Score:1

"self signed certificate in certificate chain", Server or Client?


I'm creating an SSL connection between a pg DB server and a node client. After following some docs and implementing it with openssl, node complains "self signed certificate in certificate chain". Adding the cert to Windows' cert store doesn't help.

openssl for DB Server based on pg doc:

```
openssl req -new -x509 -days 3650 -nodes -text -out serverdb.crt -keyout serverdb.key -subj "/CN=localhost"
Generating a RSA private key
writing new private key to 'serverdb.key'

openssl req -new -nodes -text -out rootdb.csr -keyout rootdb.key -subj "/CN=localhost"
Generating a RSA private key
writing new private key to 'rootdb.key'

openssl x509 -req -in rootdb.csr -text -days 3650 -extfile cnf\openssl.cnf -extensions v3_ca -signkey rootdb.key -out rootdb.crt
Signature ok
subject=CN = localhost
Getting Private key

openssl req -new -nodes -text -out serverdb.csr -keyout serverdb.key -subj "/CN=localhot"
Generating a RSA private key
writing new private key to 'serverdb.key'

openssl x509 -req -in serverdb.csr -text -days 3650 -CA rootdb.crt -CAkey rootdb.key -CAcreateserial -out serverdb.crt
Signature ok
subject=CN = localhot
Getting CA Private Key
```

openssl for node client:

```
openssl genrsa -des3 -out clientToDB.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
//rem removing passphrase
openssl rsa -in clientToDB.key -out clientToDB.key
writing RSA key

//rem 2.8 Create the certificate postgresql.crt.
openssl req -new -key clientToDB.key -out clientToDB.csr
...
Common Name (e.g. server FQDN or YOUR name) []:localhost
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

//rem 2.9 Sign it using the trusted root certificate:
openssl x509 -req -in clientToDB.csr -CA rootdb.crt -CAkey rootdb.key -out clientToDB.crt -CAcreateserial
Signature ok
Getting CA Private Key
```

postgresql.conf

```
ssl = on
ssl_cert_file = 'serverdb.crt'
ssl_key_file = 'serverdb.key'
ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'
ssl_prefer_server_ciphers = on
ssl_ca_file = 'rootdb.crt'
ssl_crl_file = ''
```

node ssl setting:

```js
ssl: {
    rejectUnauthorized: true,      // false works
    ca: fs.readFileSync("serverdb.crt").toString(),
    key: fs.readFileSync("clientToDB.key").toString(),
    cert: fs.readFileSync("clientToDB.crt").toString()
}
```

Environment is

Windows 10, pg and node both local, localhost
openssl v1.1.1k
node v14
no company firewall
Steffen Ullrich

`ca: fs.readFileSync("serverdb.crt").toString(),` - the server-side root CA is rootdb.crt, not serverdb.crt. Apart from that, your commands are confusing since you first create serverdb.* in the first command and then simply overwrite it in the next commands.
Jeb50

@SteffenUllrich Commands are based on [pg's doc](https://www.postgresql.org/docs/13/ssl-tcp.html#SSL-CERTIFICATE-CREATION). After replacing `serverdb.crt` with `rootdb.crt`, I got `code:'DEPTH_ZERO_SELF_SIGNED_CERT' message:'self signed certificate'`
Steffen Ullrich

*"Commands are based on pg's doc."* - you are mixing commands from the documentation which are not supposed to be mixed. It documents two ways: self-signed certs and CA-issued certs, and each is supposed to be used only one way. It also explains when which should be used. Please read the documentation in more detail.
Jeb50

@SteffenUllrich Appreciate the guidance.
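To make the comment thread concrete, here is an added example (my own script, not code from the question or from the PostgreSQL docs) that rebuilds the two setups the docs describe in separate directories and runs the chain check a client with `rejectUnauthorized: true` performs (hostname matching aside) with `openssl verify`. It assumes the `openssl` binary is on PATH; the file names mirror the question, and "Example Root CA" is a made-up subject.

```shell
#!/bin/sh
# Added example, not from the question or the PostgreSQL docs. Assumes openssl on PATH.
set -eu

# Setup A: a single self-signed server certificate (the docs' simple way).
# The client's trust anchor is that same file.
make_self_signed() {                      # $1 = working directory
    mkdir -p "$1"
    openssl req -new -x509 -days 3650 -nodes -newkey rsa:2048 \
        -subj "/CN=localhost" -keyout "$1/serverdb.key" \
        -out "$1/serverdb.crt" 2>/dev/null
}

# Setup B: a private root CA that issues the server certificate (the docs' CA way).
# The client's trust anchor is rootdb.crt, never the server's own certificate.
make_ca_issued() {                        # $1 = working directory
    mkdir -p "$1"
    printf '[ v3_ca ]\nbasicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' \
        > "$1/openssl.cnf"
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=Example Root CA" \
        -keyout "$1/rootdb.key" -out "$1/rootdb.csr" 2>/dev/null
    openssl x509 -req -days 3650 -in "$1/rootdb.csr" -signkey "$1/rootdb.key" \
        -extfile "$1/openssl.cnf" -extensions v3_ca -out "$1/rootdb.crt" 2>/dev/null
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=localhost" \
        -keyout "$1/serverdb.key" -out "$1/serverdb.csr" 2>/dev/null
    openssl x509 -req -days 3650 -in "$1/serverdb.csr" -CA "$1/rootdb.crt" \
        -CAkey "$1/rootdb.key" -CAcreateserial -out "$1/serverdb.crt" 2>/dev/null
}

# The chain check node does with rejectUnauthorized: true (hostname check aside).
# $1 = file passed as `ca`, $2 = certificate the server presents. Prints ok or fail.
client_verify() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

work=$(mktemp -d)
make_self_signed "$work/a"
make_ca_issued "$work/b"
echo "A self-signed, ca=serverdb.crt: $(client_verify "$work/a/serverdb.crt" "$work/a/serverdb.crt")"
echo "B CA-issued,   ca=rootdb.crt:   $(client_verify "$work/b/rootdb.crt" "$work/b/serverdb.crt")"
echo "B CA-issued,   ca=serverdb.crt: $(client_verify "$work/b/serverdb.crt" "$work/b/serverdb.crt")"
```

The third line reproduces the question's failure: in the CA-issued setup the server certificate is not self-signed, so a trust store holding only that file cannot complete the chain, and the client must be given rootdb.crt instead.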