I've installed PostgreSQL on Arch Linux and also generated my own self-signed certificates in the /etc/ssl/ directory. My PostgreSQL 'data' directory is /var/lib/postgres/data, and I've edited my postgresql.conf file to use SSL; however, I'm having permission/access problems starting my database using SSL. It can't access the certificates and errors out when I try to start the database engine:
LOG: autovacuum launcher shutting down
LOG: shutting down
LOG: database system is shut down
FATAL: could not load server certificate file "server.crt": No such file or directory
FATAL: private key file "server.key" has group or world access
DETAIL: Permissions should be u=rw (0600) or less.
FATAL: could not access private key file "server.key": Permission denied
FATAL: could not access private key file "server.key": Permission denied
FATAL: could not access private key file "server.key": Permission denied
FATAL: could not load private key file "server.key": Permission denied
My /etc/ssl permissions are as follows:
[root@ghost ssl]# ls -l
total 28
drwxr-xr-x 2 root root 4096 Apr 18 22:28 certs
drwxr-xr-x 2 root root 4096 Feb 8 13:58 misc
-rw-r--r-- 1 root root 10819 Feb 8 13:58 openssl.cnf
drwxr-xr-x 2 root root 4096 Apr 18 22:28 private
-rw-r--r-- 1 root root 1813 Apr 18 22:27 server.csr
The individual certificate permissions are as follows:
[root@ghost ssl]# ls -l certs/server.crt
-rw-r--r-- 1 root root 2126 Apr 18 22:27 certs/server.crt
[root@ghost ssl]# ls -l private/server.key
-rw------- 1 root root 3311 Apr 18 22:25 private/server.key
I don't know what I need to chown or chmod in order to get PostgreSQL to access my self-signed certificates. If anyone could please help me out, I would greatly appreciate it.
PostgreSQL runs as the 'postgres' user. I don't know if it drops permissions before it tries to load the certificate, but you may want to see if temporarily setting it to be owned and accessible by that user helps.
Yeah, I may try that. In Debian there is an ssl-user group that owns the SSL data, and I just 'gpasswd -a user ssl-user' for anyone. Perhaps I can transition that to Arch from Debian.
FATAL: could not load server certificate file "server.crt": No such file or directory
FATAL: private key file "server.key" has group or world access
DETAIL: Permissions should be u=rw (0600) or less.
FATAL: could not access private key file "server.key": Permission denied
FATAL: could not access private key file "server.key": Permission denied
FATAL: could not access private key file "server.key": Permission denied
FATAL: could not load private key file "server.key": Permission denied
IME, postgres is hard-coded to look for server.{key,crt} in its data directory, and they need to be owned by the unprivileged user:
/srv/pgData-8.4 # ll server*
-rw------- 1 postgres postgres 1.5K Jul 13 2010 server.crt
-rw------- 1 postgres postgres 887 Jul 13 2010 server.key
-rw------- 1 postgres postgres 700 Jul 13 2010 server.req
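The rule the last reply describes (server.key in the data directory, owned by the user the server runs as, mode 0600 or tighter) is easy to reproduce from the shell. The script below is an added example written for this thread; it is not code from any poster or from PostgreSQL itself. It re-implements the check behind the "private key file ... has group or world access" FATAL, then shows the install step that moves the files from the OP's /etc/ssl layout into the data directory with the right ownership and mode. The data directory (/var/lib/postgres/data), the server user (postgres) and the /etc/ssl/{certs,private}/server.* paths are taken from the thread; the function names and the placeholder key used in the demo are this example's own.

```shell
#!/bin/sh
# Added example for this thread, not code from any poster or from PostgreSQL.
# Assumptions: PGDATA is /var/lib/postgres/data, the server runs as user
# 'postgres', and server.crt/server.key live directly in PGDATA.

# Numeric owner uid of a file (third field of `ls -ln`), portably.
owner_uid() {
    ls -ln "$1" 2>/dev/null | awk '{print $3}'
}

# Mode string of a file, e.g. "-rw-------". Only the first ten columns are
# the mode bits; a trailing '+' or '.' (ACL/SELinux marker) is cut away.
mode_string() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# Mirror the server's rule for server.key: the file must exist, be owned by
# the uid the server runs as, and carry no bits beyond u=rw (0600).
# Exit codes: 0 accepted, 1 missing, 2 wrong owner, 3 group/world (or u=x) bits set.
pg_key_check() {
    key=$1
    want_uid=$2
    [ -f "$key" ] || return 1
    [ "$(owner_uid "$key")" = "$want_uid" ] || return 2
    # columns 4-10 are u=x, g=rwx, o=rwx; all must be '-' for 0600 or less
    case "$(mode_string "$key" | cut -c4-10)" in
        -------) return 0 ;;
        *)       return 3 ;;
    esac
}

# The fix for the OP's layout: copy both files into PGDATA owned by postgres
# with mode 0600. Must run as root because of the ownership change.
pg_install_ssl_files() {
    datadir=${1:-/var/lib/postgres/data}
    owner=${2:-postgres}
    install -m 0600 -o "$owner" -g "$owner" /etc/ssl/certs/server.crt   "$datadir/server.crt"
    install -m 0600 -o "$owner" -g "$owner" /etc/ssl/private/server.key "$datadir/server.key"
}

# Walk through the failure and the fix in a scratch directory owned by the
# current user. The key is a constructed placeholder, not a real private key.
demo() {
    scratch=$(mktemp -d) || return 1
    me=$(id -u)
    echo "placeholder, not a real private key" > "$scratch/server.key"
    chmod 0644 "$scratch/server.key"      # group/world readable: what the FATAL complains about
    if pg_key_check "$scratch/server.key" "$me"; then before=0; else before=$?; fi
    chmod 0600 "$scratch/server.key"      # u=rw only: what the server wants
    if pg_key_check "$scratch/server.key" "$me"; then after=0; else after=$?; fi
    if pg_key_check "$scratch/server.crt" "$me"; then missing=0; else missing=$?; fi
    rm -rf "$scratch"
    echo "before=$before after=$after missing=$missing"
}

demo    # prints: before=3 after=0 missing=1
```

On a real cluster, run `pg_key_check /var/lib/postgres/data/server.key "$(id -u postgres)"` as any user that can read the directory listing; a non-zero code tells you which of the three conditions the server will reject before you restart it. Note that the check applies to the private key only: server.crt just has to be readable by the postgres user. The Debian-style group approach mentioned above does not satisfy this rule, because any group bit on the key is exactly what the server refuses. Two facts about later releases, not from this thread: since PostgreSQL 9.2 the file names are configurable with ssl_cert_file and ssl_key_file (relative paths still resolve against the data directory), and since 9.6 the server also accepts a root-owned key with mode 0640, so a group-readable key is only tolerated when root, not postgres, owns it.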