
PostgreSQL SSL Configuration

I have tried a lot but didn't get exact knowledge of which files to copy to the client side.

Getting error "Valid authentication certificate required".

Below is the postgres DB server directory.

total 80
skipping unwanted directory
-rw-------. 1 postgres postgres  1285 Feb 13 20:16 rootCA.crt
-rw-------. 1 postgres postgres  1168 Feb 13 20:16 server.crt
-rw-------. 1 postgres postgres  1679 Feb 13 20:17 server.key

Below is the postgresql.conf file content related to SSL configuration.

[postgres@munmvs2951 raj]$ cat postgresql.conf | grep ssl
ssl = on                                # (change requires restart)
ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
#ssl_prefer_server_ciphers = on         # (change requires restart)
#ssl_ecdh_curve = 'prime256v1'          # (change requires restart)
#ssl_renegotiation_limit = 512MB        # amount of data between renegotiations
ssl_cert_file = 'server.crt'            # (change requires restart)
ssl_key_file = 'server.key'             # (change requires restart)
ssl_ca_file = 'rootCA.crt'                      # (change requires restart)
#ssl_crl_file = ''                      # (change requires restart)

Below is the pg_hba file.

# TYPE  DATABASE        USER            ADDRESS                 METHOD

# "local" is for Unix domain socket connections only
local   all             all                                     trust
# IPv4 local connections:
host    all             all             127.0.0.1/32            trust
# IPv6 local connections:
host    all             all             ::1/128                 trust
# Allow replication connections from localhost, by a user with the
# replication privilege.
#local   replication     postgres                                trust
#host    replication     postgres        127.0.0.1/32            trust
#host    replication     postgres        ::1/128                 trust
#secure client
hostssl  postgres       postgres        clientip/32               md5 clientcert=1

Below is the client side PostgreSQL user home directory from where psql will connect to the server.

[postgres@clinet ~]$ ll
total 32
-rw------- 1 postgres postgres 1168 Feb 15 10:27 client.crt
-rw------- 1 postgres postgres  989 Feb 15 10:27 client.csr
-rw------- 1 postgres postgres 1285 Feb 15 11:47 rootCA.crt
-rw------- 1 postgres postgres 1675 Feb 15 11:47 rootCA.key
-rw------- 1 postgres postgres   17 Feb 15 11:47 rootCA.srl
-rw------- 1 postgres postgres 1168 Feb 15 11:47 server.crt
-rw------- 1 postgres postgres  989 Feb 15 11:47 server.csr
-rw------- 1 postgres postgres 1679 Feb 15 11:47 server.key
[postgres@client ~]$ pwd
/home/postgres

When I go to connect, I get the error below.

[postgres@client ~]$ /opt/PostgresPlus/9.4AS/bin/psql -U postgres -p5443 -hserverip
psql.bin: FATAL:  connection requires a valid client certificate
FATAL:  no pg_hba.conf entry for host "10.80.x.x", user "postgres", database "postgres", SSL off

However, I can access without clientcert=1 in the pg_hba file.

Ref:

[postgres@client ~]$ /opt/PostgresPlus/9.4AS/bin/psql -U postgres -p5443 -hserverip
psql.bin (9.4.1.3)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.

postgres=#

In the above successful connection, I think SSL checking happens only at the server side, not the client side.

But I want to know which files I should copy to the PostgreSQL home directory on the client side to check the certificate as per clientcert=1.

Thanks for your help.

See https://www.postgresql.org/docs/current/libpq-ssl.html

Below is the client side PostgreSQL user home directory from where psql will connect to server

They do not belong in the home directory; they belong in a subdirectory of the home directory named .postgresql. Or in Windows, in a directory named "%APPDATA%\postgresql". And the file rootCA.crt has to be named root.crt, unless you have gone out of your way to change the name/location in the client side configuration, which it doesn't seem you have done (you have changed it on the server side, but that doesn't change it on the client side). And client.crt should be named postgresql.crt, and you are missing the key file for it. And the fact that you have a file named rootCA.key in the client's directory is frightening; no one but the CA should have access to that.
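The following shell script is an added example, not part of the question or the answer above. It checks a libpq client directory for the default file names the answer describes (root.crt, postgresql.crt, postgresql.key under ~/.postgresql), verifies that the private key is not group- or world-readable (libpq refuses such a key on Unix), points out the non-default names used in the question, and flags a CA private key left on the client. The directories and empty placeholder files it creates are constructed for the demonstration only; the function name check_pg_client_ssl_dir is my own, and the Windows %APPDATA%\postgresql location is not handled.

```shell
#!/bin/sh
# Added example: sanity-check a libpq client SSL directory layout.
# Default libpq locations (Unix):
#   ~/.postgresql/root.crt        CA certificate used to verify the server
#   ~/.postgresql/postgresql.crt  client certificate (needed for clientcert=1)
#   ~/.postgresql/postgresql.key  client private key, must be mode 0600 or 0400
# The files touched below are empty placeholders constructed for the demo.

# check_pg_client_ssl_dir DIR
# Prints one line per finding; returns 0 when the layout is usable, 1 otherwise.
check_pg_client_ssl_dir() {
    dir=$1
    rc=0
    for f in root.crt postgresql.crt postgresql.key; do
        if [ ! -f "$dir/$f" ]; then
            echo "MISSING  $dir/$f"
            rc=1
        fi
    done
    # libpq rejects a private key readable by group or others.
    if [ -f "$dir/postgresql.key" ]; then
        mode=$(stat -c %a "$dir/postgresql.key" 2>/dev/null || stat -f %Lp "$dir/postgresql.key" 2>/dev/null)
        case "$mode" in
            600|400) ;;
            *) echo "BADPERM  $dir/postgresql.key has mode $mode (want 0600)"; rc=1 ;;
        esac
    fi
    # Names used in the question: libpq does not look for these by default.
    for f in rootCA.crt client.crt client.key client.csr server.crt server.key server.csr; do
        [ -f "$dir/$f" ] && echo "IGNORED  $dir/$f is not a libpq default name"
    done
    # A CA signing key never belongs on a client host.
    if [ -f "$dir/rootCA.key" ]; then
        echo "DANGER   $dir/rootCA.key: CA private key present on the client"
        rc=1
    fi
    return $rc
}

# Constructed demonstration: the question's layout beside a correct one.
demo=$(mktemp -d)
bad="$demo/bad"; good="$demo/good"
mkdir -p "$bad" "$good"
touch "$bad/rootCA.crt" "$bad/client.crt" "$bad/client.csr" "$bad/rootCA.key"
touch "$good/root.crt" "$good/postgresql.crt" "$good/postgresql.key"
chmod 600 "$good/postgresql.key"
echo "== layout from the question =="
check_pg_client_ssl_dir "$bad" || echo "result: not usable by libpq"
echo "== expected ~/.postgresql layout =="
check_pg_client_ssl_dir "$good" && echo "result: usable by libpq"
rm -rf "$demo"
```

Run it as `sh check.sh`; to check a real client, call `check_pg_client_ssl_dir "$HOME/.postgresql"`. A layout that passes still needs root.crt to actually be the CA that signed the server certificate, and postgresql.crt to be signed by the CA named in the server's ssl_ca_file; the script only checks names and permissions.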
