[pgpool-general: 3306] Re: How to deal with intermediate CA certificates
l.dobrev at gmail.com
Wed Nov 26 00:12:46 JST 2014
Shouldn't you be using
ssl_ca_cert = '/etc/ssl/pgpoop2/ALL-CAs.pem'
Instead of the
ssl_ca_cert_dir = '...'
2014-11-25 12:46 GMT+02:00 Christian Affolter <c.affolter at stepping-stone.ch>:
> Dear pgpool users
> I'm running pgpool-II 3.4.0 with enabled SSL support (between the client
> and the pgpool daemon). The SSL certificate is signed by an official
> certificate authority.
> The path to the SSL root CA certs is set and SSL verification is activated:
> Whenever I try to connect to the pgpool-II server with the psql client,
> I get a "psql: SSL error: certificate verify failed" error.
> ca-certificates.crt contains the correct Root CA certificate.
> The chain of trust looks as follows:
> Certificate -> Intermediate CA 1 -> Intermediate CA 2 -> Root CA
> The SSL connection settings of pgpool.conf:
> ssl = on
> ssl_key = '/etc/ssl/pgpool2/host.example.com.key.pem'
> ssl_cert = '/etc/ssl/pgpool2/host.example.com.bundle.pem'
> #ssl_ca_cert = ''
> ssl_ca_cert_dir = '/etc/ssl/certs'
> "host.example.com.key.pem" contains the private key whereas
> "host.example.com.bundle.pem" contains the x509 certificate and all
> involved CA certificates. It was created in the following order:
> cat host.example.com.cert.pem > host.example.com.bundle.pem
> cat Intermediate-CA-1.cert.pem >> host.example.com.bundle.pem
> cat Intermediate-CA-2.cert.pem >> host.example.com.bundle.pem
> cat Root-CA.cert.pem >> host.example.com.bundle.pem
> The verification works correct, if I explicitly create a CA file with
> all CAs involved: PGSSLROOTCERT=/etc/ssl/pgpool2/All-CAs.pem psql ...
> Furthermore, I can use the same "host.example.com.bundle.pem" file
> within the PostgreSQL server, with only the Root CA known to the client
> (the original command).
> Does anyone know on how to correctly deal with intermediate CA
> certificates within pgpool-II, so that pgpool sends the intermediate
> certificates along with the server certificate?
> Many thanks in advance
> pgpool-general mailing list
> pgpool-general at pgpool.net
More information about the pgpool-general