I'm trying to set up a postgres server (version 10.4) with openssl access only. I created a self-signed CA and the necessary private and public keys for the user and the server with easyrsa version 3 as described here and put them in the directories as stated here. Afterwards I added this line
hostssl all myname 192.168.0.0/16 cert
to the pg_hba.conf
as described here and here
But when I try to connect to the database with
psql -h 192.168.0.222 "sslmode=verify-ca sslcert=myname.crt sslkey=myname.key"
this error message pops up
couldn't read certificate "myname.crt": ca md too weak
and in the server log
couldn't accept SSL-connection: success
(maybe the messages are not literally correct, I translated them from German)
That is funny, because when I look at my certificates with
easyrsa show-cert myname
I see the following lines (and more):
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
don't show it here
Signature Algorithm: sha256WithRSAEncryption
and the same for my root certificate ca.crt and the certificate for the postgres server. So obviously the certificates are signed with the sha256 method and not with md.
What is even funnier is that it worked in the beginning, and some days later, when I tried it again, the above-mentioned error message appeared, and I'm quite sure that I didn't change any configuration in the meantime. Maybe some update of openssl or postgresql happened in between.
Check the openssl*.cnf file that you used with Easy-RSA. In the [ CA_default ] section there is an option default_md that should be set to sha256.
If you actually used the easyrsa script that comes with current 3.x versions of Easy-RSA then this is already set correctly in the openssl*.cnf file that ships with it. If you used a 2.x Easy-RSA version then you will need to edit this yourself.
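As an added example (not part of the question or of this answer), here is a small POSIX shell script that performs the two checks the answer implies: it reads default_md from the [ CA_default ] section only (a default_md under [ req ] or elsewhere does not govern CA signing), and it prints the signature algorithm that each certificate in the chain was actually signed with, since a config fix does not repair certificates that were already issued with a weak digest. The file names in the usage line (pki/openssl-easyrsa.cnf, ca.crt, server.crt, myname.crt) are assumptions; pass your own paths.

```shell
#!/bin/sh
# Added example, not from the original post. Checks the [ CA_default ]
# default_md setting in an Easy-RSA openssl*.cnf and the signature
# algorithm of each issued certificate. File names are assumptions.

# Print the default_md value from the [ CA_default ] section only.
# A default_md under [ req ] or another section does not apply to CA signing.
ca_default_md() {
    awk '
        /^[ \t]*\[/ {                       # section header, e.g. "[ CA_default ]"
            sec = $0
            sub(/^[ \t]*\[[ \t]*/, "", sec)
            sub(/[ \t]*\].*$/, "", sec)
            next
        }
        sec == "CA_default" && /^[ \t]*default_md[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")        # drop "default_md ="
            sub(/[ \t]*(#.*)?$/, "")        # drop trailing comment and whitespace
            print
            exit
        }
    ' "$1"
}

# Exit 0 if the digest is one a current OpenSSL rejects for CA signatures
# ("ca md too weak"), or if the option is missing altogether.
md_is_weak() {
    case "$1" in
        ""|md2|md4|md5|sha|sha1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the signature algorithm of a PEM certificate (needs the openssl CLI).
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk '/Signature Algorithm:/ { print $3; exit }'
}

# $1 = openssl*.cnf, remaining args = certificates in the chain to inspect.
check_easyrsa_setup() {
    cnf=$1; shift
    md=$(ca_default_md "$cnf")
    if md_is_weak "$md"; then
        echo "WARN: [ CA_default ] default_md is '${md:-unset}' in $cnf; set it to sha256"
    else
        echo "ok:   [ CA_default ] default_md = $md"
    fi
    # Certificates already signed with a weak digest stay weak after the
    # cnf is fixed; the CA, server and client certificates must be re-issued.
    for cert in "$@"; do
        alg=$(cert_sig_alg "$cert")
        case "$alg" in
            sha256*|sha384*|sha512*|ecdsa-with-SHA2*|ecdsa-with-SHA384|ecdsa-with-SHA512|ED25519|ED448)
                echo "ok:   $cert signed with $alg" ;;
            "")  echo "WARN: could not read $cert (missing file or no openssl CLI)" ;;
            *)   echo "WARN: $cert signed with $alg; re-issue it" ;;
        esac
    done
}

# Usage (paths are assumptions):
#   sh check-easyrsa-md.sh pki/openssl-easyrsa.cnf pki/ca.crt pki/issued/server.crt pki/issued/myname.crt
if [ "$#" -ge 1 ]; then
    check_easyrsa_setup "$@"
fi
```

Run it against the cnf Easy-RSA actually used (the one named in its vars or the openssl-easyrsa.cnf next to the easyrsa script), not a system-wide openssl.cnf, and list ca.crt plus every server and client certificate: if any of them reports md5 or sha1, re-issue it after fixing default_md, because the error is raised about what the certificate carries, not about what the config says now.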