[pgpool-general: 3737] Re: How to deal with intermediate CA certificates
Muhammad Usama
m.usama at gmail.com
Wed May 20 22:30:10 JST 2015
Hi Christian
Glad to hear the problem is solved.
Thanks and regards
Muhammad Usama
Sent from my iPhone
> On 20-May-2015, at 3:19 pm, Christian Affolter <c.affolter at stepping-stone.ch> wrote:
>
> Hi Muhammad,
>
> I finally found the time to update to the latest 3.4.2 pgpool version
> and test your fix. Everything works as expected, pgpool now correctly
> handles certificate chains.
>
>
> Thanks a lot and regards
> Christian
>
>> On 18.03.2015 15:09, Muhammad Usama wrote:
>> HI Christian.
>>
>> Thanks for pointing out the issue. Handling of certification chain was
>> missing from pgpool-II, so it was not honoring the intermediate
>> certificates. I have pushed the fix in all branches from pgpool-II V3.0
>> onward.
>>
>> http://git.postgresql.org/gitweb/?p=pgpool2.git;a=commit;h=85e7862ddc6ee16ed98d29a6ac560c03bcd94fb4
>> <http://git.postgresql.org/gitweb/?p=pgpool2.git;a=commit;h=85e7862ddc6ee16ed98d29a6ac560c03bcd94fb4>
>>
>> Thanks
>> Kind regards!
>> Muhammad Usama
>>
>>
>> On Tue, Nov 25, 2014 at 8:44 PM, Christian Affolter
>> <c.affolter at stepping-stone.ch <mailto:c.affolter at stepping-stone.ch>> wrote:
>>
>> Hi
>>
>> thanks for your help. According to the documentation [1] "ssl_ca_cert"
>> and "ssl_ca_cert_dir" are used for backend server (PostgreSQL)
>> certificate verification. Nevertheless, I gave it a shot without
>> success.
>>
>> Regards
>> Christian
>>
>>
>> [1] http://www.pgpool.net/docs/latest/pgpool-en.html#SSL_CA_CERT
>>
>>> On 25.11.2014 16:12, Lachezar Dobrev wrote:
>>> Shouldn't you be using
>>> ssl_ca_cert = '/etc/ssl/pgpoop2/ALL-CAs.pem'
>>>
>>> Instead of the
>>> ssl_ca_cert_dir = '...'
>>>
>>>
>>> 2014-11-25 12:46 GMT+02:00 Christian Affolter
>> <c.affolter at stepping-stone.ch <mailto:c.affolter at stepping-stone.ch>>:
>>>> Dear pgpool users
>>>>
>>>> I'm running pgpool-II 3.4.0 with enabled SSL support (between the
>> client
>>>> and the pgpool daemon). The SSL certificate is signed by an official
>>>> certificate authority.
>>>>
>>>> The path to the SSL root CA certs is set and SSL verification is
>> activated:
>>>> PGSSLROOTCERT="/etc/ssl/certs/ca-certificates.crt"
>>>> PGSSLMODE="verify-full"
>>>>
>>>> Whenever I try to connect to the pgpool-II server with the psql
>> client,
>>>> I get a "psql: SSL error: certificate verify failed" error.
>>>>
>>>> ca-certificates.crt contains the correct Root CA certificate.
>>>>
>>>>
>>>> The chain of trust looks as follows:
>>>> Certificate -> Intermediate CA 1 -> Intermediate CA 2 -> Root CA
>>>>
>>>>
>>>> The SSL connection settings of pgpool.conf:
>>>>
>>>> ssl = on
>>>> ssl_key = '/etc/ssl/pgpool2/host.example.com.key.pem'
>>>> ssl_cert = '/etc/ssl/pgpool2/host.example.com.bundle.pem'
>>>> #ssl_ca_cert = ''
>>>> ssl_ca_cert_dir = '/etc/ssl/certs'
>>>>
>>>>
>>>> "host.example.com.key.pem" contains the private key whereas
>>>> "host.example.com.bundle.pem" contains the x509 certificate and all
>>>> involved CA certificates. It was created in the following order:
>>>>
>>>> cat host.example.com.cert.pem > host.example.com.bundle.pem
>>>> cat Intermediate-CA-1.cert.pem >> host.example.com.bundle.pem
>>>> cat Intermediate-CA-2.cert.pem >> host.example.com.bundle.pem
>>>> cat Root-CA.cert.pem >> host.example.com.bundle.pem
>>>>
>>>>
>>>> The verification works correct, if I explicitly create a CA file with
>>>> all CAs involved: PGSSLROOTCERT=/etc/ssl/pgpool2/All-CAs.pem psql ...
>>>>
>>>> Furthermore, I can use the same "host.example.com.bundle.pem" file
>>>> within the PostgreSQL server, with only the Root CA known to the
>> client
>>>> (the original command).
>>>>
>>>>
>>>> Does anyone know on how to correctly deal with intermediate CA
>>>> certificates within pgpool-II, so that pgpool sends the intermediate
>>>> certificates along with the server certificate?
>>>>
>>>>
>>>> Many thanks in advance
>>>> Christian
>
More information about the pgpool-general
mailing list