
#1 2011-04-19 14:40:21

Carlwill
Member
From: Orlando, FL
Registered: 2008-10-06
Posts: 560
Website

Postgresql SSL Certificate Configuration

I've installed PostgreSQL on Arch Linux and also generated self-signed certificates in the /etc/ssl/ directory. My PostgreSQL 'data' directory is /var/lib/postgres/data and I've edited my postgresql.conf file to use SSL; however, I'm having permission/access problems starting my database using SSL. It can't access the certificates and errors out when I try to start the database engine:

LOG:  autovacuum launcher shutting down
LOG:  shutting down
LOG:  database system is shut down
FATAL:  could not load server certificate file "server.crt": No such file or directory
FATAL:  private key file "server.key" has group or world access
DETAIL:  Permissions should be u=rw (0600) or less.
FATAL:  could not access private key file "server.key": Permission denied
FATAL:  could not access private key file "server.key": Permission denied
FATAL:  could not access private key file "server.key": Permission denied
FATAL:  could not load private key file "server.key": Permission denied

My /etc/ssl permissions are as follows:

[root@ghost ssl]# ls -l
total 28
drwxr-xr-x 2 root root  4096 Apr 18 22:28 certs
drwxr-xr-x 2 root root  4096 Feb  8 13:58 misc
-rw-r--r-- 1 root root 10819 Feb  8 13:58 openssl.cnf
drwxr-xr-x 2 root root  4096 Apr 18 22:28 private
-rw-r--r-- 1 root root  1813 Apr 18 22:27 server.csr

The individual certificate permissions are as follows:

[root@ghost ssl]# ls -l certs/server.crt 
-rw-r--r-- 1 root root 2126 Apr 18 22:27 certs/server.crt
[root@ghost ssl]# ls -l private/server.key 
-rw------- 1 root root 3311 Apr 18 22:25 private/server.key

I don't know what I need to chown or chmod in order to get PostgreSQL to access my self signed certificates. If anyone could please help me out, I would greatly appreciate it.


./


#2 2011-04-19 15:08:00

toofishes
Developer
From: Chicago, IL
Registered: 2006-06-06
Posts: 602
Website

Re: Postgresql SSL Certificate Configuration

Postgresql runs as the 'postgres' user - I don't know if it drops permissions before it tries to load the certificate, but you may want to see if temporarily setting it to be owned and accessible by that user helps.


#3 2011-04-19 15:13:23

Carlwill
Member
From: Orlando, FL
Registered: 2008-10-06
Posts: 560
Website

Re: Postgresql SSL Certificate Configuration

Yeah, I may try that. In Debian there is an ssl-user group that owns the SSL data, and I just 'gpasswd -a user ssl-user' for anyone. Perhaps I can transition that to Arch from Debian.


./


#4 2011-04-19 23:12:09

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,224
Website

Re: Postgresql SSL Certificate Configuration

FATAL:  could not load server certificate file "server.crt": No such file or directory
FATAL:  private key file "server.key" has group or world access
DETAIL:  Permissions should be u=rw (0600) or less.
FATAL:  could not access private key file "server.key": Permission denied
FATAL:  could not access private key file "server.key": Permission denied
FATAL:  could not access private key file "server.key": Permission denied
FATAL:  could not load private key file "server.key": Permission denied

IME, postgres is hard-coded to look for server.{key,crt} in its data directory, and it needs to be owned by the unpriv'ed user:

/srv/pgData-8.4 # ll server*
-rw------- 1 postgres postgres 1.5K Jul 13  2010 server.crt
-rw------- 1 postgres postgres  887 Jul 13  2010 server.key
-rw------- 1 postgres postgres  700 Jul 13  2010 server.req
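
The conditions named in the FATAL lines quoted in this thread, written as a pre-start check. This is an added example, not part of any post above; the function name, the return codes and the choice to compare numeric uids are assumptions of the example, and it needs GNU stat.

```shell
#!/bin/sh
# Added example (not from the thread). Requires GNU stat (coreutils).
# check_pg_ssl DATADIR UID
#   DATADIR  PostgreSQL data directory, e.g. /var/lib/postgres/data
#   UID      numeric uid the server runs as, e.g. "$(id -u postgres)"
# Return codes are this example's own convention:
#   0 ok | 1 server.crt missing | 2 server.key missing
#   3 key has group/world bits | 4 key not owned by UID | 5 stat failed
check_pg_ssl() {
    pg_dir=$1
    pg_uid=$2
    pg_crt="$pg_dir/server.crt"
    pg_key="$pg_dir/server.key"

    # 'could not load server certificate file "server.crt": No such file ...'
    # Per the thread, the server looks for both files in its data directory.
    [ -f "$pg_crt" ] || { echo "missing: $pg_crt" >&2; return 1; }
    [ -f "$pg_key" ] || { echo "missing: $pg_key" >&2; return 2; }

    key_mode=$(stat -c '%a' "$pg_key") || return 5
    key_uid=$(stat -c '%u' "$pg_key") || return 5

    # 'private key file "server.key" has group or world access'
    # The leading 0 makes the shell read the mode as octal.
    if [ $(( 0$key_mode & 077 )) -ne 0 ]; then
        echo "mode $key_mode allows group/world access: $pg_key" >&2
        return 3
    fi

    # 'could not access private key file "server.key": Permission denied'
    # A 0600 key is readable only by its owner, so that owner must be the
    # uid the server runs as.
    if [ "$key_uid" != "$pg_uid" ]; then
        echo "owner uid $key_uid, expected $pg_uid: $pg_key" >&2
        return 4
    fi
    return 0
}
```

Run it as root before starting the service, for example `check_pg_ssl /var/lib/postgres/data "$(id -u postgres)"`, so the check itself is not blocked by the permissions it is inspecting.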
