crt, which the server uses when
sending something to the client:

client_pub_key = client_signature**root_pub_key % n

If everything is correct, then why is psql complaining:

psql "dbname=me sslmode=require host=postgres_server user=me"
psql: SSL error: certificate verify failed

log on postgres_server:

postgres[98462]: [3-1] LOG: could not accept SSL connection: tlsv1 alert unknown ca

P.S. postgres-8.2 on freebsd
postgresql-client-8.2 on debian

#2Laurenz Albe
laurenz.albe@cybertec.at
In reply to: Vitaliyi (#1)
Re: SSL auth problem

Vitaliyi wrote:

I'm trying to set up SSL auth.

creating CA:

openssl genrsa -out our.key 2048
openssl req -new -key our.key -out our.req
openssl req -x509 -in our.req -text -key our.key -out root.crt

then I copy root.crt to the postgresql host, and to the client host into
~/.postgresql

generating another key on server:

openssl genrsa -out server.key 2048
then a request for signing by the CA:
openssl req -new -key server.key -out server.req

signing on CA:

openssl req -x509 -in server.req -text -key our.key -out server.crt

now the postgresql data dir contains the following files:

server.crt
server.key
root.crt
and blank root.crl

on client host:

cd ~/.postgresql
openssl genrsa -out postgresql.key 2048
then signing it with our.key on the CA and placing postgresql.crt and root.crt
into ~/.postgresql

This is my picture of what is happening:

1. we are using our CA public key to generate root.crt:

root_signature = ca_pub_key**ca_priv_key % n

2. on the postgres server, creating a key pair and signing the public key on the CA, receiving
server_signature (server.crt):

server_signature = server_pub_key**root_priv_key % n

The client uses server_signature before encrypting and sending a message to the server:

server_pub_key = server_signature**root_pub_key % n

if server_pub_key is valid then the user encrypts the message with server_pub_key.

3. The client generates his own key pair and asks our CA to
sign his public key.

client_signature = client_pub_key**ca_priv_key % n

He writes client_signature to postgresql.crt, which the server uses when sending something
to the client:

client_pub_key = client_signature**root_pub_key % n

If everything is correct, then why is psql complaining:

psql "dbname=me sslmode=require host=postgres_server user=me"
psql: SSL error: certificate verify failed

log on postgres_server:

postgres[98462]: [3-1] LOG: could not accept SSL connection: tlsv1 alert unknown ca

I could not follow completely, so let me ask:

- Did you put the same thing in root.crt on both client and server?
- Does root.crt contain a self signed certificate?
- Does root.crt contain the certificate that was used to sign server.crt and postgresql.crt?
- Are there any SSL messages in the server log file immediately after server startup?

Yours,
Laurenz Albe

#3Laurenz Albe
laurenz.albe@cybertec.at
In reply to: Vitaliyi (#1)
Re: SSL auth problem

Please, always CC: the list in your replies!

Vitaliyi wrote:

- Did you put the same thing in root.crt on both client and server?

yes

- Does root.crt contain a self signed certificate?

yes

- Does root.crt contain the certificate that was used to sign server.crt and postgresql.crt?

yes

- Are there any SSL messages in the server log file immediately after server startup?

LOG: SSL certificate revocation list file "root.crl" not found,
skipping: no SSL error reported
DETAIL: Certificates will not be checked against revocation list.

don't know where it is looking for "root.crl", but it is in the directory
with root.crt, server.key and server.crt

That should be harmless...

Let me reexamine your original mail:

generating another key on server:

[...]

signing on CA:
openssl req -x509 -in server.req -text -key our.key -out server.crt

That's the problem, I think.

With this statement you generate a self signed certificate from server.req
(check with "openssl x509 -in server.crt -text -noout").

What you need is a certificate signed by root.crt.

You can do it like this:

openssl x509 -req -in server.req -CA root.crt -CAkey our.key -CAcreateserial -out server.crt

See if that gets rid of the message!

Yours,
Laurenz Albe

#4Vitaliyi
imgrey@gmail.com
In reply to: Laurenz Albe (#3)
Re: SSL auth problem

don't know where it is looking for "root.crl", but it is in the directory
with root.crt, server.key and server.crt

That should be harmless...

removed root.crl; the same effect

Let me reexamine your original mail:

generating another key on server:

[...]

signing on CA:
openssl req -x509 -in server.req -text -key our.key -out server.crt

That's the problem, I think.

With this statement you generate a self signed certificate from server.req
(check with "openssl x509 -in server.crt -text -noout").

What you need is a certificate signed by root.crt.

You can do it like this:

openssl x509 -req -in server.req -CA root.crt -CAkey our.key -CAcreateserial -out server.crt

See if that gets rid of the message!

another error appeared:

psql: SSL error: sslv3 alert bad certificate

so I started from the beginning:
on CA:
openssl genrsa -out our.key 2048

creating a self-signed certificate:
openssl req -new -key our.key -out our.req
openssl req -x509 -in our.req -text -key our.key -out root.crt

copied root.crt to client and postgres server

on server:
openssl genrsa -out server.key 2048

on CA:
openssl x509 -req -in /tmp/server.req -CA ./root.crt -CAkey our.key -CAcreateserial -out server.crt

on client:
openssl genrsa -out postgresql.key 2048
openssl req -new -key postgresql.key -out cl.req

on CA:
openssl x509 -req -in /tmp/cl.req -CA ./root.crt -CAkey our.key -CAcreateserial -out postgresql.crt

files on client host:
postgresql.crt (signed by CA, -- root.crt)
postgresql.key (client private and public keys)
root.crt

files on postgresql server:
server.key (priv and pub keys)
server.crt (signed by root CA)
root.crt

stopped postgresql and started it again

on client:

psql "dbname=me sslmode=require host=postgresql_host user=me"
psql: SSL error: sslv3 alert bad certificate

on server in logs:
postgres[29299]: [3-1] LOG: could not accept SSL connection: no certificate returned

Where was I wrong? :(

#5Laurenz Albe
laurenz.albe@cybertec.at
In reply to: Vitaliyi (#4)
Re: SSL auth problem

Vitaliyi wrote:

another error appeared:

psql: SSL error: sslv3 alert bad certificate

so I started from the beginning:
on CA:
openssl genrsa -out our.key 2048

creating a self-signed certificate:
openssl req -new -key our.key -out our.req
openssl req -x509 -in our.req -text -key our.key -out root.crt

It does not cause an error, but omit -text.

copied root.crt to client and postgres server

on server:
openssl genrsa -out server.key 2048

You forgot here:
openssl req -new -key server.key -out /tmp/server.req

on CA:
openssl x509 -req -in /tmp/server.req -CA ./root.crt -CAkey our.key -CAcreateserial -out server.crt

on client:
openssl genrsa -out postgresql.key 2048
openssl req -new -key postgresql.key -out cl.req

on CA:
openssl x509 -req -in /tmp/cl.req -CA ./root.crt -CAkey our.key -CAcreateserial -out postgresql.crt

files on client host:
postgresql.crt (signed by CA, -- root.crt)
postgresql.key (client private and public keys)

Did you make sure that postgresql.key has permissions 0600?

root.crt

files on postgresql server:
server.key (priv and pub keys)

Did you make sure that server.key has permissions 0600?

server.crt (signed by root CA)
root.crt

stopped postgresql and started again

on client:

psql "dbname=me sslmode=require host=postgresql_host user=me"
psql: SSL error: sslv3 alert bad certificate

That means, I guess, that the client does not like its certificate files.

Check that they are ok, with something like

openssl x509 -noout -dates -issuer -subject -in root.crt
or
openssl x509 -noout -text -in root.crt

Same for root.crt.

Yours,
Laurenz Albe

#6Vitaliyi
imgrey@gmail.com
In reply to: Vitaliyi (#1)

It does not cause an error, but omit -text.

done

Did you make sure that postgresql.key has permissions 0600?

of course, otherwise it shows a warning

files on postgresql server:
server.key (priv and pub keys)

Did you make sure that server.key has permissions 0600?

yes

psql: SSL error: sslv3 alert bad certificate

That means, I guess, that the client does not like its certificate files.

Check that they are ok, with something like

openssl x509 -noout -dates -issuer -subject -in root.crt
or
openssl x509 -noout -text -in root.crt

Same for root.crt.

%openssl x509 -noout -dates -issuer -subject -in postgresql.crt

notBefore=May 16 13:55:49 2008 GMT
notAfter=Jun 15 13:55:49 2008 GMT
issuer= /C=UK/ST=Some-State/L=Kiev/O=0x2A/CN=80.93.122.34/emailAddress=support@0x2a-dc.com
subject= /C=UK/ST=Some-State/L=Kiev/O=Internet Widgits Pty Ltd/CN=localhost/emailAddress=imgrey@gmail.com

%openssl x509 -noout -dates -issuer -subject -in root.crt
notBefore=May 16 13:49:57 2008 GMT
notAfter=Jun 15 13:49:57 2008 GMT
issuer= /C=UK/ST=Some-State/L=Kiev/O=0x2A/CN=80.93.122.34/emailAddress=support@0x2a-dc.com
subject= /C=UK/ST=Some-State/L=Kiev/O=0x2A/CN=80.93.122.34/emailAddress=support@0x2a-dc.com

btw, the same:

psql: SSL error: sslv3 alert bad certificate

postgres[29563]: [3-1] LOG: could not accept SSL connection: no certificate returned

#7Laurenz Albe
laurenz.albe@cybertec.at
In reply to: Vitaliyi (#6)
Re: SSL auth problem

Vitaliyi wrote:

%openssl x509 -noout -dates -issuer -subject -in postgresql.crt

notBefore=May 16 13:55:49 2008 GMT
notAfter=Jun 15 13:55:49 2008 GMT
issuer= /C=UK/ST=Some-State/L=Kiev/O=0x2A/CN=80.93.122.34/emailAddress=support@0x2a-dc.com
subject= /C=UK/ST=Some-State/L=Kiev/O=Internet Widgits Pty Ltd/CN=localhost/emailAddress=imgrey@gmail.com

%openssl x509 -noout -dates -issuer -subject -in root.crt
notBefore=May 16 13:49:57 2008 GMT
notAfter=Jun 15 13:49:57 2008 GMT
issuer= /C=UK/ST=Some-State/L=Kiev/O=0x2A/CN=80.93.122.34/emailAddress=support@0x2a-dc.com
subject= /C=UK/ST=Some-State/L=Kiev/O=0x2A/CN=80.93.122.34/emailAddress=support@0x2a-dc.com

btw, the same:

psql: SSL error: sslv3 alert bad certificate

postgres[29563]: [3-1] LOG: could not accept SSL connection: no certificate returned

Could you also check the key files with

openssl rsa -in postgresql.key

and

openssl rsa -in server.key

and server.crt as you did above?

If they are all ok, I don't know what could be causing the error.

All that is obvious from the error message is that the client side
complains that a certificate is not ok (don't know if client, server or CA
certificate).

One last straw: is it between May 16 and June 15 on both machines involved?

Yours,
Laurenz Albe
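The two signing commands contrasted in message #3, and the file checks suggested in messages #5 and #7, as one added shell example that is not part of the thread or of PostgreSQL. It assumes the openssl command-line tool (1.1 or 3.x) is on PATH, builds a throwaway CA and server key pair in a scratch directory under constructed subject names, and uses helper function names (chains_to_root, name_of, key_matches_cert, not_expired, key_is_0600) that are this example's own:

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the openssl CLI is on PATH;
# everything is built in a scratch directory with constructed subject names.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found, nothing to demonstrate"; exit 0; }

WORK=$(mktemp -d)
cd "$WORK"

# 1. CA: private key plus self-signed root certificate, as in message #1.
openssl genrsa -out our.key 2048 2>/dev/null
openssl req -new -key our.key -out our.req -subj "/CN=Example Root CA" -batch 2>/dev/null
openssl req -x509 -in our.req -key our.key -days 30 -out root.crt 2>/dev/null

# 2. Server: private key plus a certificate signing request (the step that
#    message #5 points out was skipped in the retry).
openssl genrsa -out server.key 2048 2>/dev/null
chmod 600 server.key
openssl req -new -key server.key -out server.req -subj "/CN=postgres_server" -batch 2>/dev/null

# 3a. The command from message #1. 'req -x509' copies the CSR's own subject into
#     the issuer field, so the result does not chain to root.crt, which is what
#     the server log reports as "tlsv1 alert unknown ca".
openssl req -x509 -in server.req -key our.key -days 30 -out server-wrong.crt 2>/dev/null

# 3b. The command from message #3: sign the CSR with the CA key, root.crt as issuer.
openssl x509 -req -in server.req -CA root.crt -CAkey our.key -CAcreateserial \
    -days 30 -out server.crt 2>/dev/null

# Chain check: the same verification libpq performs against ~/.postgresql/root.crt.
chains_to_root() {
    openssl verify -CAfile root.crt "$1" >/dev/null 2>&1
}

# Prints the issuer or subject DN of a certificate without the "issuer="/"subject=" prefix.
name_of() {
    openssl x509 -in "$2" -noout "-$1" | sed 's/^[a-z]*= *//'
}

# Key/cert pairing: the public key inside the certificate must be the one derived
# from the private key file (the 'openssl rsa' check from message #7).
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl rsa -in "$2" -pubout 2>/dev/null)" ]
}

# Validity window: the clock question from message #7 ("is it between May 16 and June 15?").
not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Permission check from message #5: PostgreSQL refuses group/world-readable keys.
# GNU stat first, BSD/macOS stat as fallback.
key_is_0600() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$mode" = "600" ]
}

# Report for a stand-alone run.
for crt in server-wrong.crt server.crt; do
    if chains_to_root "$crt"; then
        echo "$crt: issuer '$(name_of issuer "$crt")' chains to root.crt"
    else
        echo "$crt: issuer '$(name_of issuer "$crt")' does NOT chain to root.crt"
    fi
done
key_matches_cert server.crt server.key && echo "server.crt matches server.key"
not_expired server.crt && echo "server.crt has not expired"
key_is_0600 server.key && echo "server.key is mode 0600"
```

Run it as a plain sh script. The verify failure on server-wrong.crt is the offline equivalent of the "unknown ca" alert in message #1, while server.crt passes because its issuer is root.crt's subject and its signature was made with our.key. The same functions can be pointed at postgresql.crt and postgresql.key on the client side, which covers every check message #7 asks for.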