Discussion: SSL cert "not initialized" error with logical replication with 13.11
Hi all,

After upgrading to 13.11, Publisher no longer accepts cert of subscriber. Certs have been issued by internal CA.

Subscriber:

,DEBUG,00000,"starting logical replication worker for subscription ""meteo""",,,,,,,,,"","logical replication launcher"
EBUG,00000,"registering background worker ""logical replication worker for subscription 16486""",,,,,,,,,"","postmaster"
EBUG,00000,"starting background worker process ""logical replication worker for subscription 16486""",,,,,,,,,"","postmaster"
0,LOG,00000,"logical replication apply worker for subscription ""meteo"" has started",,,,,,,,,"","logical replication worker"
EBUG,00000,"connecting to publisher using connection string ""host=<some FQDN> port=5432 user=replicator dbname=operations""",,,,,,,,,"","logicalreplication worker"
RROR,XX000,"could not connect to the publisher: SSL error: sslv3 alert certificate expired",,,,,,,,,"","logical replicationworker"
EBUG,00000,"unregistering background worker ""logical replication worker for subscription 16486""",,,,,,,,,"","postmaster"
OG,00000,"background worker ""logical replication worker"" (PID 92845) exited with exit code 1",,,,,,,,,"","postmaster"

Server cert:
Not Before: Aug 18 09:12:35 2022 GMT
Not After : Aug 29 09:12:35 2023 GMT

Publisher:

"connection received: host=<some IP6> port=32501",,,,,,,,,"","not initialized"
"could not accept SSL connection: certificate verify failed",,,,,,,,,"","not initialized"

Server cert:
Version: 3 (0x2)
Serial Number: 37:19:dc:15:5c:e7:4e:b8:46:b0:a7:49:73:6a:9b:fa:c3:27:a0:6b
Signature Algorithm: sha384WithRSAEncryption
Issuer: <…> internal CA
Validity
Not Before: Aug 18 09:12:35 2022 GMT
Not After : Aug 29 09:12:35 2023 GMT
Subject: CN = <some FQDN>
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)

What has changed with SSL in 13.11? How can I find out what really goes wrong here? How to fix it?

Any help appreciated,
Axel
---
PGP-Key: CDE74120 ☀ mobile: +49 160 7568212
computing @ chaos claudius
Axel Rau <Axel.Rau@chaos1.de> writes:
> After upgrading to 13.11, Publisher no longer accepts cert of subscriber.

The error is pretty clear:

> RROR,XX000,"could not connect to the publisher: SSL error: sslv3 alert certificate expired",,,,,,,,,"","logical replicationworker"

> Server cert:
> Not Before: Aug 18 09:12:35 2022 GMT
> Not After : Aug 29 09:12:35 2023 GMT

How sure are you that that cert is the one the publisher is using?

Also, maybe the complaint is about a cert being used by the subscriber, not the publisher? I don't think this error message would distinguish that.

regards, tom lane
On Wed, Jun 21, 2023 at 6:11 AM Axel Rau <Axel.Rau@chaos1.de> wrote:
> Hi all,
> After upgrading to 13.11, Publisher no longer accepts cert of subscriber.

What did you upgrade from? How did you do the upgrade?

> Publisher:
> "connection received: host=<some IP6> port=32501",,,,,,,,,"","not initialized"
> "could not accept SSL connection: certificate verify failed",,,,,,,,,"","not initialized"

Your log files appear to have been mutilated. What column is 'not initialized' appearing in?

> Server cert:
> ...
> Validity
> Not Before: Aug 18 09:12:35 2022 GMT
> Not After : Aug 29 09:12:35 2023 GMT

What about the validity of the CA?
Cheers,
Jeff
Hello
An expired CA certificate could also cause the "SSL error: sslv3 alert certificate expired" error. You should check the validity of your CA certificate.

You can use this openssl command to verify your CA and your server certificate, and see if it gives the same "certificate verify failed" error:

openssl verify -verbose -CAfile $PATH_TO_CACERT $PATH_TO_SERVER_CERT

Or it could be that your server clock is wrong, which is unlikely though.
best regards
Cary Huang
-----------------------------
Highgo Software (Canada)
www.highgo.ca
The server certs were ok, but the client cert for user replicator was not updated.

On 21.06.2023 at 15:53, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> How sure are you that that cert is the one the publisher is using?
> Also, maybe the complaint is about a cert being used by the subscriber,
> not the publisher? I don't think this error message would distinguish
> that.

hostssl operations replicator <some IP>/32 cert clientcert=1
Thanks to all, who responded, for your tips,
Axel
---
PGP-Key: CDE74120 ☀ mobile: +49 160 7568212
computing @ chaos claudius
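An added example, not code from the thread or from PostgreSQL, that puts Cary's openssl check and Axel's finding together: it checks expiry and chain validity for all three certificates a clientcert=1 connection depends on, the CA, the publisher's server cert and the subscriber's client cert. Every path is an argument; the certificates the demo builds are constructed test data that reproduce the thread's situation (server cert fine, client cert about to expire).

```shell
#!/bin/sh
# Added example, not code from the thread: check the three certificates a
# "hostssl ... cert clientcert=1" replication connection depends on (CA,
# publisher's server cert, subscriber's client cert) for expiry and chain.
# Requires openssl on PATH; every file path is passed in as an argument.

# cert_ok_for CERT SECONDS: 0 if CERT is still valid SECONDS from now.
cert_ok_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# cert_chains_to CA CERT: 0 if CERT verifies against CA (expiry included).
cert_chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# check_replication_certs CA SERVER CLIENT [SECONDS]
# Prints one line per finding; its exit status is the number of failed checks.
check_replication_certs() {
    ca=$1 srv=$2 cli=$3 win=${4:-604800}    # default window: 7 days
    fails=0
    for f in "$ca" "$srv" "$cli"; do
        cert_ok_for "$f" "$win" || { echo "expires within ${win}s: $f"; fails=$((fails + 1)); }
    done
    for f in "$srv" "$cli"; do
        cert_chains_to "$ca" "$f" || { echo "does not verify against $ca: $f"; fails=$((fails + 1)); }
    done
    return "$fails"
}

# make_demo_certs DIR: constructed test data, an internal CA, a server cert
# good for a year and a client cert good for only one day.
make_demo_certs() {
    d=$1 new="-batch -nodes -newkey rsa:2048"
    openssl req -x509 $new -keyout "$d/ca.key" -out "$d/ca.crt" -days 365 -subj "/CN=Internal CA" 2>/dev/null
    openssl req $new -keyout "$d/srv.key" -out "$d/srv.csr" -subj "/CN=publisher.example" 2>/dev/null
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/srv.crt" -days 365 2>/dev/null
    openssl req $new -keyout "$d/cli.key" -out "$d/cli.csr" -subj "/CN=replicator" 2>/dev/null
    openssl x509 -req -in "$d/cli.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/cli.crt" -days 1 2>/dev/null
}

# Stand-alone run: build the demo set and report on it.
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    make_demo_certs "$dir"
    check_replication_certs "$dir/ca.crt" "$dir/srv.crt" "$dir/cli.crt"
    echo "failed checks: $?"
fi
```

On the subscriber, the client cert to pass in is the file named by sslcert in the subscription's connection string, or ~/.postgresql/postgresql.crt of the OS user running the apply worker when sslcert is not given.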