postgresql - psql: FATAL: connection requires a valid client certificate
I am trying to connect to a PostgreSQL server with psql and it is complaining that I don't have a valid client certificate. Here is how I create the certificates:
Self-signed server certificate:
openssl req -new -text -nodes -keyout server.key -out server.csr -subj '/C=US/ST=California/L=Fremont/O=Example/OU=CoreDev/CN=192.168.0.100' # CN is the server's IP address
openssl req -x509 -text -in server.csr -key server.key -out server.crt
cp server.crt root.crt
rm server.csr
chmod og-rwx server.key
Client certificate:
openssl req -new -nodes -keyout client.key -out client.csr -subj '/C=US/ST=California/L=Fremont/O=Example/OU=CoreDev/CN=postgres' # CN is the postgres database user name
openssl x509 -req -CAcreateserial -in client.csr -CA root.crt -CAkey server.key -out client.crt
rm client.csr
After copying the necessary files (client.crt, client.key, root.crt) onto the client machine, and changing the permissions (i.e., chmod og-rwx client.key), I run the following:
psql 'host=192.168.0.100 port=5432 dbname=postgres user=postgres sslmode=verify-full sslcert=client.crt sslkey=client.key sslrootcert=root.crt'
and I get:
psql: FATAL: connection requires a valid client certificate
Am I doing the client certificate signing process wrong?
Thanks,
#EDIT
I tried:
openssl verify -CAfile root.crt -purpose sslclient client.crt
and I get:
client.crt: OK
Using Wireshark, here is the capture I got of the communication between the client (192.168.0.103) and the server (192.168.0.100):
Do you know how to make sense of this?
#EDIT 2
Okay, I did what you said, and it seems the server does not send the CertificateRequest message to the client. You can see it below:
But it is weird, because in pg_hba.conf I have:
hostssl postgres 192.168.0.103/32 cert
What do you think?
#EDIT3 (SOLVED!)
I changed pg_hba.conf to contain:
hostssl postgres 192.168.0.103/32 cert clientcert=1
and I changed postgresql.conf to add, in the "Security and Authentication" section:
ssl_ca_file = 'root.crt'
and it worked! Thank you so much!
In this situation I tend to pull out Wireshark and snoop on the SSL negotiation to make sure the client certificate is being offered by the client.
I suggest using openssl verify on the client->root signing link, too.
openssl verify -CAfile root.crt -purpose sslclient client.crt
Edit: It's necessary to specify clientcert=1 when cert authentication is chosen. Yes, that's weird.
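The chain from the question (server certificate doubling as root.crt, client certificate signed with the server key) together with the two checks PostgreSQL cert authentication depends on, as an added shell example that is not part of the original question or answer. File names, the 192.168.0.100 CN and the postgres role are taken from the question; everything is generated into a directory of your choice.

```sh
#!/bin/sh
# Constructed example: rebuild the certificate chain from the question and check
# what PostgreSQL's cert authentication relies on: client.crt must chain to the
# file named in ssl_ca_file (root.crt), and its CN must equal the database role.
set -e

# Generate server.key/server.crt/root.crt and client.key/client.crt into $1.
make_certs() {
    dir=$1
    mkdir -p "$dir"
    base='/C=US/ST=California/L=Fremont/O=Example/OU=CoreDev'
    # Self-signed server certificate; the CN is the address psql connects to,
    # which sslmode=verify-full compares against the host parameter.
    openssl req -new -nodes -newkey rsa:2048 -keyout "$dir/server.key" \
        -out "$dir/server.csr" -subj "$base/CN=192.168.0.100" 2>/dev/null
    openssl req -x509 -days 365 -in "$dir/server.csr" -key "$dir/server.key" \
        -out "$dir/server.crt" 2>/dev/null
    cp "$dir/server.crt" "$dir/root.crt"
    # Client certificate signed by root.crt; CN must be the PostgreSQL role name.
    openssl req -new -nodes -newkey rsa:2048 -keyout "$dir/client.key" \
        -out "$dir/client.csr" -subj "$base/CN=postgres" 2>/dev/null
    openssl x509 -req -days 365 -CAcreateserial -in "$dir/client.csr" \
        -CA "$dir/root.crt" -CAkey "$dir/server.key" -out "$dir/client.crt" 2>/dev/null
    rm -f "$dir/server.csr" "$dir/client.csr"
    chmod og-rwx "$dir/server.key" "$dir/client.key"  # libpq rejects a key readable by others
}

# Succeed only if client.crt in $1 verifies against root.crt for TLS client use
# (the check the answer recommends) and its CN equals the role name given in $2.
check_client_cert() {
    dir=$1
    user=$2
    openssl verify -CAfile "$dir/root.crt" -purpose sslclient "$dir/client.crt" \
        >/dev/null 2>&1 || return 1
    cn=$(openssl x509 -in "$dir/client.crt" -noout -subject -nameopt sep_multiline \
        | sed -n 's/^[[:space:]]*CN=//p')
    [ "$cn" = "$user" ]
}

# Stand-alone use: sh example.sh /path/to/certdir
if [ -n "$1" ]; then
    make_certs "$1"
    check_client_cert "$1" postgres && echo "client.crt chains to root.crt and CN matches role postgres"
fi
```

With these files in place, the server side still needs `hostssl ... cert clientcert=1` in pg_hba.conf and `ssl_ca_file = 'root.crt'` in postgresql.conf, as the question's final edit describes.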