[pgpool-general: 3551] Re: How to deal with intermediate CA certificates

Muhammad Usama m.usama at gmail.com
Wed Mar 18 23:09:14 JST 2015


Hi Christian.

Thanks for pointing out the issue. Handling of the certificate chain was
missing from pgpool-II, so it was not honoring the intermediate
certificates. I have pushed the fix to all branches from pgpool-II V3.0
onward.

http://git.postgresql.org/gitweb/?p=pgpool2.git;a=commit;h=85e7862ddc6ee16ed98d29a6ac560c03bcd94fb4

Thanks
Kind regards!
Muhammad Usama


On Tue, Nov 25, 2014 at 8:44 PM, Christian Affolter <
c.affolter at stepping-stone.ch> wrote:

> Hi
>
> thanks for your help. According to the documentation [1] "ssl_ca_cert"
> and "ssl_ca_cert_dir" are used for backend server (PostgreSQL)
> certificate verification. Nevertheless, I gave it a shot without success.
>
> Regards
> Christian
>
>
> [1] http://www.pgpool.net/docs/latest/pgpool-en.html#SSL_CA_CERT
>
> On 25.11.2014 16:12, Lachezar Dobrev wrote:
> >   Shouldn't you be using
> >    ssl_ca_cert = '/etc/ssl/pgpoop2/ALL-CAs.pem'
> >
> >   Instead of the
> >    ssl_ca_cert_dir = '...'
> >
> >
> > 2014-11-25 12:46 GMT+02:00 Christian Affolter <
> c.affolter at stepping-stone.ch>:
> >> Dear pgpool users
> >>
> >> I'm running pgpool-II 3.4.0 with enabled SSL support (between the client
> >> and the pgpool daemon). The SSL certificate is signed by an official
> >> certificate authority.
> >>
> >> The path to the SSL root CA certs is set and SSL verification is
> activated:
> >> PGSSLROOTCERT="/etc/ssl/certs/ca-certificates.crt"
> >> PGSSLMODE="verify-full"
> >>
> >> Whenever I try to connect to the pgpool-II server with the psql client,
> >> I get a "psql: SSL error: certificate verify failed" error.
> >>
> >> ca-certificates.crt contains the correct Root CA certificate.
> >>
> >>
> >> The chain of trust looks as follows:
> >> Certificate -> Intermediate CA 1 -> Intermediate CA 2 -> Root CA
> >>
> >>
> >> The SSL connection settings of pgpool.conf:
> >>
> >> ssl = on
> >> ssl_key  = '/etc/ssl/pgpool2/host.example.com.key.pem'
> >> ssl_cert = '/etc/ssl/pgpool2/host.example.com.bundle.pem'
> >> #ssl_ca_cert = ''
> >> ssl_ca_cert_dir = '/etc/ssl/certs'
> >>
> >>
> >> "host.example.com.key.pem" contains the private key whereas
> >> "host.example.com.bundle.pem" contains the x509 certificate and all
> >> involved CA certificates. It was created in the following order:
> >>
> >> cat host.example.com.cert.pem   >  host.example.com.bundle.pem
> >> cat Intermediate-CA-1.cert.pem  >> host.example.com.bundle.pem
> >> cat Intermediate-CA-2.cert.pem  >> host.example.com.bundle.pem
> >> cat Root-CA.cert.pem            >> host.example.com.bundle.pem
> >>
> >>
> >> The verification works correct, if I explicitly create a CA file with
> >> all CAs involved: PGSSLROOTCERT=/etc/ssl/pgpool2/All-CAs.pem psql ...
> >>
> >> Furthermore, I can use the same "host.example.com.bundle.pem" file
> >> within the PostgreSQL server, with only the Root CA known to the client
> >> (the original command).
> >>
> >>
> >> Does anyone know on how to correctly deal with intermediate CA
> >> certificates within pgpool-II, so that pgpool sends the intermediate
> >> certificates along with the server certificate?
> >>
> >>
> >> Many thanks in advance
> >> Christian
>
> _______________________________________________
> pgpool-general mailing list
> pgpool-general at pgpool.net
> http://www.pgpool.net/mailman/listinfo/pgpool-general
>