[pgpool-general: 3307] Re: How to deal with intermediate CA certificates
c.affolter at stepping-stone.ch
Wed Nov 26 00:44:46 JST 2014
Thanks for your help. According to the documentation, "ssl_ca_cert"
and "ssl_ca_cert_dir" are used for backend server (PostgreSQL)
certificate verification. Nevertheless, I gave it a shot, without success.
On 25.11.2014 16:12, Lachezar Dobrev wrote:
> Shouldn't you be using
> ssl_ca_cert = '/etc/ssl/pgpoop2/ALL-CAs.pem'
> Instead of the
> ssl_ca_cert_dir = '...'
> 2014-11-25 12:46 GMT+02:00 Christian Affolter <c.affolter at stepping-stone.ch>:
>> Dear pgpool users
>> I'm running pgpool-II 3.4.0 with enabled SSL support (between the client
>> and the pgpool daemon). The SSL certificate is signed by an official
>> certificate authority.
>> The path to the SSL root CA certs is set and SSL verification is activated:
>> Whenever I try to connect to the pgpool-II server with the psql client,
>> I get a "psql: SSL error: certificate verify failed" error.
>> ca-certificates.crt contains the correct Root CA certificate.
>> The chain of trust looks as follows:
>> Certificate -> Intermediate CA 1 -> Intermediate CA 2 -> Root CA
>> The SSL connection settings of pgpool.conf:
>> ssl = on
>> ssl_key = '/etc/ssl/pgpool2/host.example.com.key.pem'
>> ssl_cert = '/etc/ssl/pgpool2/host.example.com.bundle.pem'
>> #ssl_ca_cert = ''
>> ssl_ca_cert_dir = '/etc/ssl/certs'
>> "host.example.com.key.pem" contains the private key whereas
>> "host.example.com.bundle.pem" contains the x509 certificate and all
>> involved CA certificates. It was created in the following order:
>> cat host.example.com.cert.pem > host.example.com.bundle.pem
>> cat Intermediate-CA-1.cert.pem >> host.example.com.bundle.pem
>> cat Intermediate-CA-2.cert.pem >> host.example.com.bundle.pem
>> cat Root-CA.cert.pem >> host.example.com.bundle.pem
>> The verification works correctly if I explicitly create a CA file with
>> all CAs involved: PGSSLROOTCERT=/etc/ssl/pgpool2/All-CAs.pem psql ...
>> Furthermore, I can use the same "host.example.com.bundle.pem" file
>> within the PostgreSQL server, with only the Root CA known to the client
>> (the original command).
>> Does anyone know how to correctly deal with intermediate CA
>> certificates within pgpool-II, so that pgpool sends the intermediate
>> certificates along with the server certificate?
>> Many thanks in advance
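Whatever pgpool ends up doing with the extra certificates in ssl_cert, a bundle like the one built above with cat only works as a chain if it is in leaf-first order, each certificate issued by the one after it. The check below is an added example (my code, not pgpool's or the poster's): it splits a PEM bundle and walks just enough DER to compare each certificate's issuer with the next certificate's subject. Since no real certificates are on the page, fake_cert_pem builds constructed, unsigned certificate-shaped samples for trying it out.

```python
import base64, re
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def names_from_der(cert):
    """Return (issuer, subject) as raw DER Name bytes of an X.509 cert."""
    _, pos, _ = der_tlv(cert, 0)            # Certificate SEQUENCE
    _, pos, _ = der_tlv(cert, pos)          # tbsCertificate SEQUENCE
    tag, _, end = der_tlv(cert, pos)
    if tag == 0xA0:                         # optional [0] EXPLICIT version
        pos = end
    _, _, pos = der_tlv(cert, pos)          # serialNumber
    _, _, pos = der_tlv(cert, pos)          # signature AlgorithmIdentifier
    _, s, pos = der_tlv(cert, pos)          # issuer Name
    issuer = cert[s:pos]
    _, _, pos = der_tlv(cert, pos)          # validity
    _, s, end = der_tlv(cert, pos)          # subject Name
    return issuer, cert[s:end]

def chain_problems(bundle_text):
    """Each cert's issuer must equal the subject of the next one (leaf ->
    intermediates -> root). Returns problems; empty list means OK."""
    certs = [names_from_der(base64.b64decode("".join(m.split())))
             for m in PEM_RE.findall(bundle_text)]
    return [f"cert {i} is not issued by cert {i + 1}"
            for i in range(len(certs) - 1) if certs[i][0] != certs[i + 1][1]]

def _tlv(tag, value):                       # tiny DER encoder, samples only
    length = bytes([len(value)]) if len(value) < 128 else b"\x82" + len(value).to_bytes(2, "big")
    return bytes([tag]) + length + value

def fake_cert_pem(subject, issuer):
    """CONSTRUCTED sample: certificate-shaped DER with only the fields the
    walker reads (a CN-only Name each); not a real, signed certificate."""
    name = lambda cn: _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03")
                                                  + _tlv(0x0C, cn.encode()))))
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")   # version, serial
           + _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
           + name(issuer) + _tlv(0x30, b"") + name(subject))
    b64 = base64.b64encode(_tlv(0x30, _tlv(0x30, tbs))).decode()
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(b64[i:i + 64]
            for i in range(0, len(b64), 64)) + "\n-----END CERTIFICATE-----\n")
```

On a real file: `chain_problems(open("host.example.com.bundle.pem").read())` should return an empty list for the bundle built by the cat commands above.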