On Wed, Oct 08, 2008, Andrej Podzimek wrote:

> Hello,
>
> both psql and pgAdmin refuse to connect to my PostgreSQL server using SSL. 
> These two error messages alternate:
>
>       SSL error: sslv3 alert certificate expired
>       SSL error: certificate verify failed
>
> CA certificate is valid till 2011.
> Server certificate is valid till 2009.
> Client certificate is valid till 2009.
>
> So the first error message is obviously a nonsense.
>
> I asked on the pgAdmin and PostgreSQL mailing lists. The answer was just 
> about the same in both cases: This must be an OpenSSL issue.
>
> In fact, the whole story is a bit more complicated:
>
> 1) I enabled OpenSSL for psql and pgAdmin in June 2008. It worked.
> 2) It stopped working (for the first time) at the end of August, with the 
> certificate expired message.
> 3) Adding the CA certificate and CRL on the *client* side fixed this, 
> amazingly.
> 4) Then it worked for about one month, till the beginning of October.
> 5) Stopped working again about two days ago, this time with two error 
> messages.
>
> Certificate and key files are still in place and computer clocks show 
> correct time.
>
> I have the 0.9.8i version installed. Should I try the h version again? (I 
> am not sure whether the upgrade from h to i is related to the malfunction 
> or not.)
>
> Other programs, such as Courier-MTA, work just fine.
>
> Is it possible to get more log messages? There is something wrong with the 
> OpenSSL + PostgreSQL combination. There are two scenarios corresponding to 
> the error messages mentioned above.
> 1) Server says the certificate has expired. Client says certificate 
> verification failed.
> 2) Server says the client did not supply a certificate. Client says the 
> certificate has expired.
>
> Nobody says *which* certificate expired. (AFAIK, all of them are valid. 
> Checked that twice.)
>
> What could be wrong? Thank you in advance for any piece of advice.
>

Are any intermediate CA certificates involved?

This command will dump all certificates received:

openssl s_client -connect hostname:portnum -showcerts

If you split them into files and try:

openssl x509 -in cert.pem -dates -noout

It will print their dates.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
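
The split-and-check procedure from the reply above, as an added example that is not part of the original thread: it splits saved `-showcerts` output into one file per certificate, prints each certificate's dates, and flags any that has expired, intermediate CA certificates included. The function names, `chain.txt`, the `certs` directory and the sample text are assumptions made for the illustration.

```shell
# Usage, with hostname:portnum as in the command above:
#   openssl s_client -connect hostname:portnum -showcerts </dev/null >chain.txt
#   split_certs chain.txt certs && report_dates certs
# Write each PEM certificate in file $1 to directory $2 as cert-N.pem, in the
# order the server sent them, and print how many were found.
split_certs() {
    mkdir -p "$2" || return 1
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside                         { print > out }
        /^-----END CERTIFICATE-----/   { inside = 0; close(out) }
        END                            { print n + 0 }
    ' "$1"
}

# Print subject, issuer and validity dates of every split certificate in $1;
# return 1 if any has already expired.
report_dates() {
    expired=0
    for f in "$1"/cert-*.pem; do
        [ -f "$f" ] || continue
        echo "== $f"
        openssl x509 -in "$f" -noout -subject -issuer -dates || continue
        # -checkend 0 exits non-zero when notAfter is already in the past
        if ! openssl x509 -in "$f" -noout -checkend 0 >/dev/null; then
            echo "   EXPIRED: $f"
            expired=1
        fi
    done
    return "$expired"
}

# Constructed sample of -showcerts output; the bodies are placeholders, not
# real certificates, so it exercises split_certs only.
sample_showcerts() {
    cat <<'EOF'
Certificate chain
 0 s:/CN=db.example.test
   i:/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-SERVER-CERTIFICATE-BODY
-----END CERTIFICATE-----
 1 s:/CN=Example Intermediate CA
   i:/CN=Example Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-INTERMEDIATE-CERTIFICATE-BODY
-----END CERTIFICATE-----
EOF
}
```

PostgreSQL negotiates SSL inside its own protocol, so against a database port newer OpenSSL releases need `-starttls postgres` added to the `s_client` command before the handshake is reached.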
