psql:致命:连接需要有效的客户端证书
[英]psql: FATAL: connection requires a valid client certificate
问题描述
I am trying to connect to my PostgreSQL server but psql is complaining that I don't have a valid client certificate.
我正在尝试连接到我的 PostgreSQL 服务器,但 psql 抱怨我没有有效的客户端证书。 Here is how I create my certificates:以下是我创建证书的方式:
Self-signed server certificate:自签名服务器证书:
openssl req -new -text -nodes -keyout server.key -out server.csr -subj '/C=US/ST=California/L=Fremont/O=Example/OU=CoreDev/CN=192.168.0.100' # CN is the server's IP address
openssl req -x509 -text -in server.csr -key server.key -out server.crt
cp server.crt root.crt
rm server.csr
chmod og-rwx server.key
Client certificate:客户证书:
openssl req -new -nodes -keyout client.key -out client.csr -subj '/C=US/ST=California/L=Fremont/O=Example/OU=CoreDev/CN=postgres' # postgres is the database user name
openssl x509 -req -CAcreateserial -in client.csr -CA root.crt -CAkey server.key -out client.crt
rm client.csr
After copying the necessary files (client.crt, client.key, root.crt) onto the client machine and changing permission (ie, chmod og-rwx client.key), I do the following:将必要的文件(client.crt、client.key、root.crt)复制到客户端计算机并更改权限(即 chmod og-rwx client.key)后,我执行以下操作:
psql 'host=192.168.0.100 port=5432 dbname=postgres user=postgres sslmode=verify-full sslcert=client.crt sslkey=client.key sslrootcert=root.crt'
and then I get:然后我得到:
psql: FATAL: connection requires a valid client certificate
Am I doing the client certificate signing process wrong?我做错了客户端证书签名过程吗?
I tried:我试过:
openssl verify -CAfile root.crt -purpose sslclient client.crt
and I get:我得到:
client.crt: OK
Using Wireshark, here is the capture I got for the communication between the client (192.168.0.103) and the server (192.168.0.100):使用 Wireshark,这是我为客户端 (192.168.0.103) 和服务器 (192.168.0.100) 之间的通信获取的捕获:
Why does this happen?为什么会这样?
It seems like the server does not send the CertificateRequest message to the client.. as you can see below:似乎服务器没有向客户端发送 CertificateRequest 消息。如下所示:
but this is weird because in pg_hba.conf, I have:但这很奇怪,因为在 pg_hba.conf 中,我有:
hostssl all postgres 192.168.0.103/32 cert
2 个解决方案
解决方案1
8 已采纳 2013-08-28 23:50:45
In this situation I tend to pull out Wireshark and snoop the SSL negotiation to make sure the client certificate is really being offered by the client. 在这种情况下,我倾向于拔出Wireshark并窥探SSL协商,以确保客户端证书真正由客户端提供。
I suggest using openssl to verify the client->root signing link, too. 我建议使用openssl来验证客户端 - > root签名链接。
openssl verify -CAfile root.crt -purpose sslclient client.crt
Edit : It's necessary to specify clientcert=1 even when cert authentication is chosen. 编辑 :即使选择了cert身份验证,也必须指定clientcert=1 。 Yes, that's weird. 是的,这很奇怪。
解决方案2
1 2021-08-05 21:56:04
Just adding another answer here for someone else.只是在这里为其他人添加另一个答案。 I was getting this same error when connecting from a jdbc using the org.postgresql.driver.使用 org.postgresql.driver 从 jdbc 连接时,我遇到了同样的错误。 The issue is that the format for the key I was passing for the sslkey parameter was a pem format.问题是我为 sslkey 参数传递的密钥格式是 pem 格式。 This link explains it.这个链接解释了它。
https://jdbc.postgresql.org/documentation/head/connect.html#:~:text=keyfile.-,sslkey,-%3D%20String https://jdbc.postgresql.org/documentation/head/connect.html#:~:text=keyfile.-,sslkey,-%3D%20String
Note: The key file must be in PKCS-12 or in PKCS-8 DER format. A PEM key can be converted to DER format using the openssl command:
openssl pkcs8 -topk8 -inform PEM -in postgresql.key -outform DER -out postgresql.pk8 -v1 PBE-MD5-DES
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.