[pgpool-general: 3735] Re: How to deal with intermediate CA certificates

Christian Affolter c.affolter at stepping-stone.ch
Wed May 20 21:19:58 JST 2015


Hi Muhammad,

I finally found the time to update to the latest 3.4.2 pgpool version
and test your fix. Everything works as expected, pgpool now correctly
handles certificate chains.


Thanks a lot and regards
Christian

On 18.03.2015 15:09, Muhammad Usama wrote:
> Hi Christian,
> 
> Thanks for pointing out the issue. Handling of the certificate chain was
> missing from pgpool-II, so it was not honoring the intermediate
> certificates. I have pushed the fix to all branches from pgpool-II V3.0
> onward.
> 
> http://git.postgresql.org/gitweb/?p=pgpool2.git;a=commit;h=85e7862ddc6ee16ed98d29a6ac560c03bcd94fb4
> 
> Thanks
> Kind regards!
> Muhammad Usama
> 
> 
> On Tue, Nov 25, 2014 at 8:44 PM, Christian Affolter
> <c.affolter at stepping-stone.ch> wrote:
> 
>     Hi
> 
>     thanks for your help. According to the documentation [1] "ssl_ca_cert"
>     and "ssl_ca_cert_dir" are used for backend server (PostgreSQL)
>     certificate verification. Nevertheless, I gave it a shot without
>     success.
> 
>     Regards
>     Christian
> 
> 
>     [1] http://www.pgpool.net/docs/latest/pgpool-en.html#SSL_CA_CERT
> 
>     On 25.11.2014 16:12, Lachezar Dobrev wrote:
>     >   Shouldn't you be using
>     >    ssl_ca_cert = '/etc/ssl/pgpool2/ALL-CAs.pem'
>     >
>     >   Instead of the
>     >    ssl_ca_cert_dir = '...'
>     >
>     >
>     > 2014-11-25 12:46 GMT+02:00 Christian Affolter
>     <c.affolter at stepping-stone.ch>:
>     >> Dear pgpool users
>     >>
>     >> I'm running pgpool-II 3.4.0 with enabled SSL support (between the client
>     >> and the pgpool daemon). The SSL certificate is signed by an official
>     >> certificate authority.
>     >>
>     >> The path to the SSL root CA certs is set and SSL verification is activated:
>     >> PGSSLROOTCERT="/etc/ssl/certs/ca-certificates.crt"
>     >> PGSSLMODE="verify-full"
>     >>
>     >> Whenever I try to connect to the pgpool-II server with the psql client,
>     >> I get a "psql: SSL error: certificate verify failed" error.
>     >>
>     >> ca-certificates.crt contains the correct Root CA certificate.
>     >>
>     >>
>     >> The chain of trust looks as follows:
>     >> Certificate -> Intermediate CA 1 -> Intermediate CA 2 -> Root CA
>     >>
>     >>
>     >> The SSL connection settings of pgpool.conf:
>     >>
>     >> ssl = on
>     >> ssl_key  = '/etc/ssl/pgpool2/host.example.com.key.pem'
>     >> ssl_cert = '/etc/ssl/pgpool2/host.example.com.bundle.pem'
>     >> #ssl_ca_cert = ''
>     >> ssl_ca_cert_dir = '/etc/ssl/certs'
>     >>
>     >>
>     >> "host.example.com.key.pem" contains the private key whereas
>     >> "host.example.com.bundle.pem" contains the x509 certificate and all
>     >> involved CA certificates. It was created in the following order:
>     >>
>     >> cat host.example.com.cert.pem   >  host.example.com.bundle.pem
>     >> cat Intermediate-CA-1.cert.pem  >> host.example.com.bundle.pem
>     >> cat Intermediate-CA-2.cert.pem  >> host.example.com.bundle.pem
>     >> cat Root-CA.cert.pem            >> host.example.com.bundle.pem
>     >>
>     >>
>     >> The verification works correctly, if I explicitly create a CA file with
>     >> all CAs involved: PGSSLROOTCERT=/etc/ssl/pgpool2/All-CAs.pem psql ...
>     >>
>     >> Furthermore, I can use the same "host.example.com.bundle.pem" file
>     >> within the PostgreSQL server, with only the Root CA known to the client
>     >> (the original command).
>     >>
>     >>
>     >> Does anyone know how to correctly deal with intermediate CA
>     >> certificates within pgpool-II, so that pgpool sends the intermediate
>     >> certificates along with the server certificate?
>     >>
>     >>
>     >> Many thanks in advance
>     >> Christian
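The failure Christian describes, reproduced offline with a throwaway PKI. This is an added example, not code from the thread or from pgpool-II: it builds a chain with the same shape (leaf -> Intermediate CA 1 -> Intermediate CA 2 -> Root CA), assembles the bundle the way the original post does, and then uses `openssl verify` to show the two client views: a client that trusts only the Root CA (as with PGSSLROOTCERT pointing at the distribution's ca-certificates.crt) fails when the server presents only its own certificate, and succeeds once the intermediates are presented alongside it. `-untrusted` stands in for "certificates received on the wire": they can be used to build the chain but are not trusted by themselves. All subjects, file names and the `openssl` CLI being available are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread or from pgpool-II). Generates a test PKI
#   leaf (host.example.com) -> Intermediate CA 1 -> Intermediate CA 2 -> Root CA
# and checks how a root-only client verifies the server cert with and without
# the intermediates. Subjects, paths and file names are made up.
set -eu

# issue CN ISSUER_CERT ISSUER_KEY PROFILE BASENAME
# Creates BASENAME.key / BASENAME.csr and signs BASENAME.cert.pem with the
# issuer, applying section PROFILE from PROFILE.ext. Run inside the PKI dir.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$5.key" -out "$5.csr" 2>/dev/null
    openssl x509 -req -in "$5.csr" -CA "$2" -CAkey "$3" -CAcreateserial -days 30 \
        -extfile "$4.ext" -extensions "$4" -out "$5.cert.pem" 2>/dev/null
}

# make_pki DIR: generate the whole chain plus the server bundle into DIR.
make_pki() {
    dir="$1"
    mkdir -p "$dir"
    (
        cd "$dir"
        # CA certs need CA:TRUE and keyCertSign, otherwise OpenSSL refuses to
        # use them as issuers when building the chain.
        printf '[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
        printf '[leaf]\nbasicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:host.example.com\n' > leaf.ext

        # Root CA: self-signed.
        openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Root CA' \
            -keyout root.key -out root.csr 2>/dev/null
        openssl x509 -req -in root.csr -signkey root.key -days 30 \
            -extfile ca.ext -extensions ca -out Root-CA.cert.pem 2>/dev/null

        # Intermediate CA 2 is signed by the root, Intermediate CA 1 by CA 2,
        # and the server certificate by Intermediate CA 1 (as in the thread).
        issue 'Example Intermediate CA 2' Root-CA.cert.pem root.key ca Intermediate-CA-2
        issue 'Example Intermediate CA 1' Intermediate-CA-2.cert.pem Intermediate-CA-2.key ca Intermediate-CA-1
        issue 'host.example.com' Intermediate-CA-1.cert.pem Intermediate-CA-1.key leaf host.example.com

        # The bundle as built in the original post: leaf first, then issuers
        # in order. Appending the Root CA is harmless but unnecessary: a client
        # never trusts a root sent by the server, it must already have it.
        cat host.example.com.cert.pem Intermediate-CA-1.cert.pem \
            Intermediate-CA-2.cert.pem Root-CA.cert.pem > host.example.com.bundle.pem
        # Only the intermediates: what the server has to send besides its cert.
        cat Intermediate-CA-1.cert.pem Intermediate-CA-2.cert.pem > intermediates.pem
    )
}

# Client that trusts only the Root CA, server sends only its own certificate
# (pgpool-II before the fix). There is no path from leaf to root: fails.
verify_leaf_only() {
    openssl verify -CAfile "$1/Root-CA.cert.pem" \
        "$1/host.example.com.cert.pem" >/dev/null 2>&1
}

# Same client, server also sends the intermediates (pgpool-II after the fix,
# or PostgreSQL with the same bundle). -verify_hostname mirrors the hostname
# check that PGSSLMODE=verify-full adds on top of chain validation.
verify_with_chain() {
    openssl verify -CAfile "$1/Root-CA.cert.pem" -untrusted "$1/intermediates.pem" \
        -verify_hostname host.example.com "$1/host.example.com.cert.pem" >/dev/null 2>&1
}

# count_certs FILE: number of PEM certificates in a bundle (sanity check for ssl_cert).
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

demo() {
    dir=$(mktemp -d)
    make_pki "$dir"
    echo "certificates in bundle: $(count_certs "$dir/host.example.com.bundle.pem")"
    if verify_leaf_only "$dir"; then
        echo "leaf only: OK (unexpected)"
    else
        echo "leaf only: verify failed (intermediates missing)"
    fi
    if verify_with_chain "$dir"; then
        echo "leaf + intermediates: OK"
    else
        echo "leaf + intermediates: verify failed"
    fi
    rm -rf "$dir"
}

demo
```

The first verify is exactly what psql saw in the original post: the root is trusted but nothing links the server certificate to it, so the only workaround was to put the intermediates into the client's PGSSLROOTCERT file, which defeats the point of trusting a single public root. Against a live pgpool, the same check is `openssl s_client -starttls postgres -showcerts -connect host:port` (OpenSSL 1.1.1 or later): the output should list the server certificate followed by each intermediate. Note that PGSSLMODE=verify-ca only validates the chain; verify-full additionally matches the host name against the certificate, which is why the example passes `-verify_hostname`.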


