SSL POSTGRES connection with self-signed certificate
I'm new on SSL, so I've started by reading lot of tutorials, topics, forum...
There is lot of information, and it's a bit complicated.
I'm trying to make a SSL connection between my computer and a Postgresql instance on a different server. To do that, I've worked step by step.
Check that the connection between the two is working without SSL
- connect myself by command line: OK !
psql "hostaddr=X.X.X.X port=5432 user=postgres dbname=my_db"
- connect myself by a DB visual tool (TeamSql, it's like PgAdmin or MysqlWorkbench): OK !
Generate keys and certificates;
I've followed a tutorial online (everything following in "" is a parameter that I've hide)
Create the server key
openssl genrsa -des3 -out server.key 1024
chmod 400 server.key
chown postgres.postgres server.key
openssl req -new -key server.key -days 3650 -out server.crt -x509 -subj '/C=FR/ST=[MyCountry]/L=[MyCity]/O=[MyCompany]/CN=postgres/emailAddress=[my@email.com]'
Assume that the root certificate is the same
cp server.crt root.crt
After that, generate client side. First, the key
openssl genrsa -des3 -out /tmp/postgresql.key 1024
Then the CSR
openssl req -new -key /tmp/postgresql.key -out /tmp/postgresql.csr -subj '/C=FR/ST=[MyCountry]/L=[MyCity]/O=[MyCompany]/CN=postgres'
And finally the CRT
openssl x509 -req -in /tmp/postgresql.csr -CA root.crt -CAkey server.key -out /tmp/postgresql.crt -CAcreateserial
- Activation of SSL on server side.
In the PG_HBA.CONF file, add a specific line to handles SSL connections from outside

In the POSTGRESQL.CONF file, modify those lines:
listen_addresses = '*'
[...]
ssl = on
[...]
ssl_cert_file = 'server.crt'
ssl_key_file = 'server.key'
ssl_ca_file = 'root.crt'
Retrieves postgresql.key, postgresql.crt and root.crt files on my computer, in the /home/user/.postgresql/ folder.
Also changed rights on the postgresql.key file (600)
Try the first step again. In case of command line, everything is ok. But with the visual tool, even with the SSL option activated (and using the same three files) there is two results:
with "Reject Unauthorized" option set to OFF: it's working
with "Reject Unauthorized" option set to ON: got an error
Hostname/IP doesn't match certificate's altnames: "IP: X.X.X.X is not
in the cert's list: "
(with X.X.X.X my server IP)
So my question is: did I do everything fine? Why there is a difference between the command line connection and the visual tool one?
Is the certificates generation's ok?
Of course, I don't want a real CA Certification. I'm looking for a self-signed one, but even if I've followed different tutorials, it's still not working...
Thanks for your help and have a good weekend
postgresql ssl teamsql
add a comment |
I'm new on SSL, so I've started by reading lot of tutorials, topics, forum...
There is lot of information, and it's a bit complicated.
I'm trying to make a SSL connection between my computer and a Postgresql instance on a different server. To do that, I've worked step by step.
Check that the connection between the two is working without SSL
- connect myself by command line: OK !
psql "hostaddr=X.X.X.X port=5432 user=postgres dbname=my_db"
- connect myself by a DB visual tool (TeamSql, it's like PgAdmin or MysqlWorkbench): OK !
Generate keys and certificates;
I've followed a tutorial online (everything following in "" is a parameter that I've hide)
Create the server key
openssl genrsa -des3 -out server.key 1024
chmod 400 server.key
chown postgres.postgres server.key
openssl req -new -key server.key -days 3650 -out server.crt -x509 -subj '/C=FR/ST=[MyCountry]/L=[MyCity]/O=[MyCompany]/CN=postgres/emailAddress=[my@email.com]'
Assume that the root certificate is the same
cp server.crt root.crt
After that, generate client side. First, the key
openssl genrsa -des3 -out /tmp/postgresql.key 1024
Then the CSR
openssl req -new -key /tmp/postgresql.key -out /tmp/postgresql.csr -subj '/C=FR/ST=[MyCountry]/L=[MyCity]/O=[MyCompany]/CN=postgres'
And finally the CRT
openssl x509 -req -in /tmp/postgresql.csr -CA root.crt -CAkey server.key -out /tmp/postgresql.crt -CAcreateserial
- Activation of SSL on server side.
In the PG_HBA.CONF file, add a specific line to handles SSL connections from outside

In the POSTGRESQL.CONF file, modify those lines:
listen_addresses = '*'
[...]
ssl = on
[...]
ssl_cert_file = 'server.crt'
ssl_key_file = 'server.key'
ssl_ca_file = 'root.crt'
Retrieves postgresql.key, postgresql.crt and root.crt files on my computer, in the /home/user/.postgresql/ folder.
Also changed rights on the postgresql.key file (600)
Try the first step again. In case of command line, everything is ok. But with the visual tool, even with the SSL option activated (and using the same three files) there is two results:
with "Reject Unauthorized" option set to OFF: it's working
with "Reject Unauthorized" option set to ON: got an error
Hostname/IP doesn't match certificate's altnames: "IP: X.X.X.X is not
in the cert's list: "
(with X.X.X.X my server IP)
So my question is: did I do everything fine? Why there is a difference between the command line connection and the visual tool one?
Is the certificates generation's ok?
Of course, I don't want a real CA Certification. I'm looking for a self-signed one, but even if I've followed different tutorials, it's still not working...
Thanks for your help and have a good weekend
postgresql ssl teamsql
add a comment |
I'm new on SSL, so I've started by reading lot of tutorials, topics, forum...
There is lot of information, and it's a bit complicated.
I'm trying to make a SSL connection between my computer and a Postgresql instance on a different server. To do that, I've worked step by step.
Check that the connection between the two is working without SSL
- connect myself by command line: OK !
psql "hostaddr=X.X.X.X port=5432 user=postgres dbname=my_db"
- connect myself by a DB visual tool (TeamSql, it's like PgAdmin or MysqlWorkbench): OK !
Generate keys and certificates;
I've followed a tutorial online (everything following in "" is a parameter that I've hide)
Create the server key
openssl genrsa -des3 -out server.key 1024
chmod 400 server.key
chown postgres.postgres server.key
openssl req -new -key server.key -days 3650 -out server.crt -x509 -subj '/C=FR/ST=[MyCountry]/L=[MyCity]/O=[MyCompany]/CN=postgres/emailAddress=[my@email.com]'
Assume that the root certificate is the same
cp server.crt root.crt
After that, generate client side. First, the key
openssl genrsa -des3 -out /tmp/postgresql.key 1024
Then the CSR
openssl req -new -key /tmp/postgresql.key -out /tmp/postgresql.csr -subj '/C=FR/ST=[MyCountry]/L=[MyCity]/O=[MyCompany]/CN=postgres'
And finally the CRT
openssl x509 -req -in /tmp/postgresql.csr -CA root.crt -CAkey server.key -out /tmp/postgresql.crt -CAcreateserial
- Activation of SSL on server side.
In the PG_HBA.CONF file, add a specific line to handles SSL connections from outside

In the POSTGRESQL.CONF file, modify those lines:
listen_addresses = '*'
[...]
ssl = on
[...]
ssl_cert_file = 'server.crt'
ssl_key_file = 'server.key'
ssl_ca_file = 'root.crt'
Retrieves postgresql.key, postgresql.crt and root.crt files on my computer, in the /home/user/.postgresql/ folder.
Also changed rights on the postgresql.key file (600)
Try the first step again. In case of command line, everything is ok. But with the visual tool, even with the SSL option activated (and using the same three files) there is two results:
with "Reject Unauthorized" option set to OFF: it's working
with "Reject Unauthorized" option set to ON: got an error
Hostname/IP doesn't match certificate's altnames: "IP: X.X.X.X is not
in the cert's list: "
(with X.X.X.X my server IP)
So my question is: did I do everything fine? Why there is a difference between the command line connection and the visual tool one?
Is the certificates generation's ok?
Of course, I don't want a real CA Certification. I'm looking for a self-signed one, but even if I've followed different tutorials, it's still not working...
Thanks for your help and have a good weekend
postgresql ssl teamsql
I'm new on SSL, so I've started by reading lot of tutorials, topics, forum...
There is lot of information, and it's a bit complicated.
I'm trying to make a SSL connection between my computer and a Postgresql instance on a different server. To do that, I've worked step by step.
Check that the connection between the two is working without SSL
- connect myself by command line: OK !
psql "hostaddr=X.X.X.X port=5432 user=postgres dbname=my_db"
- connect myself by a DB visual tool (TeamSql, it's like PgAdmin or MysqlWorkbench): OK !
Generate keys and certificates;
I've followed a tutorial online (everything following in "" is a parameter that I've hide)
Create the server key
openssl genrsa -des3 -out server.key 1024
chmod 400 server.key
chown postgres.postgres server.key
openssl req -new -key server.key -days 3650 -out server.crt -x509 -subj '/C=FR/ST=[MyCountry]/L=[MyCity]/O=[MyCompany]/CN=postgres/emailAddress=[my@email.com]'
Assume that the root certificate is the same
cp server.crt root.crt
After that, generate client side. First, the key
openssl genrsa -des3 -out /tmp/postgresql.key 1024
Then the CSR
openssl req -new -key /tmp/postgresql.key -out /tmp/postgresql.csr -subj '/C=FR/ST=[MyCountry]/L=[MyCity]/O=[MyCompany]/CN=postgres'
And finally the CRT
openssl x509 -req -in /tmp/postgresql.csr -CA root.crt -CAkey server.key -out /tmp/postgresql.crt -CAcreateserial
- Activation of SSL on server side.
In the PG_HBA.CONF file, add a specific line to handles SSL connections from outside

In the POSTGRESQL.CONF file, modify those lines:
listen_addresses = '*'
[...]
ssl = on
[...]
ssl_cert_file = 'server.crt'
ssl_key_file = 'server.key'
ssl_ca_file = 'root.crt'
Retrieves postgresql.key, postgresql.crt and root.crt files on my computer, in the /home/user/.postgresql/ folder.
Also changed rights on the postgresql.key file (600)
Try the first step again. In case of command line, everything is ok. But with the visual tool, even with the SSL option activated (and using the same three files) there is two results:
with "Reject Unauthorized" option set to OFF: it's working
with "Reject Unauthorized" option set to ON: got an error
Hostname/IP doesn't match certificate's altnames: "IP: X.X.X.X is not
in the cert's list: "
(with X.X.X.X my server IP)
So my question is: did I do everything fine? Why there is a difference between the command line connection and the visual tool one?
Is the certificates generation's ok?
Of course, I don't want a real CA Certification. I'm looking for a self-signed one, but even if I've followed different tutorials, it's still not working...
Thanks for your help and have a good weekend
postgresql ssl teamsql
postgresql ssl teamsql
asked Nov 23 '18 at 16:41
AntoineAntoine
1116
1116
add a comment |
add a comment |
0
active
oldest
votes
Your Answer
StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53450299%2fssl-postgres-connection-with-self-signed-certificate%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
0
active
oldest
votes
0
active
oldest
votes
active
oldest
votes
active
oldest
votes
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53450299%2fssl-postgres-connection-with-self-signed-certificate%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown