On Fri, Apr 8, 2011 at 1:42 PM, Carlos Mennens <carlos.menn...@gmail.com> wrote:

> I had self signed SSL certificates on my database server but since
> then removed them and received updated certificates from the security
> team. I removed (backed up) the old server.crt & server.key and now
> have db1_ssl.crt & db1_ssl.key in the identical location as the old
> SSL certificates. I then went to /etc/postgres/8.4/main and removed
> the old symbolic links for the old certificates and generated new
> symbolic links:
>
> ln -s /etc/ssl/certs/db1_ssl.crt db1_ssl.crt
> ln -s /etc/ssl/private/db1_ssl.key db1_ssl.key
>
> I then restarted PostgreSQL and got the following error:
>
> 2011-04-08 09:54:34 EDT FATAL: could not load server certificate file "server.crt": No such file or directory
> 2011-04-08 10:00:43 EDT FATAL: could not load server certificate file "server.crt": No such file or directory
>
> I looked for anywhere else in /var/lib/postgres/ & /etc/postgres/ but
> can't find anything else that's calling the old certificates. I
> changed the ownership on the certificates and symbolic links to either
> root or postgres and nothing worked. It fails to start with the
> following error:
>
> root@db1:/# /etc/init.d/postgresql start
> Starting PostgreSQL 8.4 database server: mainThe PostgreSQL server failed to start. Please check the log output: 2011-04-08 12:36:54 EDT FATAL: could not load server certificate file "server.crt": No such file or directory ... failed!
>
> I checked the documentation page:
>
> http://www.postgresql.org/docs/8.4/static/libpq-ssl.html
>
> Table 30-4. Libpq/Client SSL File Usage
>
> File | Contents | Effect
> ~/.postgresql/postgresql.crt | client certificate | requested by server
> ~/.postgresql/postgresql.key | client private key | proves client certificate sent by owner; does not indicate certificate owner is trustworthy
> ~/.postgresql/root.crt | trusted certificate authorities | checks server certificate is signed by a trusted certificate authority
> ~/.postgresql/root.crl | certificates revoked by certificate authorities | server certificate must not be on this list
>
> Can anyone tell me what I'm doing wrong or missing here? I can't
> disable SSL per DoD requirements sadly.
>
> -Carlos

Hi,

When linking to the certificate and key you should specify the full path.

ln -s /etc/ssl/certs/db1_ssl.crt /full/path/to/db1_ssl.crt
ln -s /etc/ssl/private/db1_ssl.key /full/path/to/db1_ssl.key

HTH,
diego
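
The FATAL line quoted above names `server.crt`: PostgreSQL 8.4 has no setting for the SSL file names and opens the fixed names `server.crt` and `server.key` in its data directory. The following pre-restart check is an added example, not part of the original thread; the function name `check_pg_ssl_files` and the directory argument are assumptions, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: verify the fixed SSL file names PostgreSQL 8.4 loads.
# DIR is the server's data directory (assumption: supplied by the caller).
check_pg_ssl_files() {
    dir=$1
    status=0
    for name in server.crt server.key; do
        path="$dir/$name"
        if [ -L "$path" ] && [ ! -e "$path" ]; then
            # The symlink exists but its target does not resolve.
            echo "DANGLING $name -> $(readlink "$path")"
            status=1
        elif [ ! -e "$path" ]; then
            # Nothing with the expected name, e.g. only db1_ssl.crt is present.
            echo "MISSING $name"
            status=1
        elif [ ! -r "$path" ]; then
            echo "UNREADABLE $name"
            status=1
        else
            echo "OK $name"
        fi
    done
    key="$dir/server.key"
    if [ -e "$key" ]; then
        # stat -L follows the symlink, so this is the mode of the real key file.
        mode=$(stat -L -c '%a' "$key")
        # The upstream 8.4 documentation requires that server.key allow no
        # group or world access; reported here as a warning only.
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "WARN server.key mode $mode allows group/world access"
        fi
    fi
    return $status
}

# Run directly as: sh check.sh /path/to/data/directory
if [ "$#" -gt 0 ]; then
    check_pg_ssl_files "$1"
fi
```

Run it as the account the server runs under, so the readability test reflects what the postmaster will see.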