postgresql - psql: FATAL: connection requires a valid client certificate
I'm trying to connect to a PostgreSQL server and psql is complaining that I don't have a valid client certificate. Here is how I created the certificates:
Self-signed server certificate:

    openssl req -new -text -nodes -keyout server.key -out server.csr -subj '/C=US/ST=California/L=Fremont/O=Example/OU=CoreDev/CN=192.168.0.100'   # CN = the server's IP address
    openssl req -x509 -text -in server.csr -key server.key -out server.crt
    cp server.crt root.crt
    rm server.csr
    chmod og-rwx server.key

Client certificate:

    openssl req -new -nodes -keyout client.key -out client.csr -subj '/C=US/ST=California/L=Fremont/O=Example/OU=CoreDev/CN=postgres'   # CN = the postgres database user name
    openssl x509 -req -CAcreateserial -in client.csr -CA root.crt -CAkey server.key -out client.crt
    rm client.csr

After copying the necessary files (client.crt, client.key, root.crt) onto the client machine and changing permissions (i.e., chmod og-rwx client.key), I run the following:

    psql 'host=192.168.0.100 port=5432 dbname=postgres user=postgres sslmode=verify-full sslcert=client.crt sslkey=client.key sslrootcert=root.crt'

and get:

    psql: FATAL: connection requires a valid client certificate

Am I doing the client certificate signing process wrong?
thanks,
#Edit
I tried:

    openssl verify -CAfile root.crt -purpose sslclient client.crt

and get:

    client.crt: OK

Using Wireshark, here is the capture I got of the communication between the client (192.168.0.103) and the server (192.168.0.100):

Do you know how to make sense of this?
#Edit 2
Okay, I did as you said, and it seems the server does not send a CertificateRequest message to the client, as you can see below:

But this is weird, because in pg_hba.conf I have:

    hostssl postgres 192.168.0.103/32 cert

What do you think?
#Edit 3 (solved!)
I changed pg_hba.conf to contain:

    hostssl postgres 192.168.0.103/32 cert clientcert=1

and changed postgresql.conf to add, in the "Security and Authentication" section:

    ssl_ca_file = 'root.crt'

and it worked! Thank you very much!
In this situation I tend to pull out Wireshark and snoop the SSL negotiation to make sure the client certificate is being offered by the client.
I suggest using openssl verify on the client->root signing link, too:

    openssl verify -CAfile root.crt -purpose sslclient client.crt

Edit: it's necessary to specify clientcert=1 when cert authentication is chosen. Yes, that's weird.
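The following script is an added example, not code from the question or the answer: it recreates the CA, server and client certificates from the question (with correct OpenSSL option case), then runs the two checks the answer recommends before touching pg_hba.conf: that client.crt chains to root.crt for the sslclient purpose, and that its CN equals the PostgreSQL role it will log in as (the cert method maps CN to the database user). It also checks a pg_hba.conf line for the clientcert=1 setting the question ended up needing. The directory layout, function names and the 192.168.0.100 / postgres values are assumptions taken from the question.

```shell
#!/bin/sh
# Added example: regenerate the question's certificates and check them the way
# the answer suggests, before trying psql against the server.
set -eu

# Create root/server cert (self-signed, CN = server IP) and a client cert signed by it.
make_certs() {  # $1 = output dir, $2 = server CN, $3 = client CN (database user)
    ( cd "$1"
      openssl req -new -nodes -keyout server.key -out server.csr \
          -subj "/C=US/ST=California/L=Fremont/O=Example/OU=CoreDev/CN=$2" 2>/dev/null
      openssl req -x509 -in server.csr -key server.key -out server.crt 2>/dev/null
      cp server.crt root.crt
      openssl req -new -nodes -keyout client.key -out client.csr \
          -subj "/C=US/ST=California/L=Fremont/O=Example/OU=CoreDev/CN=$3" 2>/dev/null
      openssl x509 -req -CAcreateserial -in client.csr -CA root.crt -CAkey server.key \
          -out client.crt 2>/dev/null
      chmod og-rwx server.key client.key )
}

# Succeeds only if client.crt validates against root.crt for the TLS-client purpose
# (the openssl verify check from the answer).
client_chain_ok() {
    openssl verify -CAfile "$1/root.crt" -purpose sslclient "$1/client.crt" >/dev/null 2>&1
}

# Print the CN of a certificate; pg_hba's cert method compares it to the user name.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/.*CN=\([^,]*\).*/\1/'
}

# On the poster's server, a pg_hba.conf line with the cert method did not make the
# server request a client certificate until clientcert=1 was added (newer releases
# imply it for cert). Accept only hostssl lines that carry both.
hba_cert_line_ok() {
    case "$1" in
        hostssl*cert*clientcert=1*) return 0 ;;
        *) return 1 ;;
    esac
}

dir=$(mktemp -d)
make_certs "$dir" 192.168.0.100 postgres
client_chain_ok "$dir" && echo "client.crt chains to root.crt"
echo "client CN: $(cert_cn "$dir/client.crt")  (must equal the psql user=... value)"
rm -rf "$dir"
```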