[pgpool-general: 3737] Re: How to deal with intermediate CA certificates

Muhammad Usama m.usama at gmail.com
Wed May 20 22:30:10 JST 2015


Hi Christian

Glad to hear the problem is solved.

Thanks and regards
Muhammad Usama
Sent from my iPhone

> On 20-May-2015, at 3:19 pm, Christian Affolter <c.affolter at stepping-stone.ch> wrote:
> 
> Hi Muhammad,
> 
> I finally found the time to update to the latest 3.4.2 pgpool version
> and test your fix. Everything works as expected, pgpool now correctly
> handles certificate chains.
> 
> 
> Thanks a lot and regards
> Christian
> 
>> On 18.03.2015 15:09, Muhammad Usama wrote:
>> Hi Christian,
>> 
>> Thanks for pointing out the issue. Handling of certification chain was
>> missing from pgpool-II, so it was not honoring the intermediate
>> certificates. I have pushed the fix in all branches from pgpool-II V3.0
>> onward.
>> 
>> http://git.postgresql.org/gitweb/?p=pgpool2.git;a=commit;h=85e7862ddc6ee16ed98d29a6ac560c03bcd94fb4
>> 
>> Thanks
>> Kind regards!
>> Muhammad Usama
>> 
>> 
>> On Tue, Nov 25, 2014 at 8:44 PM, Christian Affolter
>> <c.affolter at stepping-stone.ch> wrote:
>> 
>>    Hi
>> 
>>    thanks for your help. According to the documentation [1] "ssl_ca_cert"
>>    and "ssl_ca_cert_dir" are used for backend server (PostgreSQL)
>>    certificate verification. Nevertheless, I gave it a shot without
>>    success.
>> 
>>    Regards
>>    Christian
>> 
>> 
>>    [1] http://www.pgpool.net/docs/latest/pgpool-en.html#SSL_CA_CERT
>> 
>>>    On 25.11.2014 16:12, Lachezar Dobrev wrote:
>>>  Shouldn't you be using
>>>   ssl_ca_cert = '/etc/ssl/pgpoop2/ALL-CAs.pem'
>>> 
>>>  Instead of the
>>>   ssl_ca_cert_dir = '...'
>>> 
>>> 
>>> 2014-11-25 12:46 GMT+02:00 Christian Affolter
>>> <c.affolter at stepping-stone.ch>:
>>>> Dear pgpool users
>>>> 
>>>> I'm running pgpool-II 3.4.0 with enabled SSL support (between the
>>>> client
>>>> and the pgpool daemon). The SSL certificate is signed by an official
>>>> certificate authority.
>>>> 
>>>> The path to the SSL root CA certs is set and SSL verification is
>>>> activated:
>>>> PGSSLROOTCERT="/etc/ssl/certs/ca-certificates.crt"
>>>> PGSSLMODE="verify-full"
>>>> 
>>>> Whenever I try to connect to the pgpool-II server with the psql
>>>> client,
>>>> I get a "psql: SSL error: certificate verify failed" error.
>>>> 
>>>> ca-certificates.crt contains the correct Root CA certificate.
>>>> 
>>>> 
>>>> The chain of trust looks as follows:
>>>> Certificate -> Intermediate CA 1 -> Intermediate CA 2 -> Root CA
>>>> 
>>>> 
>>>> The SSL connection settings of pgpool.conf:
>>>> 
>>>> ssl = on
>>>> ssl_key  = '/etc/ssl/pgpool2/host.example.com.key.pem'
>>>> ssl_cert = '/etc/ssl/pgpool2/host.example.com.bundle.pem'
>>>> #ssl_ca_cert = ''
>>>> ssl_ca_cert_dir = '/etc/ssl/certs'
>>>> 
>>>> 
>>>> "host.example.com.key.pem" contains the private key whereas
>>>> "host.example.com.bundle.pem" contains the x509 certificate and all
>>>> involved CA certificates. It was created in the following order:
>>>> 
>>>> cat host.example.com.cert.pem   >  host.example.com.bundle.pem
>>>> cat Intermediate-CA-1.cert.pem  >> host.example.com.bundle.pem
>>>> cat Intermediate-CA-2.cert.pem  >> host.example.com.bundle.pem
>>>> cat Root-CA.cert.pem            >> host.example.com.bundle.pem
>>>> 
>>>> 
>>>> The verification works correctly if I explicitly create a CA file with
>>>> all CAs involved: PGSSLROOTCERT=/etc/ssl/pgpool2/All-CAs.pem psql ...
>>>> 
>>>> Furthermore, I can use the same "host.example.com.bundle.pem" file
>>>> within the PostgreSQL server, with only the Root CA known to the
>>>> client
>>>> (the original command).
>>>> 
>>>> 
>>>> Does anyone know how to correctly deal with intermediate CA
>>>> certificates within pgpool-II, so that pgpool sends the intermediate
>>>> certificates along with the server certificate?
>>>> 
>>>> 
>>>> Many thanks in advance
>>>> Christian
> 
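The check a client with only the Root CA performs, as an added example that is not from the thread or from pgpool itself: the script below builds a constructed throw-away PKI with the same shape as Christian's chain (leaf -> Intermediate CA 1 -> Intermediate CA 2 -> Root CA), assembles the bundle in the same order as his cat commands, and then asks openssl verify whether the leaf validates from the bundle's own intermediates alone. File and CN names are constructed; it assumes openssl 1.1.1 or later is on the PATH.

```shell
#!/bin/sh
# Constructed test PKI (added example, not from the thread); every key and
# certificate is generated fresh in a temporary directory.
set -e
WORK=$(mktemp -d) && cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
printf 'basicConstraints=CA:FALSE\n'         > leaf.ext

# issue NAME ISSUER EXTFILE: key + CSR for NAME, signed by ISSUER's key.
# ISSUER "self" produces a self-signed root; EXTFILE marks CA vs. leaf.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
          -out "$1.csr" -subj "/CN=$1" >/dev/null 2>&1
  if [ "$2" = self ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 1 \
            -extfile "$3" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
            -CAcreateserial -days 1 -extfile "$3" -out "$1.pem" 2>/dev/null
  fi
}
issue Root-CA           self              ca.ext
issue Intermediate-CA-2 Root-CA           ca.ext
issue Intermediate-CA-1 Intermediate-CA-2 ca.ext
issue host.example.com  Intermediate-CA-1 leaf.ext

# Same order as the thread: server certificate first, then up to the root.
cat host.example.com.pem Intermediate-CA-1.pem Intermediate-CA-2.pem \
    Root-CA.pem > host.example.com.bundle.pem

# check_bundle BUNDLE ROOT: split BUNDLE into one file per certificate and
# verify the first one against ROOT, treating the remaining ones only as
# untrusted intermediates. This mirrors what a verify-full client can do with
# nothing but the Root CA in PGSSLROOTCERT and whatever the server sends.
check_bundle() {
  rm -f part*.pem
  awk '/-----BEGIN CERTIFICATE-----/{n++} {print > ("part" n ".pem")}' "$1"
  cat part[2-9].pem > untrusted.pem
  openssl verify -CAfile "$2" -untrusted untrusted.pem part1.pem
}

check_bundle host.example.com.bundle.pem Root-CA.pem   # prints "part1.pem: OK"
```

A bundle that carries the leaf and the root but no intermediates makes check_bundle fail with "unable to get local issuer certificate", which is the server-side view of the psql "certificate verify failed" error from the thread.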

