Windows default directory for client certificates

Started by Lupi Loop about 10 years ago · 3 messages · general
#1 Lupi Loop
lupitheloop@gmail.com

PostgreSQL documentation at
http://www.postgresql.org/docs/9.5/static/libpq-ssl.html
says that when a client certificate is requested by a server, a Windows
client psql will use by default the credentials located at
%APPDATA%\postgresql\postgresql.crt and %APPDATA%\postgresql\postgresql.key

However, my psql client application (v 9.5.0) in a Windows Server 2012 R2
cannot find the certificates in this location and only works when this
location is specifically set using the sslcert and sslkey attributes when
connecting. Is this a bug or am I using a wrong path?

This is an example of execution:

-------------------------------------------

C:\Program Files\PostgreSQL\9.5\data> ..\bin\psql "postgresql://postgres@localhost/postgres"

psql: FATAL: connection requires a valid client certificate

FATAL: no pg_hba.conf entry for host "::1", user "postgres", database"postgres", SSL off

C:\Program Files\PostgreSQL\9.5\data> ..\bin\psql "postgresql://postgres@localhost/postgres?sslkey=postgresql\postgresql.key&sslcert=postgresql\postgresql.crt"

psql (9.5.0)

SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384,bits: 256, compression: off)

Type "help" for help.

postgres=#

--------------------------------

cheers

#2 Laurenz Albe
laurenz.albe@cybertec.at
In reply to: Lupi Loop (#1)
Re: Windows default directory for client certificates

Lupi Loop wrote:

PostgreSQL documentation at http://www.postgresql.org/docs/9.5/static/libpq-ssl.html
says that when a client certificate is requested by a server, a Windows client psql will use by
default the credentials located at %APPDATA%\postgresql\postgresql.crt and
%APPDATA%\postgresql\postgresql.key

However, my psql client application (v 9.5.0) in a Windows Server 2012 R2 cannot find the certificates
in this location and only works when this location is specifically set using the sslcert and sslkey
attributes when connecting. Is this a bug or am I using a wrong path?

This is an example of execution:

-------------------------------------------
C:\Program Files\PostgreSQL\9.5\data> ..\bin\psql "postgresql://postgres@localhost/postgres"
psql: FATAL: connection requires a valid client certificate
FATAL: no pg_hba.conf entry for host "::1", user "postgres", database"postgres", SSL off

C:\Program Files\PostgreSQL\9.5\data> ..\bin\psql "postgresql://postgres@localhost/postgres?sslkey=postgresql\postgresql.key&sslcert=postgresql\postgresql.crt"
psql (9.5.0)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384,bits: 256, compression: off)
Type "help" for help.
postgres=#
--------------------------------
cheers

To make this work, you will have to have a root certificate "root.crt" in the
server's data directory and the configuration parameter "ssl_ca_file" set to "root.crt".

The corresponding line in pg_hba.conf should look like this:
hostssl <dbname> <user> <client IP>/32 md5 clientcert=1

Then you have to restart the server.
But I guess you have done that since it works if you specify the files explicitly.

Perhaps you are not in the %APPDATA% directory.
What do you get when you type
echo %APPDATA%
on the command prompt?

One possibility to investigate this is to run "Process Monitor" and add the filters
"Process Name is psql.exe" and "Path ends with postgresql.key".
Then you should see where psql looks for the client key.

Yours,
Laurenz Albe

--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
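
As an added illustration (not part of the thread and not PostgreSQL's own code), the sketch below models the lookup order libpq documents for sslcert and sslkey on a Windows client: connection-string parameter, then PGSSLCERT/PGSSLKEY, then %APPDATA%\postgresql\. The function name, the constructed environment and the working directory are assumptions taken from the commands shown in the thread; relative paths resolve against the working directory, not %APPDATA%.

```python
import ntpath
from urllib.parse import urlsplit, parse_qs

# Environment variable and default file name for each libpq parameter.
SOURCES = {"sslcert": ("PGSSLCERT", "postgresql.crt"),
           "sslkey": ("PGSSLKEY", "postgresql.key")}


def resolve_client_credentials(conninfo_uri, env, cwd):
    """Return {param: (absolute_path, origin)} for a Windows libpq client.

    Hypothetical helper. Precedence: connection-string parameter, then
    environment variable, then the default under %APPDATA%. Relative
    paths are resolved against the process working directory.
    """
    query = parse_qs(urlsplit(conninfo_uri).query)
    resolved = {}
    for param, (env_name, default_file) in SOURCES.items():
        if param in query:
            path, origin = query[param][0], "connection string"
        elif env.get(env_name):
            path, origin = env[env_name], env_name
        else:
            path = ntpath.join(env["APPDATA"], "postgresql", default_file)
            origin = "default"
        # ntpath keeps Windows path semantics even when run on another OS.
        resolved[param] = (ntpath.normpath(ntpath.join(cwd, path)), origin)
    return resolved


# Constructed inputs mirroring the thread; XXX is the thread's own placeholder.
ENV = {"APPDATA": r"C:\Users\XXX\AppData\Roaming"}
CWD = r"C:\Program Files\PostgreSQL\9.5\data"
BARE = "postgresql://postgres@localhost/postgres"
EXPLICIT = (BARE + r"?sslkey=postgresql\postgresql.key"
                   r"&sslcert=postgresql\postgresql.crt")

if __name__ == "__main__":
    for uri in (BARE, EXPLICIT):
        found = resolve_client_credentials(uri, ENV, CWD)
        for param, (path, origin) in found.items():
            print(f"{param:8} {origin:18} {path}")
```

With the bare URI both files are expected under %APPDATA%\postgresql\; with the explicit parameters they resolve under the data directory the command was run from.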

#3 Lupi Loop
lupitheloop@gmail.com
In reply to: Laurenz Albe (#2)
Re: Windows default directory for client certificates

Thank you very much for your answer Laurenz, I was storing the client
certificates in PGDATA (C:\Program Files\PostgreSQL\9.5\data\) instead of
in APPDATA (C:\Users\XXX\AppData\Roaming).

Problem solved.

Thank you

2016-03-09 11:45 GMT+01:00 Albe Laurenz <laurenz.albe@wien.gv.at>:
