SSL POSTGRES connection with self-signed certificate












0















I'm new on SSL, so I've started by reading lot of tutorials, topics, forum...
There is lot of information, and it's a bit complicated.
I'm trying to make a SSL connection between my computer and a Postgresql instance on a different server. To do that, I've worked step by step.





  1. Check that the connection between the two is working without SSL




    • connect myself by command line: OK !


    psql "hostaddr=X.X.X.X port=5432 user=postgres dbname=my_db"




    • connect myself by a DB visual tool (TeamSql, it's like PgAdmin or MysqlWorkbench): OK !



  2. Generate keys and certificates;
    I've followed a tutorial online (everything following in "" is a parameter that I've hide)



Create the server key



openssl genrsa -des3 -out server.key 1024
chmod 400 server.key
chown postgres.postgres server.key
openssl req -new -key server.key -days 3650 -out server.crt -x509 -subj '/C=FR/ST=[MyCountry]/L=[MyCity]/O=[MyCompany]/CN=postgres/emailAddress=[my@email.com]'


Assume that the root certificate is the same



cp server.crt root.crt


After that, generate client side. First, the key



openssl genrsa -des3 -out /tmp/postgresql.key 1024


Then the CSR



openssl req -new -key /tmp/postgresql.key -out /tmp/postgresql.csr -subj '/C=FR/ST=[MyCountry]/L=[MyCity]/O=[MyCompany]/CN=postgres'


And finally the CRT



openssl x509 -req -in /tmp/postgresql.csr -CA root.crt -CAkey server.key -out /tmp/postgresql.crt -CAcreateserial



  1. Activation of SSL on server side.
    In the PG_HBA.CONF file, add a specific line to handles SSL connections from outside


enter image description here



In the POSTGRESQL.CONF file, modify those lines:



listen_addresses = '*'
[...]
ssl = on
[...]
ssl_cert_file = 'server.crt'
ssl_key_file = 'server.key'
ssl_ca_file = 'root.crt'



  1. Retrieves postgresql.key, postgresql.crt and root.crt files on my computer, in the /home/user/.postgresql/ folder.
    Also changed rights on the postgresql.key file (600)



  2. Try the first step again. In case of command line, everything is ok. But with the visual tool, even with the SSL option activated (and using the same three files) there is two results:




    • with "Reject Unauthorized" option set to OFF: it's working


    • with "Reject Unauthorized" option set to ON: got an error






Hostname/IP doesn't match certificate's altnames: "IP: X.X.X.X is not
in the cert's list: "




(with X.X.X.X my server IP)



So my question is: did I do everything fine? Why there is a difference between the command line connection and the visual tool one?
Is the certificates generation's ok?



Of course, I don't want a real CA Certification. I'm looking for a self-signed one, but even if I've followed different tutorials, it's still not working...
Thanks for your help and have a good weekend










share|improve this question



























    0















    I'm new on SSL, so I've started by reading lot of tutorials, topics, forum...
    There is lot of information, and it's a bit complicated.
    I'm trying to make a SSL connection between my computer and a Postgresql instance on a different server. To do that, I've worked step by step.





    1. Check that the connection between the two is working without SSL




      • connect myself by command line: OK !


      psql "hostaddr=X.X.X.X port=5432 user=postgres dbname=my_db"




      • connect myself by a DB visual tool (TeamSql, it's like PgAdmin or MysqlWorkbench): OK !



    2. Generate keys and certificates;
      I've followed a tutorial online (everything following in "" is a parameter that I've hide)



    Create the server key



    openssl genrsa -des3 -out server.key 1024
    chmod 400 server.key
    chown postgres.postgres server.key
    openssl req -new -key server.key -days 3650 -out server.crt -x509 -subj '/C=FR/ST=[MyCountry]/L=[MyCity]/O=[MyCompany]/CN=postgres/emailAddress=[my@email.com]'


    Assume that the root certificate is the same



    cp server.crt root.crt


    After that, generate client side. First, the key



    openssl genrsa -des3 -out /tmp/postgresql.key 1024


    Then the CSR



    openssl req -new -key /tmp/postgresql.key -out /tmp/postgresql.csr -subj '/C=FR/ST=[MyCountry]/L=[MyCity]/O=[MyCompany]/CN=postgres'


    And finally the CRT



    openssl x509 -req -in /tmp/postgresql.csr -CA root.crt -CAkey server.key -out /tmp/postgresql.crt -CAcreateserial



    1. Activation of SSL on server side.
      In the PG_HBA.CONF file, add a specific line to handles SSL connections from outside


    enter image description here



    In the POSTGRESQL.CONF file, modify those lines:



    listen_addresses = '*'
    [...]
    ssl = on
    [...]
    ssl_cert_file = 'server.crt'
    ssl_key_file = 'server.key'
    ssl_ca_file = 'root.crt'



    1. Retrieves postgresql.key, postgresql.crt and root.crt files on my computer, in the /home/user/.postgresql/ folder.
      Also changed rights on the postgresql.key file (600)



    2. Try the first step again. In case of command line, everything is ok. But with the visual tool, even with the SSL option activated (and using the same three files) there is two results:




      • with "Reject Unauthorized" option set to OFF: it's working


      • with "Reject Unauthorized" option set to ON: got an error






    Hostname/IP doesn't match certificate's altnames: "IP: X.X.X.X is not
    in the cert's list: "




    (with X.X.X.X my server IP)



    So my question is: did I do everything fine? Why there is a difference between the command line connection and the visual tool one?
    Is the certificates generation's ok?



    Of course, I don't want a real CA Certification. I'm looking for a self-signed one, but even if I've followed different tutorials, it's still not working...
    Thanks for your help and have a good weekend










    share|improve this question

























      0












      0








      0








      I'm new on SSL, so I've started by reading lot of tutorials, topics, forum...
      There is lot of information, and it's a bit complicated.
      I'm trying to make a SSL connection between my computer and a Postgresql instance on a different server. To do that, I've worked step by step.





      1. Check that the connection between the two is working without SSL




        • connect myself by command line: OK !


        psql "hostaddr=X.X.X.X port=5432 user=postgres dbname=my_db"




        • connect myself by a DB visual tool (TeamSql, it's like PgAdmin or MysqlWorkbench): OK !



      2. Generate keys and certificates;
        I've followed a tutorial online (everything following in "" is a parameter that I've hide)



      Create the server key



      openssl genrsa -des3 -out server.key 1024
      chmod 400 server.key
      chown postgres.postgres server.key
      openssl req -new -key server.key -days 3650 -out server.crt -x509 -subj '/C=FR/ST=[MyCountry]/L=[MyCity]/O=[MyCompany]/CN=postgres/emailAddress=[my@email.com]'


      Assume that the root certificate is the same



      cp server.crt root.crt


      After that, generate client side. First, the key



      openssl genrsa -des3 -out /tmp/postgresql.key 1024


      Then the CSR



      openssl req -new -key /tmp/postgresql.key -out /tmp/postgresql.csr -subj '/C=FR/ST=[MyCountry]/L=[MyCity]/O=[MyCompany]/CN=postgres'


      And finally the CRT



      openssl x509 -req -in /tmp/postgresql.csr -CA root.crt -CAkey server.key -out /tmp/postgresql.crt -CAcreateserial



      1. Activation of SSL on server side.
        In the PG_HBA.CONF file, add a specific line to handles SSL connections from outside


      enter image description here



      In the POSTGRESQL.CONF file, modify those lines:



      listen_addresses = '*'
      [...]
      ssl = on
      [...]
      ssl_cert_file = 'server.crt'
      ssl_key_file = 'server.key'
      ssl_ca_file = 'root.crt'



      1. Retrieves postgresql.key, postgresql.crt and root.crt files on my computer, in the /home/user/.postgresql/ folder.
        Also changed rights on the postgresql.key file (600)



      2. Try the first step again. In case of command line, everything is ok. But with the visual tool, even with the SSL option activated (and using the same three files) there is two results:




        • with "Reject Unauthorized" option set to OFF: it's working


        • with "Reject Unauthorized" option set to ON: got an error






      Hostname/IP doesn't match certificate's altnames: "IP: X.X.X.X is not
      in the cert's list: "




      (with X.X.X.X my server IP)



      So my question is: did I do everything fine? Why there is a difference between the command line connection and the visual tool one?
      Is the certificates generation's ok?



      Of course, I don't want a real CA Certification. I'm looking for a self-signed one, but even if I've followed different tutorials, it's still not working...
      Thanks for your help and have a good weekend










      share|improve this question














      I'm new on SSL, so I've started by reading lot of tutorials, topics, forum...
      There is lot of information, and it's a bit complicated.
      I'm trying to make a SSL connection between my computer and a Postgresql instance on a different server. To do that, I've worked step by step.





      1. Check that the connection between the two is working without SSL




        • connect myself by command line: OK !


        psql "hostaddr=X.X.X.X port=5432 user=postgres dbname=my_db"




        • connect myself by a DB visual tool (TeamSql, it's like PgAdmin or MysqlWorkbench): OK !



      2. Generate keys and certificates;
        I've followed a tutorial online (everything following in "" is a parameter that I've hide)



      Create the server key



      openssl genrsa -des3 -out server.key 1024
      chmod 400 server.key
      chown postgres.postgres server.key
      openssl req -new -key server.key -days 3650 -out server.crt -x509 -subj '/C=FR/ST=[MyCountry]/L=[MyCity]/O=[MyCompany]/CN=postgres/emailAddress=[my@email.com]'


      Assume that the root certificate is the same



      cp server.crt root.crt


      After that, generate client side. First, the key



      openssl genrsa -des3 -out /tmp/postgresql.key 1024


      Then the CSR



      openssl req -new -key /tmp/postgresql.key -out /tmp/postgresql.csr -subj '/C=FR/ST=[MyCountry]/L=[MyCity]/O=[MyCompany]/CN=postgres'


      And finally the CRT



      openssl x509 -req -in /tmp/postgresql.csr -CA root.crt -CAkey server.key -out /tmp/postgresql.crt -CAcreateserial



      1. Activation of SSL on server side.
        In the PG_HBA.CONF file, add a specific line to handles SSL connections from outside


      enter image description here



      In the POSTGRESQL.CONF file, modify those lines:



      listen_addresses = '*'
      [...]
      ssl = on
      [...]
      ssl_cert_file = 'server.crt'
      ssl_key_file = 'server.key'
      ssl_ca_file = 'root.crt'



      1. Retrieves postgresql.key, postgresql.crt and root.crt files on my computer, in the /home/user/.postgresql/ folder.
        Also changed rights on the postgresql.key file (600)



      2. Try the first step again. In case of command line, everything is ok. But with the visual tool, even with the SSL option activated (and using the same three files) there is two results:




        • with "Reject Unauthorized" option set to OFF: it's working


        • with "Reject Unauthorized" option set to ON: got an error






      Hostname/IP doesn't match certificate's altnames: "IP: X.X.X.X is not
      in the cert's list: "




      (with X.X.X.X my server IP)



      So my question is: did I do everything fine? Why there is a difference between the command line connection and the visual tool one?
      Is the certificates generation's ok?



      Of course, I don't want a real CA Certification. I'm looking for a self-signed one, but even if I've followed different tutorials, it's still not working...
      Thanks for your help and have a good weekend







      postgresql ssl teamsql






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Nov 23 '18 at 16:41









      AntoineAntoine

      1116




      1116
























          0






          active

          oldest

          votes











          Your Answer






          StackExchange.ifUsing("editor", function () {
          StackExchange.using("externalEditor", function () {
          StackExchange.using("snippets", function () {
          StackExchange.snippets.init();
          });
          });
          }, "code-snippets");

          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "1"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53450299%2fssl-postgres-connection-with-self-signed-certificate%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          0






          active

          oldest

          votes








          0






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes
















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Stack Overflow!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53450299%2fssl-postgres-connection-with-self-signed-certificate%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          Feedback on college project

          Futebolista

          Albești (Vaslui)