SSL Certificates in Windows 7 & Postgres 9.3

Started by harpagornis | over 11 years ago | 35 messages | general
#1harpagornis
shenlong@runbox.com

I am trying to connect using SSL in Windows 7 and Postgres v9.3. The console
output error message is "Failed to establish a connection to 127.0.0.1" The
error message from the pg_log is:
-----------------------------------------------------------
2014-12-15 19:20:24 GMT FATAL: connection requires a valid client
certificate
2014-12-15 19:20:25 GMT FATAL: connection requires a valid client
certificate
2014-12-15 19:20:26 GMT FATAL: no pg_hba.conf entry for host "127.0.0.1",
user "SYSTEM", database "postgres", SSL off
2014-12-15 19:20:55 GMT LOG: could not accept SSL connection: No connection
could be made because the target machine actively refused it.
-----------------------------------------------------------
This is the connection string from the console app.

string conStr =
"Server=127.0.0.01; " +
"User Id=my_role; " +
"Password=''; " +
"Database=dbname; " +
"SSL=True; " +
"Sslmode=Require; ";

-----------------------------------------------------------
This is the pg_hba.conf
hostssl all all 127.0.0.1/32 cert clientcert=1
hostssl all all ::1/128 cert clientcert=1
-----------------------------------------------------------
This is the postgresql.conf

listen_addresses = '*'
port = 5432
max_connections = 100
ssl = on
ssl_ciphers = 'DEFAULT:!LOW:!EXP:!MD5:@STRENGTH'
ssl_renegotiation_limit = 512MB
ssl_cert_file = 'server.crt'
ssl_key_file = 'server.key'
ssl_ca_file = 'root.crt'
password_encryption = off
shared_buffers = 128MB
-----------------------------------------------------------
I followed all documentation for creating the certificates, ie.
-----------------------------------------------------------
Server Side
openssl genrsa -des3 -out server.key 2048
openssl rsa -in server.key -out server.key
openssl req -new -key server.key -days 3650 -out server.crt -config "D:\openssl\v9.8\openssl.cnf"
-----------------------------------------------------------
Client Side
openssl genrsa -des3 -out postgresql.key 2048
openssl rsa -in postgresql.key -out postgres.key
openssl req -new -key postgresql.key -out postgresql.csr -config "D:\openssl\v9.8\openssl.cnf"
copy server.crt root.crt
openssl x509 -req -in postgresql.csr -CA root.crt -CAkey server.key -out postgresql.crt -CAcreateserial
----------------------------------------------------------
Windows Pkcs12 file:
openssl pkcs12 -export -out postgrcli.p12 -name "My Certificate" -in postgresql.crt -inkey postgresql.key
-----------------------------------------------------------
The Visual Studio solution includes as a project / reference, the source
code of Npgsql v2.2.0.
However, the program never reaches any of the breakpoints I put throughout
the Npgsql code .
-----------------------------------------------------------
I really need some help, please. Any suggestions? I have scoured the
documentation and the internet. Maybe I can try a psql command. What would
that command be with the certificate included? Thank you in advance.

--
View this message in context: http://postgresql.nabble.com/SSL-Certificates-in-Windows-7-Postgres-9-3-tp5830749.html
Sent from the PostgreSQL - general mailing list archive at Nabble.com.

--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general

#2Adrian Klaver
adrian.klaver@aklaver.com
In reply to: harpagornis (#1)
Re: SSL Certificates in Windows 7 & Postgres 9.3

On 12/15/2014 11:41 AM, harpagornis wrote:

> I am trying to connect using SSL in Windows 7 and Postgres v9.3. The console
> output error message is "Failed to establish a connection to 127.0.0.1" The
> error message from the pg_log is:
> -----------------------------------------------------------
> 2014-12-15 19:20:24 GMT FATAL: connection requires a valid client
> certificate
> 2014-12-15 19:20:25 GMT FATAL: connection requires a valid client
> certificate
> 2014-12-15 19:20:26 GMT FATAL: no pg_hba.conf entry for host "127.0.0.1",
> user "SYSTEM", database "postgres", SSL off
> 2014-12-15 19:20:55 GMT LOG: could not accept SSL connection: No connection
> could be made because the target machine actively refused it.
> -----------------------------------------------------------
> This is the connection string from the console app.
>
> string conStr =
> "Server=127.0.0.01; " +
> "User Id=my_role; " +
> "Password=''; " +
> "Database=dbname; " +
> "SSL=True; " +
> "Sslmode=Require; ";
>
> -----------------------------------------------------------
> This is the pg_hba.conf
> hostssl all all 127.0.0.1/32 cert clientcert=1
> hostssl all all ::1/128 cert clientcert=1
> -----------------------------------------------------------
> This is the postgresql.conf
>
> listen_addresses = '*'
> port = 5432
> max_connections = 100
> ssl = on
> ssl_ciphers = 'DEFAULT:!LOW:!EXP:!MD5:@STRENGTH'
> ssl_renegotiation_limit = 512MB
> ssl_cert_file = 'server.crt'
> ssl_key_file = 'server.key'
> ssl_ca_file = 'root.crt'
> password_encryption = off
> shared_buffers = 128MB
> -----------------------------------------------------------
> I followed all documentation for creating the certificates, ie.
> -----------------------------------------------------------
> Server Side
> openssl genrsa -des3 -out server.key 2048
> openssl rsa -in server.key -out server.key
> openssl req -new -key server.key -days 3650 -out server.crt -config "D:\openssl\v9.8\openssl.cnf"
> -----------------------------------------------------------
> Client Side
> openssl genrsa -des3 -out postgresql.key 2048
> openssl rsa -in postgresql.key -out postgres.key
> openssl req -new -key postgresql.key -out postgresql.csr -config "D:\openssl\v9.8\openssl.cnf"
> copy server.crt root.crt
> openssl x509 -req -in postgresql.csr -CA root.crt -CAkey server.key -out postgresql.crt -CAcreateserial
> ----------------------------------------------------------
> Windows Pkcs12 file:
> openssl pkcs12 -export -out postgrcli.p12 -name "My Certificate" -in postgresql.crt -inkey postgresql.key
> -----------------------------------------------------------
> The Visual Studio solution includes as a project / reference, the source
> code of Npgsql v2.2.0.
> However, the program never reaches any of the breakpoints I put throughout
> the Npgsql code.
> -----------------------------------------------------------
> I really need some help, please. Any suggestions? I have scoured the
> documentation and the internet. Maybe I can try a psql command. What would
> that command be with the certificate included? Thank you in advance.

Did you set the CN of the client certificate to the user that you are
connecting as? For a good run through/explanation see:

http://www.howtoforge.com/postgresql-ssl-certificates

--
Adrian Klaver
adrian.klaver@aklaver.com

#3harpagornis
shenlong@runbox.com
In reply to: harpagornis (#1)
Re: SSL Certificates in Windows 7 & Postgres 9.3

Yes, I set the CN to 127.0.0.1 for all certificates. I verified that for all
certificates using openssl verify. I can connect o.k. without the SSL.

#4Adrian Klaver
adrian.klaver@aklaver.com
In reply to: harpagornis (#3)
Re: SSL Certificates in Windows 7 & Postgres 9.3

On 12/15/2014 01:13 PM, harpagornis wrote:

> Yes, I set the CN to 127.0.0.1 for all certificates. I verified that for all
> certificates using openssl verify. I can connect o.k. without the SSL.

The CN needs to be the user not the IP address. Take a look at the link
I sent earlier, it is a great help.

--
Adrian Klaver
adrian.klaver@aklaver.com

#5harpagornis
shenlong@runbox.com
In reply to: harpagornis (#1)
Re: SSL Certificates in Windows 7 & Postgres 9.3

I changed the CN in all the certificates from 127.0.0.1 to "my_role", which is
the user id. Now the pg_log contains this:
---------------------------------------------------------------------------------------
2014-12-15 22:28:04 GMT LOG: database system was shut down at 2014-12-15
22:28:01 GMT
2014-12-15 22:28:04 GMT LOG: database system is ready to accept connections
2014-12-15 22:28:04 GMT LOG: autovacuum launcher started
2014-12-15 22:28:05 GMT FATAL: the database system is starting up
2014-12-15 22:28:06 GMT FATAL: connection requires a valid client
certificate
2014-12-15 22:28:06 GMT FATAL: no pg_hba.conf entry for host "127.0.0.1",
user "SYSTEM", database "postgres", SSL off

#6David G. Johnston
david.g.johnston@gmail.com
In reply to: harpagornis (#5)
Re: SSL Certificates in Windows 7 & Postgres 9.3

harpagornis wrote

> I changed the CN in all the certificates from 127.0.0.1 to "my_role", which
> is the user id. Now the pg_log contains this:
> ---------------------------------------------------------------------------------------
> 2014-12-15 22:28:04 GMT LOG: database system was shut down at 2014-12-15
> 22:28:01 GMT
> 2014-12-15 22:28:04 GMT LOG: database system is ready to accept
> connections
> 2014-12-15 22:28:04 GMT LOG: autovacuum launcher started
> 2014-12-15 22:28:05 GMT FATAL: the database system is starting up
> 2014-12-15 22:28:06 GMT FATAL: connection requires a valid client
> certificate
> 2014-12-15 22:28:06 GMT FATAL: no pg_hba.conf entry for host "127.0.0.1",
> user "SYSTEM", database "postgres", SSL off

The first question I'd ask is who this "SYSTEM" user is. I don't recall
that any PostgreSQL code identifies itself as "SYSTEM" but given how quickly
it attempts to connect I may simply be mistaken. Regardless, you either
need to get "SYSTEM" to use an SSL client certificate or create a
pg_hba.conf entry that will allow it to connect without one.

David J.

#7Adrian Klaver
adrian.klaver@aklaver.com
In reply to: harpagornis (#5)
Re: SSL Certificates in Windows 7 & Postgres 9.3

On 12/15/2014 02:36 PM, harpagornis wrote:

> I changed the CN in all the certificates from 127.0.0.1 to "my_role", which is
> the user id. Now the pg_log contains this:
> ---------------------------------------------------------------------------------------
> 2014-12-15 22:28:04 GMT LOG: database system was shut down at 2014-12-15
> 22:28:01 GMT
> 2014-12-15 22:28:04 GMT LOG: database system is ready to accept connections
> 2014-12-15 22:28:04 GMT LOG: autovacuum launcher started
> 2014-12-15 22:28:05 GMT FATAL: the database system is starting up
> 2014-12-15 22:28:06 GMT FATAL: connection requires a valid client
> certificate
> 2014-12-15 22:28:06 GMT FATAL: no pg_hba.conf entry for host "127.0.0.1",
> user "SYSTEM", database "postgres", SSL off

Well something is trying to connect not using SSL. Previously you showed
your pg_hba.conf as:

This is the pg_hba.conf
hostssl all all 127.0.0.1/32 cert clientcert=1
hostssl all all ::1/128 cert clientcert=1

If that is all of it there is no provision for a non-SSL connection.

The question then is who is "SYSTEM" user?

Is it the same as my_role or is something else?

Best guess is that there is a system user trying to connect in your setup.

--
Adrian Klaver
adrian.klaver@aklaver.com
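
An added example, not part of the thread and not PostgreSQL's own code: a simplified Python model of first-match pg_hba.conf selection, run against the two records quoted in the thread. It covers both points raised so far: a non-SSL attempt has no record to match, and the `cert` method compares the certificate CN with the requested user. The `Attempt` class, the function names and the outcome strings are assumptions of this example; only `host`/`hostssl`/`hostnossl` records and plain `all`/literal database and user fields are modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The two records quoted in the thread (the whole file, per the original post).
PG_HBA = """\
hostssl all all 127.0.0.1/32 cert clientcert=1
hostssl all all ::1/128      cert clientcert=1
"""


@dataclass
class Attempt:
    addr: str
    user: str
    database: str
    ssl: bool
    cert_cn: Optional[str] = None  # CN of the client certificate, if one was sent


def parse_hba(text):
    """Return (type, database, user, network, method) tuples for TCP records."""
    records = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local":
            continue  # Unix-socket records never match a TCP attempt
        records.append((f[0], f[1], f[2], ipaddress.ip_network(f[3]), f[4]))
    return records


def type_matches(rec_type, ssl):
    # host: SSL or non-SSL; hostssl: SSL only; hostnossl: non-SSL only
    return rec_type == "host" or (rec_type == "hostssl") == ssl


def evaluate(records, a):
    """Outcome for one attempt; the first matching record decides."""
    ip = ipaddress.ip_address(a.addr)
    for rec_type, db, user, net, method in records:
        if not type_matches(rec_type, a.ssl):
            continue
        if db not in ("all", a.database) or user not in ("all", a.user):
            continue
        if ip.version != net.version or ip not in net:
            continue
        if method == "cert":
            if a.cert_cn is None:
                return "rejected: no client certificate"
            if a.cert_cn != a.user:
                return "rejected: certificate CN does not match user"
            return "accepted"
        return "accepted" if method == "trust" else "deferred to method " + method
    return "rejected: no pg_hba.conf entry"


if __name__ == "__main__":
    recs = parse_hba(PG_HBA)
    # Constructed attempts mirroring the situations discussed in the thread.
    for a in (
        Attempt("127.0.0.1", "SYSTEM", "postgres", ssl=False),
        Attempt("127.0.0.1", "my_role", "dbname", ssl=True),
        Attempt("127.0.0.1", "my_role", "dbname", ssl=True, cert_cn="127.0.0.1"),
        Attempt("127.0.0.1", "my_role", "dbname", ssl=True, cert_cn="my_role"),
    ):
        print(a, "->", evaluate(recs, a))
```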

#8harpagornis
shenlong@runbox.com
In reply to: Adrian Klaver (#7)
Re: SSL Certificates in Windows 7 & Postgres 9.3

Yes, I did intend for only SSL connections. The console app must be the
SYSTEM user then, directly or maybe indirectly through the Windows
Certificate Store. I already added root.crt to the trusted certificates
through Windows MMC. Here is my console app, in which I provide the
certificate, so what else needs to be done?
-----------------------------------------------------------------------------
    NpgsqlConnection conn = new NpgsqlConnection(conStr);

    conn.ProvideClientCertificatesCallback += new
        ProvideClientCertificatesCallback(MyProvideClientCertificates);

    /* This callback simply returns true indicating you are accepting the server
       certificate. Obviously, returning true without doing any validation should
       be done for testing purposes only. */
    conn.ValidateRemoteCertificateCallback += (a, b, c) => { return true; };

    try
    {
        conn.Open();
        System.Console.WriteLine("Connection opened");
    }
    catch (Exception e)
    {
        System.Console.WriteLine(e);
    }
    finally
    {
        conn.Close();
        System.Console.ReadLine();
    }
}

private static void MyProvideClientCertificates(X509CertificateCollection clienteCertis)
{
    // Verbatim string, so the backslash in the Windows path is not read as an escape.
    const string clientcert = @"d:\postgrclient.p12";
    X509Certificate2 cert = new X509Certificate2(clientcert, "password",
        X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.MachineKeySet);

    Console.WriteLine(cert.HasPrivateKey);
    clienteCertis.Add(cert);
}

#9David G. Johnston
david.g.johnston@gmail.com
In reply to: harpagornis (#8)
Re: SSL Certificates in Windows 7 & Postgres 9.3

harpagornis wrote

> The console app must be the SYSTEM user then, directly or maybe indirectly
> through the Windows Certificate Store.

Doubtful.

The log also shows the attempt is to access the "postgres" database while
your provided connection string accesses "dbname".

You should probably start over and build up a simple "hello world" level
program that will let you more easily figure out which moving pieces are
giving you grief. Start without SSL, get stuff working, then add SSL pieces
one-by-one, checking application and PostgreSQL logs to see what reaction
you get at each point.

David J.

#10Tom Lane
tgl@sss.pgh.pa.us
In reply to: Adrian Klaver (#7)
Re: SSL Certificates in Windows 7 & Postgres 9.3

Adrian Klaver <adrian.klaver@aklaver.com> writes:

> On 12/15/2014 02:36 PM, harpagornis wrote:
>
>> 2014-12-15 22:28:06 GMT FATAL: connection requires a valid client
>> certificate
>> 2014-12-15 22:28:06 GMT FATAL: no pg_hba.conf entry for host "127.0.0.1",
>> user "SYSTEM", database "postgres", SSL off
>
> Well something is trying to connect not using SSL.

It might be that libpq is trying an SSL connection, it's not working,
and it immediately tries a non-SSL connection. It'd likely be worth
turning on log_connections to help debug this --- I think, but not
totally sure, that would record any such extra connection attempt.

> The question then is who is "SYSTEM" user?

Yeah, that looks pretty fishy.

regards, tom lane

#11Adrian Klaver
adrian.klaver@aklaver.com
In reply to: harpagornis (#8)
Re: SSL Certificates in Windows 7 & Postgres 9.3

On 12/15/2014 03:25 PM, harpagornis wrote:

> Yes, I did intend for only SSL connections. The console app must be the
> SYSTEM user then, directly or maybe indirectly through the Windows
> Certificate Store. I already added root.crt to the trusted certificates
> through Windows MMC. Here is my console app, in which I provide the
> certificate, so what else needs to be done?

In addition to what David said I would probably ask on the Npgsql forum:

http://pgfoundry.org/forum/forum.php?forum_id=519&group_id=1000140

--
Adrian Klaver
adrian.klaver@aklaver.com

#12Adrian Klaver
adrian.klaver@aklaver.com
In reply to: Tom Lane (#10)
Re: SSL Certificates in Windows 7 & Postgres 9.3

On 12/15/2014 03:49 PM, Tom Lane wrote:

> Adrian Klaver <adrian.klaver@aklaver.com> writes:
>
>> On 12/15/2014 02:36 PM, harpagornis wrote:
>>
>>> 2014-12-15 22:28:06 GMT FATAL: connection requires a valid client
>>> certificate
>>> 2014-12-15 22:28:06 GMT FATAL: no pg_hba.conf entry for host "127.0.0.1",
>>> user "SYSTEM", database "postgres", SSL off
>>
>> Well something is trying to connect not using SSL.
>
> It might be that libpq is trying an SSL connection, it's not working,
> and it immediately tries a non-SSL connection. It'd likely be worth
> turning on log_connections to help debug this --- I think, but not
> totally sure, that would record any such extra connection attempt.
>
>> The question then is who is "SYSTEM" user?
>
> Yeah, that looks pretty fishy.

The OP said they are running the code in a Visual Studio project.

If I were to hazard a guess, what is happening is:

The project is opening a connection as 'SYSTEM', outside the OP's code,
to fetch system information from Postgres using the postgres database as
the connection point. This connection is not SSL and as you say is
failing over to non-SSL, except there is no non-SSL line in pg_hba.conf.

> regards, tom lane

--
Adrian Klaver
adrian.klaver@aklaver.com

#13harpagornis
shenlong@runbox.com
In reply to: harpagornis (#1)
Re: SSL Certificates in Windows 7 & Postgres 9.3

Thank you all. Would something like Wireshark, WinPcap or WFetch show me
more about the SYSTEM connection?

#14harpagornis
shenlong@runbox.com
In reply to: harpagornis (#13)
Re: SSL Certificates in Windows 7 & Postgres 9.3

Ah! I figured out the pg_log error about "No pg_hba.conf entry for host
"127.0.0.1", user "SYSTEM", database "postgres", SSL off." That error
occurs when I go into Windows Component Services and restart postgres.

But, after I delete that pg_log file, there still is no connection and no
other pg_log errors. The console output is still, "Failed to establish a
connection to 127.0.0.1" I will post at PgFoundry.

#15Adrian Klaver
adrian.klaver@aklaver.com
In reply to: harpagornis (#14)
Re: SSL Certificates in Windows 7 & Postgres 9.3

On 12/15/2014 09:54 PM, harpagornis wrote:

> Ah! I figured out the pg_log error about "No pg_hba.conf entry for host
> "127.0.0.1", user "SYSTEM", database "postgres", SSL off." That error
> occurs when I go into Windows Component Services and restart postgres.
>
> But, after I delete that pg_log file, there still is no connection and no
> other pg_log errors. The console output is still, "Failed to establish a
> connection to 127.0.0.1" I will post at PgFoundry.

Can you connect outside of Npgsql using psql?

--
Adrian Klaver
adrian.klaver@aklaver.com

#16harpagornis
shenlong@runbox.com
In reply to: Adrian Klaver (#15)
Re: SSL Certificates in Windows 7 & Postgres 9.3

Right, I want to try connecting by psql, but the postgres documentation and
"psql -- help" do not list the syntax for providing the certificate. I
tried the following, but the error was : "Connection requires a valid
certificate"
----------------------------------------------------------------
$ psql postgresql://dbmaster:5433/mydb?sslmode=require
----------------------------------------------------------------
I also tried PgAdminIII after entering the certificate names in the
properties page for the localhost. The error in pg_log was, "could not
accept SSL connection: no certificate returned" I also got this error
message on the screen from the PgAdminIII program, "Error connecting to the
server: SSL error tlsv1 alert unknown ca."

#17harpagornis
shenlong@runbox.com
In reply to: harpagornis (#16)
Re: SSL Certificates in Windows 7 & Postgres 9.3

O.K. I just found the environment variables for SSL, described in Man 31.14.
I will try that.

#18harpagornis
shenlong@runbox.com
In reply to: harpagornis (#17)
Re: SSL Certificates in Windows 7 & Postgres 9.3

Trying to connect via psql, I looked at the documentation and around the web,
but could not find the right syntax for including all the SSL connection
variables on the psql command line. I tried using the URL-type psql
command, variations of this:
--------------------------------------------------------------
psql postgresql://localhost:5432/mydb?sslmode=require?sslcert=postgresql.crt
--------------------------------------------------------------
I wasn't sure if the question mark is supposed to precede each variable
(sslmode, sslcert, etc.)?
Since I could not get that syntax right, then I tried connecting with psql
the other way:
---------------------------------------------------------------
psql dbname=dbname user=my_role sslmode=verify-full sslcert=postgresql.crt
sslkey=postgresql.key sslrootcert=root.crt
----------------------------------------------------------------
The console output was:
"Warning command-line argument sslmode=verify-full ignored"
"Warning command-line argument sslcert=postgresql.crt ignored"
"Warning command-line argument sslkey=postgresql.key ignored"
"Warning command-line argument sslrootcert=root.crt ignored"
----------------------------------------------------------------
After lots of typing, and getting nowhere with either of those two methods,
I edited pg_env.bat to this:
------------------------------------------------------------
@SET PATH="C:\Program Files\PostgreSQL\9.3\bin";%PATH%
@SET PGDATA=D:\PostgresDat
@SET PGDATABASE=postgres
@SET PGUSER=postgres
@SET PGPORT=5432
@SET PGSSLCERT=D:\POSTGRESDAT\POSTGRESQL.CRT
@SET PGSSLKEY=D:\POSTGRESDAT\POSTGRESQL.KEY
@SET PGSSLROOTCERT=D:\POSTGRESDAT\ROOT.CRT
@SET PGSSLMODE=VERIFY-CA
@SET PGLOCALEDIR=C:\Program Files\PostgreSQL\9.3\share\locale
----------------------------------------------------------------
Then, I tried psql again, with fewer variables, like this: 'psql -d dbname
-U my_role'. The console output was this:
----------------------------------------------------------------
Sever closed the connection unexpectedly. This probably means the server
terminated abnormally before or while processing the request.
----------------------------------------------------------------
The pg_log had this:
the database system is starting up
autovacuum launcher started
connection requires a valid client certificate
no pg_hba.conf entry for host "127.0.0.1", user "SYSTEM", database
"postgres", SSL off
connection requires a valid client certificate
connection requires a valid client certificate
----------------------------------------------------------------
Any suggestions as to the correct psql syntax for connecting with SSL?
Thank you.

#19David G. Johnston
david.g.johnston@gmail.com
In reply to: harpagornis (#18)
Re: SSL Certificates in Windows 7 & Postgres 9.3

harpagornis wrote

> psql dbname=dbname user=my_role sslmode=verify-full sslcert=postgresql.crt
> sslkey=postgresql.key sslrootcert=root.crt

This is a psql command with 6 input arguments/options specified.

psql "dbname=dbname [...]" is a psql command with 1 input argument/option
specified which is treated as a "conninfo" string as documented at:

http://www.postgresql.org/docs/9.3/static/app-psql.html

> I wasn't sure if the question mark is supposed to precede each variable
> (sslmode, sslcert, etc.)?

You guessed wrong...admittedly the documentation assumes the reader knows
the format of a URI...separate key=value pairs in the "query" part of
the URI (which is separated from the path by the aforementioned "?") are
separated by ";" or "&".

http://en.wikipedia.org/wiki/URI_scheme

David J.
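
An added example, not part of the thread and not psql's own code: a Python sketch of the two parsing problems discussed above, using the command lines posted in the thread as input. It shows how the unquoted key=value words split into six arguments, how a second "?" in a URI ends up inside the sslmode value, and how to build a correctly quoted conninfo string or URI. The function names are this example's own, `shlex` stands in for the shell's word splitting (an assumption; for these inputs double-quote grouping behaves the same way), and option handling is reduced to "[dbname [username]], remaining arguments ignored".

```python
import shlex
from urllib.parse import parse_qsl, urlencode, urlsplit

# Command lines and URI as posted in the thread.
UNQUOTED = ("psql dbname=dbname user=my_role sslmode=verify-full "
            "sslcert=postgresql.crt sslkey=postgresql.key sslrootcert=root.crt")
BAD_URI = "postgresql://localhost:5432/mydb?sslmode=require?sslcert=postgresql.crt"


def psql_positionals(cmdline):
    """Assign non-option arguments the way psql does: [dbname [username]]."""
    args = [a for a in shlex.split(cmdline)[1:] if not a.startswith("-")]
    return {
        "dbname": args[0] if args else None,       # holds conninfo if it contains "="
        "username": args[1] if len(args) > 1 else None,
        "ignored": args[2:],                        # psql warns about each of these
    }


def uri_params(uri):
    """Split the query part of a connection URI into (key, value) pairs."""
    return parse_qsl(urlsplit(uri).query, keep_blank_values=True)


def conninfo(params):
    """Build a key=value conninfo string.

    Values that are empty or contain a space, single quote or backslash are
    wrapped in single quotes, with quotes and backslashes backslash-escaped.
    """
    parts = []
    for key, value in params.items():
        value = str(value)
        if value == "" or any(c in value for c in " '\\"):
            value = "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"
        parts.append(f"{key}={value}")
    return " ".join(parts)


def to_uri(host, port, dbname, params):
    """Build a connection URI; parameters after the first are joined with '&'."""
    return f"postgresql://{host}:{port}/{dbname}?{urlencode(params)}"


SSL_PARAMS = {
    "dbname": "dbname", "user": "my_role", "sslmode": "verify-full",
    "sslcert": "postgresql.crt", "sslkey": "postgresql.key",
    "sslrootcert": "root.crt",
}

if __name__ == "__main__":
    print(psql_positionals(UNQUOTED))            # four words end up ignored
    print(uri_params(BAD_URI))                   # sslcert swallowed into sslmode
    good = conninfo(SSL_PARAMS)
    print('psql "' + good + '"')                 # one argument: a conninfo string
    print(psql_positionals('psql "' + good + '"'))
    print(to_uri("localhost", 5432, "mydb",
                 {"sslmode": "require", "sslcert": "postgresql.crt"}))
```

When a URI containing "&" is passed on a command line, it needs to be quoted as a whole, because "&" is a shell metacharacter.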

#20harpagornis
shenlong@runbox.com
In reply to: David G. Johnston (#19)
Re: SSL Certificates in Windows 7 & Postgres 9.3

Unless I am missing something, I still do not see how / where to
specify sslcert, sslkey, root.crt in the psql command. The referenced links
don't go much beyond these input variables [ dbname [ username ] [ host ] [
port ] .
