
#1 2011-04-19 14:40:21

From: Orlando, FL
Registered: 2008-10-06
Posts: 560

Postgresql SSL Certificate Configuration

I've installed PostgreSQL on Arch Linux and also self-generated self-signed certificates in the /etc/ssl/ directory. My PostgreSQL 'data' directory is /var/lib/postgres/data and I've edited my postgresql.conf file to use SSL; however, I'm having permission / access problems starting my database using SSL. It can't access the certificates and errors out when I try to start the database engine:

LOG:  autovacuum launcher shutting down
LOG:  shutting down
LOG:  database system is shut down
FATAL:  could not load server certificate file "server.crt": No such file or directory
FATAL:  private key file "server.key" has group or world access
DETAIL:  Permissions should be u=rw (0600) or less.
FATAL:  could not access private key file "server.key": Permission denied
FATAL:  could not access private key file "server.key": Permission denied
FATAL:  could not access private key file "server.key": Permission denied
FATAL:  could not load private key file "server.key": Permission denied

My /etc/ssl permissions are as follows:

[root@ghost ssl]# ls -l
total 28
drwxr-xr-x 2 root root  4096 Apr 18 22:28 certs
drwxr-xr-x 2 root root  4096 Feb  8 13:58 misc
-rw-r--r-- 1 root root 10819 Feb  8 13:58 openssl.cnf
drwxr-xr-x 2 root root  4096 Apr 18 22:28 private
-rw-r--r-- 1 root root  1813 Apr 18 22:27 server.csr

The individual certificate permissions are as follows:

[root@ghost ssl]# ls -l certs/server.crt 
-rw-r--r-- 1 root root 2126 Apr 18 22:27 certs/server.crt
[root@ghost ssl]# ls -l private/server.key 
-rw------- 1 root root 3311 Apr 18 22:25 private/server.key

I don't know what I need to chown or chmod in order to get PostgreSQL to access my self signed certificates. If anyone could please help me out, I would greatly appreciate it.



#2 2011-04-19 15:08:00

From: Chicago, IL
Registered: 2006-06-06
Posts: 602

Re: Postgresql SSL Certificate Configuration

PostgreSQL runs as the 'postgres' user. I don't know if it drops permissions before it tries to load the certificate, but you may want to see if temporarily setting it to be owned and accessible by that user helps.


#3 2011-04-19 15:13:23

From: Orlando, FL
Registered: 2008-10-06
Posts: 560

Re: Postgresql SSL Certificate Configuration

Yeah, I may try that. In Debian there is an ssl-user group that owns the SSL data and I just 'gpasswd -a user ssl-user' for anyone. Perhaps I can transition that to Arch from Debian.



#4 2011-04-19 23:12:09

Registered: 2007-09-28
Posts: 6,226

Re: Postgresql SSL Certificate Configuration

FATAL:  could not load server certificate file "server.crt": No such file or directory
FATAL:  private key file "server.key" has group or world access
DETAIL:  Permissions should be u=rw (0600) or less.
FATAL:  could not access private key file "server.key": Permission denied
FATAL:  could not access private key file "server.key": Permission denied
FATAL:  could not access private key file "server.key": Permission denied
FATAL:  could not load private key file "server.key": Permission denied

IME, postgres is hard-coded to look for server.{key,crt} in its data directory, and it needs to be owned by the unpriv'ed user:

/srv/pgData-8.4 # ll server*
-rw------- 1 postgres postgres 1.5K Jul 13  2010 server.crt
-rw------- 1 postgres postgres  887 Jul 13  2010 server.key
-rw------- 1 postgres postgres  700 Jul 13  2010 server.req
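
An added example, not part of the original thread: a shell pre-start check for the conditions the log and the last reply describe (server.crt and server.key present in the data directory, the key owned by the server's user, no group or world access on the key). The function name check_pg_tls_files is hypothetical, and GNU stat (as shipped on Arch Linux) is assumed.

```shell
#!/bin/sh
# Added example: verify the TLS files before starting the server.
# Assumptions: GNU stat; files named server.crt / server.key inside the
# data directory, as in the thread.

# check_pg_tls_files DATA_DIR OWNER_UID
#   OWNER_UID is the numeric uid the server runs as, e.g. $(id -u postgres).
#   Prints one line per finding; returns 0 only if nothing is wrong.
check_pg_tls_files() {
    dir=$1
    want_uid=$2
    rc=0
    crt="$dir/server.crt"
    key="$dir/server.key"

    # Matches: could not load server certificate file "server.crt"
    if [ ! -f "$crt" ]; then
        echo "missing: $crt"
        rc=1
    fi

    if [ ! -f "$key" ]; then
        echo "missing: $key"
        return 1
    fi

    # %a = octal permission bits, %u = numeric owner uid
    set -- $(stat -c '%a %u' "$key")
    mode=$1
    uid=$2

    # A key readable only by another user (root:root 0600 in the thread)
    # leads to "Permission denied" for the server process.
    if [ "$uid" != "$want_uid" ]; then
        echo "owner: $key is uid $uid, expected $want_uid"
        rc=1
    fi

    # Any group/other bit set leads to the "has group or world access"
    # refusal; the log asks for u=rw (0600) or less.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "mode: $key is $mode, should be 0600 or less"
        rc=1
    fi

    return $rc
}
```

Call it as `check_pg_tls_files /var/lib/postgres/data "$(id -u postgres)"` and fix each reported line with chown or chmod before starting the database.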

