postgresql psql:致命:连接需要有效的客户端证书
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/18497299/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
psql: FATAL: connection requires a valid client certificate
提问by platypus
I am trying to connect to my PostgreSQL server but psql is complaining that I don't have a valid client certificate. Here is how I create my certificates:
我正在尝试连接到我的 PostgreSQL 服务器,但 psql 抱怨我没有有效的客户端证书。这是我创建证书的方法:
Self-signed server certificate:
自签名服务器证书:
openssl req -new -text -nodes -keyout server.key -out server.csr -subj '/C=US/ST=California/L=Fremont/O=Example/OU=CoreDev/CN=192.168.0.100' # CN is the server's IP address
openssl req -x509 -text -in server.csr -key server.key -out server.crt
cp server.crt root.crt
rm server.csr
chmod og-rwx server.key
Client certificate:
客户证书:
openssl req -new -nodes -keyout client.key -out client.csr -subj '/C=US/ST=California/L=Fremont/O=Example/OU=CoreDev/CN=postgres' # postgres is the database user name
openssl x509 -req -CAcreateserial -in client.csr -CA root.crt -CAkey server.key -out client.crt
rm client.csr
After copying the necessary files (client.crt, client.key, root.crt) onto the client machine and changing permission (i.e., chmod og-rwx client.key), I do the following:
将必要的文件(client.crt、client.key、root.crt)复制到客户端机器上并更改权限(即 chmod og-rwx client.key)后,我执行以下操作:
psql 'host=192.168.0.100 port=5432 dbname=postgres user=postgres sslmode=verify-full sslcert=client.crt sslkey=client.key sslrootcert=root.crt'
and then I get:
然后我得到:
psql: FATAL: connection requires a valid client certificate
Am I doing the client certificate signing process wrong?
我做的客户端证书签名过程错了吗?
Thanks,
谢谢,
#Edit
#编辑
I tried:
我试过:
openssl verify -CAfile root.crt -purpose sslclient client.crt
and I get:
我得到:
client.crt: OK
Using Wireshark, here is the capture I got for the communication between the client (192.168.0.103) and the server (192.168.0.100):
使用 Wireshark,这里是我为客户端 (192.168.0.103) 和服务器 (192.168.0.100) 之间的通信获取的捕获:
Do you know how to make sense of this?
你知道如何理解这个吗?
#Edit 2
#编辑2
Okay, I did what you said, and it seems like the server does not send the CertificateRequest message to the client.. as you can see below:
好的,我按照你说的做了,看起来服务器没有向客户端发送 CertificateRequest 消息..如下所示:
but this is weird because in pg_hba.conf, I have:
但这很奇怪,因为在 pg_hba.conf 中,我有:
hostssl all postgres 192.168.0.103/32 cert
What do you think?
你怎么认为?
#Edit3 (SOLVED!)
#Edit3(已解决!)
I changed the pg_hba.conf to contain:
我将 pg_hba.conf 更改为包含:
hostssl all postgres 192.168.0.103/32 cert clientcert=1
and changed postgresql.conf to add in the "Security and Authentication" section:
并将 postgresql.conf 更改为添加到“安全和身份验证”部分:
ssl_ca_file = 'root.crt'
AND IT WORKED! Thank you so much!
它奏效了!太感谢了!
采纳答案by Craig Ringer
In this situation I tend to pull out Wireshark and snoop the SSL negotiation to make sure the client certificate is really being offered by the client.
在这种情况下,我倾向于退出 Wireshark 并监听 SSL 协商以确保客户端证书确实由客户端提供。
I suggest using openssl to verify the client->root signing link, too.
我建议也使用 openssl 来验证 client->root 签名链接。
openssl verify -CAfile root.crt -purpose sslclient client.crt
Edit: It's necessary to specify clientcert=1even when certauthentication is chosen. Yes, that's weird.
编辑:clientcert=1即使cert选择了身份验证,也必须指定。是的,这很奇怪。
