<div dir="ltr">HI <span style="font-size:12.8000001907349px">Christian.</span><div><span style="font-size:12.8000001907349px"><br></span></div><div><span style="font-size:12.8000001907349px">Thanks for pointing out the issue. Handling of certification chain was missing from <span class="" id=":2bc.1" tabindex="-1"></span><span class="" id=":2bc.1" tabindex="-1"></span><span class="" id=":2bc.1" tabindex="-1"></span><span class="" id=":2bc.1" tabindex="-1"></span><span class="" id=":2bc.1" tabindex="-1"></span><span class="" id=":2bc.1" tabindex="-1"></span><span class="" id=":2bc.1" tabindex="-1"></span><span class="" id=":2bc.1" tabindex="-1"></span><span class="" id=":2bc.1" tabindex="-1"></span><span class="" id=":2bc.1" tabindex="-1"></span><span class="" id=":2bc.1" tabindex="-1"></span><span class="" id=":2bc.1" tabindex="-1"></span><span class="" id=":2bc.1" tabindex="-1"></span><span class="" id=":2bc.1" tabindex="-1"></span><span class="" id=":2bc.1" tabindex="-1"></span><span class="" id=":2bc.1" tabindex="-1"></span><span class="" id=":2bc.1" tabindex="-1"></span><span class="" id=":2bc.1" tabindex="-1"></span><span class="" id=":2bc.1" tabindex="-1"></span><span class="" id=":2bc.1" tabindex="-1"></span><span class="" id=":2bc.1" tabindex="-1"></span><span class="" id=":2bc.1" tabindex="-1"></span><span class="" id=":2bc.1" tabindex="-1"></span><span class="" id=":2bc.1" tabindex="-1"></span><span class="" id=":2bc.1" tabindex="-1"></span><span class="" id=":2bc.1" tabindex="-1"></span><span class="" id=":2bc.1" tabindex="-1"></span><span class="" id=":2bc.1" tabindex="-1"></span><span class="" id=":2bc.1" tabindex="-1"></span><span class="" id=":2bc.1" tabindex="-1"></span><span class="" id=":2bc.1" tabindex="-1"></span><span class="" id=":2bc.1" tabindex="-1"></span><span class="" id=":2bc.1" tabindex="-1"></span><span class="" id=":2bc.1" tabindex="-1"></span><span class="" id=":2bc.1" tabindex="-1"></span><span class="" id=":2bc.1" tabindex="-1"></span><span class="" id=":2bc.1" tabindex="-1"></span><span class="" id=":2bc.1" tabindex="-1"></span><span class="" id=":2bc.1" tabindex="-1"></span><span class="" id=":2bc.1" tabindex="-1"></span><span class="" id=":2bc.1" tabindex="-1"></span><span class="" id=":2bc.1" tabindex="-1"></span><span class="" id=":2bc.1" tabindex="-1"></span><span class="" id=":2bc.1" tabindex="-1"></span><span class="" id=":2bc.1" tabindex="-1"></span><span class="" id=":2bc.1" tabindex="-1"></span><span class="" id=":2bc.1" tabindex="-1"></span><span class="" id=":2bc.1" tabindex="-1"></span><span class="" id=":2bc.1" tabindex="-1">pgpool</span>-II, so it was not honoring the intermediate certificates. </span><span style="font-size:12.8000001907349px">I have pushed the fix</span><span style="font-size:12.8000001907349px"> in all branches from pgpool-II V3.0 onward.</span></div><div><span style="font-size:12.8000001907349px"><br></span></div><div><span style="font-size:12.8000001907349px"><a href="http://git.postgresql.org/gitweb/?p=pgpool2.git;a=commit;h=85e7862ddc6ee16ed98d29a6ac560c03bcd94fb4">http://git.<span class="" id=":2bc.3" tabindex="-1">postgresql</span>.org/<span class="" id=":2bc.4" tabindex="-1">gitweb</span>/?p=pgpool2.git;a=commit;h=85e7862ddc6ee16ed98d29a6ac560c03bcd94fb4</a></span><br></div><div><span style="font-size:12.8000001907349px"><br></span></div><div><span style="font-size:12.8000001907349px">Thanks</span></div><div><span style="font-size:12.8000001907349px">Kind regards!</span></div><div><span style="font-size:12.8000001907349px">Muhammad <span class="" id=":2bc.5" tabindex="-1">Usama</span></span></div><div><span style="font-size:12.8000001907349px"><br></span></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Nov 25, 2014 at 8:44 PM, Christian Affolter <span dir="ltr"><<a href="mailto:c.affolter@stepping-stone.ch" target="_blank">c.affolter@stepping-stone.ch</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi<br>
<br>
thanks for your help. According to the documentation [1] "ssl_ca_cert"<br>
and "ssl_ca_cert_dir" are used for backend server (PostgreSQL)<br>
certificate verification. Nevertheless, I gave it a shot without success.<br>
<br>
Regards<br>
Christian<br>
<br>
<br>
[1] <a href="http://www.pgpool.net/docs/latest/pgpool-en.html#SSL_CA_CERT" target="_blank">http://www.pgpool.net/docs/latest/pgpool-en.html#SSL_CA_CERT</a><br>
<div class="HOEnZb"><div class="h5"><br>
On 25.11.2014 16:12, Lachezar Dobrev wrote:<br>
> Shouldn't you be using<br>
> ssl_ca_cert = '/etc/ssl/pgpoop2/ALL-CAs.pem'<br>
><br>
> Instead of the<br>
> ssl_ca_cert_dir = '...'<br>
><br>
><br>
> 2014-11-25 12:46 GMT+02:00 Christian Affolter <<a href="mailto:c.affolter@stepping-stone.ch">c.affolter@stepping-stone.ch</a>>:<br>
>> Dear pgpool users<br>
>><br>
>> I'm running pgpool-II 3.4.0 with enabled SSL support (between the client<br>
>> and the pgpool daemon). The SSL certificate is signed by an official<br>
>> certificate authority.<br>
>><br>
>> The path to the SSL root CA certs is set and SSL verification is activated:<br>
>> PGSSLROOTCERT="/etc/ssl/certs/ca-certificates.crt"<br>
>> PGSSLMODE="verify-full"<br>
>><br>
>> Whenever I try to connect to the pgpool-II server with the psql client,<br>
>> I get a "psql: SSL error: certificate verify failed" error.<br>
>><br>
>> ca-certificates.crt contains the correct Root CA certificate.<br>
>><br>
>><br>
>> The chain of trust looks as follows:<br>
>> Certificate -> Intermediate CA 1 -> Intermediate CA 2 -> Root CA<br>
>><br>
>><br>
>> The SSL connection settings of pgpool.conf:<br>
>><br>
>> ssl = on<br>
>> ssl_key = '/etc/ssl/pgpool2/host.example.com.key.pem'<br>
>> ssl_cert = '/etc/ssl/pgpool2/host.example.com.bundle.pem'<br>
>> #ssl_ca_cert = ''<br>
>> ssl_ca_cert_dir = '/etc/ssl/certs'<br>
>><br>
>><br>
>> "host.example.com.key.pem" contains the private key whereas<br>
>> "host.example.com.bundle.pem" contains the x509 certificate and all<br>
>> involved CA certificates. It was created in the following order:<br>
>><br>
>> cat host.example.com.cert.pem > host.example.com.bundle.pem<br>
>> cat Intermediate-CA-1.cert.pem >> host.example.com.bundle.pem<br>
>> cat Intermediate-CA-2.cert.pem >> host.example.com.bundle.pem<br>
>> cat Root-CA.cert.pem >> host.example.com.bundle.pem<br>
>><br>
>><br>
>> The verification works correct, if I explicitly create a CA file with<br>
>> all CAs involved: PGSSLROOTCERT=/etc/ssl/pgpool2/All-CAs.pem psql ...<br>
>><br>
>> Furthermore, I can use the same "host.example.com.bundle.pem" file<br>
>> within the PostgreSQL server, with only the Root CA known to the client<br>
>> (the original command).<br>
>><br>
>><br>
>> Does anyone know on how to correctly deal with intermediate CA<br>
>> certificates within pgpool-II, so that pgpool sends the intermediate<br>
>> certificates along with the server certificate?<br>
>><br>
>><br>
>> Many thanks in advance<br>
>> Christian<br>
<br>
_______________________________________________<br>
pgpool-general mailing list<br>
<a href="mailto:pgpool-general@pgpool.net">pgpool-general@pgpool.net</a><br>
<a href="http://www.pgpool.net/mailman/listinfo/pgpool-general" target="_blank">http://www.pgpool.net/mailman/listinfo/pgpool-general</a><br>
</div></div></blockquote></div><br></div>