Re: SSL root.crt not loading - Mailing list pgsql-novice
From | Marc-André Laverdière |
---|---|
Subject | Re: SSL root.crt not loading |
Date | |
Msg-id | 4DB578DF.5060707@atc.tcs.com |
In response to | SSL root.crt not loading (Marc-André Laverdière <marc-andre@atc.tcs.com>) |
Responses | Re: SSL root.crt not loading; Re: SSL root.crt not loading |
List | pgsql-novice |
Anyone???

Marc-André Laverdière
Software Security Scientist
Innovation Labs, Tata Consultancy Services
Hyderabad, India

On Monday 28 March 2011 10:23 AM, Marc-André Laverdière wrote:
> Hello everyone,
>
> I'm a postgres n00b and I'm trying to configure my installation to work
> with certificate authentication.
>
> It is not working for me, and it seems that the sysadmin community
> doesn't have any hints for me either :(
>
> I am reposting my question on ServerFault in hopes that a psql guru will
> read it (see
> http://serverfault.com/questions/248522/postgresql-ssl-root-crt-not-loading)
>
> I am running PostgreSQL 9 on Ubuntu (from their PPA repository). I am
> using OpenSSL 0.9.8o.
>
> I have generated keys and certificates using TinyCA2 for both a pg
> server and the psql client. I essentially followed the instructions.
>
> My pg_hba.conf file is configured with this:
> hostssl all abc ::1/128 cert clientcert=1
>
> I have put the root certificate generated by TinyCA along with the
> server's certificate and key in the DATA directory as follows.
>
> sudo unzip database_server.zip
> sudo mv cacert.pem root.crt
> sudo mv cert.pem server.crt
> sudo openssl rsa -in key.pem -out server.key
> sudo chmod 0600 server.key
> sudo chmod ga=r root.crt
> sudo chown postgres:postgres root.crt server.key server.crt
>
> Yet I am unable to start the server. This is what I get on startup:
>
> $ sudo /etc/init.d/postgresql start 9.0
> * Starting PostgreSQL 9.0 database server
> * The PostgreSQL server failed to start. Please check the log output:
> 2011-03-17 16:39:13 IST LOG: client certificates can only be checked
> if a root certificate store is available
> 2011-03-17 16:39:13 IST HINT: Make sure the root.crt file is present
> and readable.
> 2011-03-17 16:39:13 IST CONTEXT: line 93 of configuration file
> "/etc/postgresql/9.0/main/pg_hba.conf"
> 2011-03-17 16:39:13 IST FATAL: could not load pg_hba.conf
>
> Interestingly, the root.crt file is very much present and readable:
>
> $ ll
> <snip>
> -rw-r--r-- 1 postgres postgres 143 2010-12-01 17:06 pg_ctl.conf
> -rw-r----- 1 postgres postgres 4.3K 2011-03-17 16:35 pg_hba.conf
> -rw-r----- 1 postgres postgres 1.7K 2011-03-17 15:58 pg_ident.conf
> -rw-r--r-- 1 postgres postgres 18K 2011-02-07 18:38 postgresql.conf
> -rw-r--r-- 1 postgres postgres 2.8K 2011-03-17 16:39 root.crt
> -rw------- 1 postgres postgres 2.2K 2011-03-17 14:37 server.crt
> -rw------- 1 postgres postgres 891 2011-03-17 16:18 server.key
> -rw------- 1 postgres postgres 963 2011-03-17 14:37 server.key.encrypted
>
> What is going on? What do I have to do for this certificate to load???
>
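An added check, not part of the original message or of PostgreSQL itself: PostgreSQL 9.0 loads root.crt, server.crt and server.key from the server's data directory, so the functions below read `data_directory` from a postgresql.conf and test the three files in that directory. The function names are hypothetical, and the result is only meaningful when run as the postgres user, so that the readability test reflects what the server sees.

```shell
#!/bin/sh
# Added example (hypothetical helper names), not code from the thread.
# Usage, as the postgres user:
#   check_ssl_files /etc/postgresql/9.0/main/postgresql.conf

# Print the active (uncommented) data_directory value; the last setting wins.
conf_data_dir() {
    sed -n "s/^[[:space:]]*data_directory[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$1" |
        tail -n 1
}

# Print a file's permission bits in octal (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 if all three files are usable, 1 if any check fails,
# 2 if the configuration file names no data_directory.
check_ssl_files() {
    dir=$(conf_data_dir "$1")
    [ -n "$dir" ] || { echo "no data_directory setting in $1"; return 2; }
    rc=0
    for f in root.crt server.crt server.key; do
        [ -r "$dir/$f" ] || { echo "FAIL $dir/$f missing or unreadable"; rc=1; }
    done
    # The server rejects a private key that group or others can access.
    if [ -f "$dir/server.key" ]; then
        case $(file_mode "$dir/server.key") in
            [0-7]00) ;;
            *) echo "FAIL $dir/server.key is accessible to group or others"; rc=1 ;;
        esac
    fi
    [ "$rc" -eq 0 ] && echo "OK all three files found in $dir"
    return "$rc"
}
```

A FAIL line for root.crt here corresponds to the HINT in the startup log above: the file has to be present and readable in the directory printed in the message, which is not necessarily the directory that holds pg_hba.conf.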