[pgpool-general: 3305] How to deal with intermediate CA certificates

Christian Affolter c.affolter at stepping-stone.ch
Tue Nov 25 19:46:26 JST 2014

Dear pgpool users

I'm running pgpool-II 3.4.0 with enabled SSL support (between the client
and the pgpool daemon). The SSL certificate is signed by an official
certificate authority.

The path to the SSL root CA certs is set and SSL verification is activated:

Whenever I try to connect to the pgpool-II server with the psql client,
I get a "psql: SSL error: certificate verify failed" error.

ca-certificates.crt contains the correct Root CA certificate.

The chain of trust looks as follows:
Certificate -> Intermediate CA 1 -> Intermediate CA 2 -> Root CA

The SSL connection settings of pgpool.conf:

ssl = on
ssl_key  = '/etc/ssl/pgpool2/host.example.com.key.pem'
ssl_cert = '/etc/ssl/pgpool2/host.example.com.bundle.pem'
#ssl_ca_cert = ''
ssl_ca_cert_dir = '/etc/ssl/certs'

"host.example.com.key.pem" contains the private key whereas
"host.example.com.bundle.pem" contains the x509 certificate and all
involved CA certificates. It was created in the following order:

cat host.example.com.cert.pem   >  host.example.com.bundle.pem
cat Intermediate-CA-1.cert.pem  >> host.example.com.bundle.pem
cat Intermediate-CA-2.cert.pem  >> host.example.com.bundle.pem
cat Root-CA.cert.pem            >> host.example.com.bundle.pem

The verification works correct, if I explicitly create a CA file with
all CAs involved: PGSSLROOTCERT=/etc/ssl/pgpool2/All-CAs.pem psql ...

Furthermore, I can use the same "host.example.com.bundle.pem" file
within the PostgreSQL server, with only the Root CA known to the client
(the original command).

Does anyone know on how to correctly deal with intermediate CA
certificates within pgpool-II, so that pgpool sends the intermediate
certificates along with the server certificate?

Many thanks in advance

More information about the pgpool-general mailing list