<div dir="ltr">Hi <span style="font-size:12.8000001907349px">Christian.</span><div><span style="font-size:12.8000001907349px"><br></span></div><div><span style="font-size:12.8000001907349px">Thanks for pointing out the issue. Handling of the certification chain was missing from pgpool-II, so it was not honoring the intermediate certificates. </span><span style="font-size:12.8000001907349px">I have pushed the fix</span><span style="font-size:12.8000001907349px"> in all branches from pgpool-II V3.0 onward.</span></div><div><span style="font-size:12.8000001907349px"><br></span></div><div><span style="font-size:12.8000001907349px"><a href="http://git.postgresql.org/gitweb/?p=pgpool2.git;a=commit;h=85e7862ddc6ee16ed98d29a6ac560c03bcd94fb4">http://git.postgresql.org/gitweb/?p=pgpool2.git;a=commit;h=85e7862ddc6ee16ed98d29a6ac560c03bcd94fb4</a></span><br></div><div><span style="font-size:12.8000001907349px"><br></span></div><div><span style="font-size:12.8000001907349px">Thanks</span></div><div><span style="font-size:12.8000001907349px">Kind regards!</span></div><div><span style="font-size:12.8000001907349px">Muhammad Usama</span></div><div><span style="font-size:12.8000001907349px"><br></span></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Nov 25, 2014 at 8:44 PM, Christian Affolter <span dir="ltr"><<a href="mailto:c.affolter@stepping-stone.ch" target="_blank">c.affolter@stepping-stone.ch</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi<br>
<br>
thanks for your help. According to the documentation [1] "ssl_ca_cert"<br>
and "ssl_ca_cert_dir" are used for backend server (PostgreSQL)<br>
certificate verification. Nevertheless, I gave it a shot without success.<br>
<br>
Regards<br>
Christian<br>
<br>
<br>
[1] <a href="http://www.pgpool.net/docs/latest/pgpool-en.html#SSL_CA_CERT" target="_blank">http://www.pgpool.net/docs/latest/pgpool-en.html#SSL_CA_CERT</a><br>
<div class="HOEnZb"><div class="h5"><br>
On 25.11.2014 16:12, Lachezar Dobrev wrote:<br>
>   Shouldn't you be using<br>
>    ssl_ca_cert = '/etc/ssl/pgpool2/ALL-CAs.pem'<br>
><br>
>   Instead of the<br>
>    ssl_ca_cert_dir = '...'<br>
><br>
><br>
> 2014-11-25 12:46 GMT+02:00 Christian Affolter <<a href="mailto:c.affolter@stepping-stone.ch">c.affolter@stepping-stone.ch</a>>:<br>
>> Dear pgpool users<br>
>><br>
>> I'm running pgpool-II 3.4.0 with enabled SSL support (between the client<br>
>> and the pgpool daemon). The SSL certificate is signed by an official<br>
>> certificate authority.<br>
>><br>
>> The path to the SSL root CA certs is set and SSL verification is activated:<br>
>> PGSSLROOTCERT="/etc/ssl/certs/ca-certificates.crt"<br>
>> PGSSLMODE="verify-full"<br>
>><br>
>> Whenever I try to connect to the pgpool-II server with the psql client,<br>
>> I get a "psql: SSL error: certificate verify failed" error.<br>
>><br>
>> ca-certificates.crt contains the correct Root CA certificate.<br>
>><br>
>><br>
>> The chain of trust looks as follows:<br>
>> Certificate -> Intermediate CA 1 -> Intermediate CA 2 -> Root CA<br>
>><br>
>><br>
>> The SSL connection settings of pgpool.conf:<br>
>><br>
>> ssl = on<br>
>> ssl_key  = '/etc/ssl/pgpool2/host.example.com.key.pem'<br>
>> ssl_cert = '/etc/ssl/pgpool2/host.example.com.bundle.pem'<br>
>> #ssl_ca_cert = ''<br>
>> ssl_ca_cert_dir = '/etc/ssl/certs'<br>
>><br>
>><br>
>> "host.example.com.key.pem" contains the private key whereas<br>
>> "host.example.com.bundle.pem" contains the x509 certificate and all<br>
>> involved CA certificates. It was created in the following order:<br>
>><br>
>> cat host.example.com.cert.pem   >  host.example.com.bundle.pem<br>
>> cat Intermediate-CA-1.cert.pem  >> host.example.com.bundle.pem<br>
>> cat Intermediate-CA-2.cert.pem  >> host.example.com.bundle.pem<br>
>> cat Root-CA.cert.pem            >> host.example.com.bundle.pem<br>
>><br>
>><br>
>> The verification works correctly if I explicitly create a CA file with<br>
>> all CAs involved: PGSSLROOTCERT=/etc/ssl/pgpool2/All-CAs.pem psql ...<br>
>><br>
>> Furthermore, I can use the same "host.example.com.bundle.pem" file<br>
>> within the PostgreSQL server, with only the Root CA known to the client<br>
>> (the original command).<br>
>><br>
>><br>
>> Does anyone know how to correctly deal with intermediate CA<br>
>> certificates within pgpool-II, so that pgpool sends the intermediate<br>
>> certificates along with the server certificate?<br>
>><br>
>><br>
>> Many thanks in advance<br>
>> Christian<br>
<br>
_______________________________________________<br>
pgpool-general mailing list<br>
<a href="mailto:pgpool-general@pgpool.net">pgpool-general@pgpool.net</a><br>
<a href="http://www.pgpool.net/mailman/listinfo/pgpool-general" target="_blank">http://www.pgpool.net/mailman/listinfo/pgpool-general</a><br>
</div></div></blockquote></div><br></div>
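<p>The failure Christian describes (the client trusts only the Root CA, but pgpool-II presented only the server certificate) reproduced with a throwaway PKI of the same shape, as an added example that is not part of this thread or of pgpool-II. It assumes only the openssl command-line tool; the names root, ica2, ica1 and leaf are constructed stand-ins for the real certificates.</p>

```shell
#!/bin/sh
# Added example, not code from the pgpool thread or from pgpool-II.
# Builds a throwaway PKI with the same shape as the chain in the thread,
#   leaf -> ica1 (Intermediate CA 1) -> ica2 (Intermediate CA 2) -> root,
# then checks the leaf the way a client holding only the Root CA would.
# Assumes the openssl CLI; all names and files are constructed here.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# issue NAME ISSUER EXTENSIONS: key + CSR for NAME, signed by ISSUER's key/cert.
issue() {
  name=$1; issuer=$2; ext=$3
  openssl req -new -newkey rsa:2048 -nodes -keyout "$name.key" \
    -subj "/CN=$name" -out "$name.csr" >/dev/null 2>&1
  printf '%s\n' "$ext" > "$name.ext"
  openssl x509 -req -in "$name.csr" -CA "$issuer.crt" -CAkey "$issuer.key" \
    -CAcreateserial -days 1 -extfile "$name.ext" -out "$name.crt" >/dev/null 2>&1
}

# Self-signed Root CA (the only certificate the client is given).
openssl req -x509 -new -newkey rsa:2048 -nodes -keyout root.key \
  -subj "/CN=Root CA" -days 1 -out root.crt >/dev/null 2>&1
issue ica2 root "basicConstraints=critical,CA:TRUE"
issue ica1 ica2 "basicConstraints=critical,CA:TRUE"
issue leaf ica1 "basicConstraints=CA:FALSE"

# What the client saw: the leaf alone, trust anchor = Root CA only. Fails,
# because the intermediates are neither trusted nor presented.
verify_root_only() {
  openssl verify -CAfile root.crt leaf.crt >/dev/null 2>&1
}

# What a correctly configured server makes possible: the intermediates are
# presented together with the leaf (untrusted, but usable for chain building).
verify_with_chain() {
  cat ica1.crt ica2.crt > intermediates.pem
  openssl verify -CAfile root.crt -untrusted intermediates.pem leaf.crt >/dev/null 2>&1
}

verify_root_only  && echo "root only: OK" || echo "root only: verify failed (expected)"
verify_with_chain && echo "with intermediates: OK"
```

The same two checks can be run against a live pgpool-II with the certificates it actually presents; only the second one passing is the behaviour the fix restores.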