[pgpool-general: 3306] Re: How to deal with intermediate CA certificates

Lachezar Dobrev l.dobrev at gmail.com
Wed Nov 26 00:12:46 JST 2014


  Shouldn't you be using
   ssl_ca_cert = '/etc/ssl/pgpool2/ALL-CAs.pem'

  Instead of the
   ssl_ca_cert_dir = '...'


2014-11-25 12:46 GMT+02:00 Christian Affolter <c.affolter at stepping-stone.ch>:
> Dear pgpool users
>
> I'm running pgpool-II 3.4.0 with enabled SSL support (between the client
> and the pgpool daemon). The SSL certificate is signed by an official
> certificate authority.
>
> The path to the SSL root CA certs is set and SSL verification is activated:
> PGSSLROOTCERT="/etc/ssl/certs/ca-certificates.crt"
> PGSSLMODE="verify-full"
>
> Whenever I try to connect to the pgpool-II server with the psql client,
> I get a "psql: SSL error: certificate verify failed" error.
>
> ca-certificates.crt contains the correct Root CA certificate.
>
>
> The chain of trust looks as follows:
> Certificate -> Intermediate CA 1 -> Intermediate CA 2 -> Root CA
>
>
> The SSL connection settings of pgpool.conf:
>
> ssl = on
> ssl_key  = '/etc/ssl/pgpool2/host.example.com.key.pem'
> ssl_cert = '/etc/ssl/pgpool2/host.example.com.bundle.pem'
> #ssl_ca_cert = ''
> ssl_ca_cert_dir = '/etc/ssl/certs'
>
>
> "host.example.com.key.pem" contains the private key whereas
> "host.example.com.bundle.pem" contains the x509 certificate and all
> involved CA certificates. It was created in the following order:
>
> cat host.example.com.cert.pem   >  host.example.com.bundle.pem
> cat Intermediate-CA-1.cert.pem  >> host.example.com.bundle.pem
> cat Intermediate-CA-2.cert.pem  >> host.example.com.bundle.pem
> cat Root-CA.cert.pem            >> host.example.com.bundle.pem
>
>
> The verification works correctly if I explicitly create a CA file with
> all CAs involved: PGSSLROOTCERT=/etc/ssl/pgpool2/All-CAs.pem psql ...
>
> Furthermore, I can use the same "host.example.com.bundle.pem" file
> within the PostgreSQL server, with only the Root CA known to the client
> (the original command).
>
>
> Does anyone know how to correctly deal with intermediate CA
> certificates within pgpool-II, so that pgpool sends the intermediate
> certificates along with the server certificate?
>
>
> Many thanks in advance
> Christian
> _______________________________________________
> pgpool-general mailing list
> pgpool-general at pgpool.net
> http://www.pgpool.net/mailman/listinfo/pgpool-general
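The failure Christian describes (verify-full client, only the Root CA in PGSSLROOTCERT, a three-level chain) can be reproduced offline without pgpool at all. The script below is an added example, not code from the thread or from pgpool-II: it builds a throwaway chain shaped like the one in the question with openssl, then verifies the leaf the way a client that trusts only the root does, once without the intermediates and once with them supplied either by the server-side bundle or by an all-CAs file. It also shows that a CA directory handed to OpenSSL's directory lookup (-CApath) has to be laid out as hash-named files, which is the practical difference between pointing at a single CA file and pointing at a directory. File names mirror the thread; the subject names, the scratch directory and the directory names are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from pgpool-II: build a throwaway
# chain shaped like the one in the question
#   Certificate -> Intermediate CA 1 -> Intermediate CA 2 -> Root CA
# and verify the leaf the way a verify-full client does: trusting only the Root CA,
# with and without the intermediates available. File names mirror the thread;
# the CNs and the scratch directory are assumptions for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# mkcert NAME CN SIGNER IS_CA : writes NAME.key.pem and NAME.cert.pem.
# SIGNER="" yields a self-signed certificate (the root); IS_CA=1 adds CA extensions.
mkcert() {
    name=$1; cn=$2; signer=$3; is_ca=$4
    ext="$name.ext"
    if [ "$is_ca" = 1 ]; then
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$ext"
    else
        printf 'basicConstraints=critical,CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$cn" > "$ext"
    fi
    openssl req -new -newkey rsa:2048 -nodes -keyout "$name.key.pem" \
        -subj "/CN=$cn" -out "$name.csr" 2>/dev/null
    if [ -z "$signer" ]; then
        openssl x509 -req -in "$name.csr" -signkey "$name.key.pem" -days 1 \
            -extfile "$ext" -out "$name.cert.pem" 2>/dev/null
    else
        openssl x509 -req -in "$name.csr" -CA "$signer.cert.pem" -CAkey "$signer.key.pem" \
            -CAcreateserial -days 1 -extfile "$ext" -out "$name.cert.pem" 2>/dev/null
    fi
    rm -f "$ext" "$name.csr"
}

build_chain() {
    mkcert Root-CA           "Demo Root CA"           ""                1
    mkcert Intermediate-CA-2 "Demo Intermediate CA 2" Root-CA           1
    mkcert Intermediate-CA-1 "Demo Intermediate CA 1" Intermediate-CA-2 1
    mkcert host.example.com  "host.example.com"       Intermediate-CA-1 0
    # Server-side bundle in the order used in the question: leaf first, then up to the root.
    cat host.example.com.cert.pem Intermediate-CA-1.cert.pem \
        Intermediate-CA-2.cert.pem Root-CA.cert.pem > host.example.com.bundle.pem
    # Client-side workaround from the question: a CA file holding every CA in the chain.
    cat Intermediate-CA-1.cert.pem Intermediate-CA-2.cert.pem Root-CA.cert.pem > All-CAs.pem
}

# Number of certificates in a PEM file (what a server would have to send).
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# verify_leaf STORE [UNTRUSTED]: 0 if host.example.com.cert.pem chains to a CA in STORE,
# optionally using UNTRUSTED as a source of intermediates (what a TLS server supplies).
verify_leaf() {
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$2" host.example.com.cert.pem >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" host.example.com.cert.pem >/dev/null 2>&1
    fi
}

# hash_dir DIR: lay the CA certificates out as HASH.N files, which is what OpenSSL's
# directory lookup (-CApath) requires; a plain copy of the files is not enough.
hash_dir() {
    mkdir -p "$1"
    for f in Root-CA.cert.pem Intermediate-CA-2.cert.pem Intermediate-CA-1.cert.pem; do
        h=$(openssl x509 -hash -noout -in "$f"); i=0
        while [ -e "$1/$h.$i" ]; do i=$((i + 1)); done
        cp "$f" "$1/$h.$i"
    done
}
verify_leaf_dir() { openssl verify -CApath "$1" host.example.com.cert.pem >/dev/null 2>&1; }

show() { if "$@"; then echo "ok   : $*"; else echo "FAIL : $*"; fi; }

build_chain
echo "certificates in bundle: $(count_certs host.example.com.bundle.pem)"
show verify_leaf Root-CA.cert.pem                              # root only: fails
show verify_leaf Root-CA.cert.pem host.example.com.bundle.pem  # root + server bundle: ok
show verify_leaf All-CAs.pem                                   # every CA in the client file: ok
mkdir -p plain-dir && cp Root-CA.cert.pem Intermediate-CA-*.cert.pem plain-dir/
show verify_leaf_dir plain-dir                                 # unhashed directory: fails
hash_dir hashed-dir
show verify_leaf_dir hashed-dir                                # hashed directory: ok
```

The first verify_leaf call is the situation in the question: the client holds only the root, and the leaf cannot be chained to it unless the two intermediates arrive from somewhere. They can come from the server (the -untrusted bundle stands in for the certificates a TLS server sends after its own) or from the client's trust file (All-CAs.pem, the workaround Christian found). The last two calls show why a directory of CA files is not interchangeable with a single CA file: OpenSSL's -CApath lookup finds a certificate only by its hash-named entry, so whatever setting ends up passing a directory to that lookup needs the same layout (c_rehash or openssl rehash produce it on a real system).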

