[pgpool-general: 3307] Re: How to deal with intermediate CA certificates

Christian Affolter c.affolter at stepping-stone.ch
Wed Nov 26 00:44:46 JST 2014


Hi

Thanks for your help. According to the documentation [1], "ssl_ca_cert"
and "ssl_ca_cert_dir" are used for backend server (PostgreSQL)
certificate verification. Nevertheless, I gave it a shot, without success.

Regards
Christian


[1] http://www.pgpool.net/docs/latest/pgpool-en.html#SSL_CA_CERT

On 25.11.2014 16:12, Lachezar Dobrev wrote:
>   Shouldn't you be using
>    ssl_ca_cert = '/etc/ssl/pgpool2/ALL-CAs.pem'
> 
>   Instead of the
>    ssl_ca_cert_dir = '...'
> 
> 
> 2014-11-25 12:46 GMT+02:00 Christian Affolter <c.affolter at stepping-stone.ch>:
>> Dear pgpool users
>>
>> I'm running pgpool-II 3.4.0 with enabled SSL support (between the client
>> and the pgpool daemon). The SSL certificate is signed by an official
>> certificate authority.
>>
>> The path to the SSL root CA certs is set and SSL verification is activated:
>> PGSSLROOTCERT="/etc/ssl/certs/ca-certificates.crt"
>> PGSSLMODE="verify-full"
>>
>> Whenever I try to connect to the pgpool-II server with the psql client,
>> I get a "psql: SSL error: certificate verify failed" error.
>>
>> ca-certificates.crt contains the correct Root CA certificate.
>>
>>
>> The chain of trust looks as follows:
>> Certificate -> Intermediate CA 1 -> Intermediate CA 2 -> Root CA
>>
>>
>> The SSL connection settings of pgpool.conf:
>>
>> ssl = on
>> ssl_key  = '/etc/ssl/pgpool2/host.example.com.key.pem'
>> ssl_cert = '/etc/ssl/pgpool2/host.example.com.bundle.pem'
>> #ssl_ca_cert = ''
>> ssl_ca_cert_dir = '/etc/ssl/certs'
>>
>>
>> "host.example.com.key.pem" contains the private key whereas
>> "host.example.com.bundle.pem" contains the x509 certificate and all
>> involved CA certificates. It was created in the following order:
>>
>> cat host.example.com.cert.pem   >  host.example.com.bundle.pem
>> cat Intermediate-CA-1.cert.pem  >> host.example.com.bundle.pem
>> cat Intermediate-CA-2.cert.pem  >> host.example.com.bundle.pem
>> cat Root-CA.cert.pem            >> host.example.com.bundle.pem
>>
>>
>> The verification works correctly if I explicitly create a CA file with
>> all CAs involved: PGSSLROOTCERT=/etc/ssl/pgpool2/All-CAs.pem psql ...
>>
>> Furthermore, I can use the same "host.example.com.bundle.pem" file
>> within the PostgreSQL server, with only the Root CA known to the client
>> (the original command).
>>
>>
>> Does anyone know how to correctly deal with intermediate CA
>> certificates within pgpool-II, so that pgpool sends the intermediate
>> certificates along with the server certificate?
>>
>>
>> Many thanks in advance
>> Christian
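The failure in the question is the client-side verification rule, independent of pgpool: a client that trusts only the root can build the path Certificate -> Intermediate CA 1 -> Intermediate CA 2 -> Root CA only if the two intermediates arrive with the server certificate (or are already in its trust store, which is what the All-CAs.pem workaround does). The script below is an added example, not code from the thread or from pgpool-II. It builds a throwaway PKI with the same shape, concatenates the bundle in the same order as the question, and then runs `openssl verify` against a root-only trust store both with and without the intermediates. Subjects, file names and the temporary directory are constructed for the example; the bundle omits the root certificate, since a client that is going to verify the chain already has the root and does not need it sent.

```shell
#!/bin/sh
# Added example (not from the thread or from pgpool-II): throwaway PKI shaped
#   leaf -> Intermediate CA 1 -> Intermediate CA 2 -> Root CA
# to show that a root-only trust store verifies the leaf only when the
# intermediates are supplied alongside it. All names are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config so 'openssl req' does not depend on the system openssl.cnf.
cat > min.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
EOF
# CA certificates need basicConstraints CA:TRUE or OpenSSL rejects them as issuers.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:host.example.com\n' > leaf.ext

# issue NAME SUBJECT ISSUER EXTFILE; an empty ISSUER means self-signed.
issue() {
  name=$1
  subject=$2
  issuer=$3
  ext=$4
  openssl genrsa -out "$name.key" 2048 2>/dev/null
  openssl req -new -key "$name.key" -subj "$subject" -config min.cnf -out "$name.csr"
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 2 \
      -extfile "$ext" -out "$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
      -CAcreateserial -days 2 -extfile "$ext" -out "$name.pem" 2>/dev/null
  fi
}

issue root '/CN=Example Root CA' '' ca.ext
issue ica2 '/CN=Example Intermediate CA 2' root ca.ext
issue ica1 '/CN=Example Intermediate CA 1' ica2 ca.ext
issue leaf '/CN=host.example.com' ica1 leaf.ext

# Bundle in the order the question uses: server certificate first, then the
# chain towards the root. The root itself is left out; the client has it.
cat leaf.pem ica1.pem ica2.pem > host.example.com.bundle.pem

# Root-only trust store, leaf on its own: what the psql client sees when the
# server sends only its own certificate. Returns non-zero on failure.
verify_leaf_alone() {
  openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1
}

# Root-only trust store plus the bundle as untrusted helper certificates:
# what the client sees when the server sends the intermediates as well.
verify_leaf_with_chain() {
  openssl verify -CAfile root.pem -untrusted host.example.com.bundle.pem \
    leaf.pem >/dev/null 2>&1
}

# Number of certificates in a PEM bundle, to check what was concatenated.
bundle_cert_count() {
  grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# Reproduce the failure from the question, then the success with the chain.
if verify_leaf_alone; then
  echo "unexpected: leaf verified without the intermediates"
else
  echo "leaf alone: certificate verify failed (as in the question)"
fi
if verify_leaf_with_chain; then
  echo "leaf + intermediates: OK ($(bundle_cert_count host.example.com.bundle.pem) certificates in bundle)"
fi
```

Against the live daemon the equivalent check is to look at what the server actually sends, which is what the `-untrusted` file stands in for above: `openssl s_client -starttls postgres -connect host.example.com:9999 -showcerts` (OpenSSL 1.1.0 or later for the postgres STARTTLS handshake, 9999 being pgpool's default port) prints every certificate in the server's handshake; if only one certificate appears, the intermediates are not being sent and a root-only client will fail exactly as reported.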