
I am trying to enable SSL connections and verify certificates for Postgres running in Docker. I found this blog: postgres using ssl. I followed some instructions from it and was able to connect via the psql command. However, when I try to connect from another application of mine, it throws the error below:

error: x509: cannot validate certificate for because it doesn't contain any IP SANs

I tried adding SAN to the client certificate:

openssl req -new -key client.key -subj "/CN=test" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=IP: ip address of docker ")) -out client.csr

and verified it with the command below:

openssl req -in client.csr -text -noout

However, I still see the same problem as above: "doesn't contain IP SANs".

Would someone be able to point out what might be wrong here? Thanks!

Update: Below is the full set of commands I used to generate server and client keys and certificates:

openssl genrsa -des3 -out root.key 4096

openssl rsa -in root.key -out root.key

openssl req -new -x509 -days 365 -subj "/CN=postgres" -key root.key -out root.crt

openssl genrsa -des3 -out server.key 4096

openssl rsa -in server.key -out server.key

openssl req -new -key server.key -subj "/CN=" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=IP:ip address")) -text -out server.csr

openssl x509 -req -in server.csr -text -days 365 -CA root.crt -CAkey root.key -CAcreateserial -out server.crt

openssl genrsa -out client.key 4096

openssl rsa -in client.key -out client.key

openssl req -new -key client.key -subj "/CN=test" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=IP:ip address")) -out client.csr

openssl x509 -req -in client.csr -CA root.crt -CAkey root.key -CAcreateserial -days 365 -text -out client.crt

pree
  • 1
    `openssl req -in client.csr -text -noout` only shows if the CSR has any IP SANs. Does the **certificate** itself that was signed by the CA have any IP SANs? `openssl x509 -in client.cer -noout -text` should show them. If you have a PKCS12 `p12` file, something like: `openssl pkcs12 -in client.p12 -nokeys | openssl x509 -noout -text` should work. – Andrew Henle May 13 '21 at 01:27
  • @AndrewHenle As you pointed out, I ran the command openssl x509 -in client.crt -noout -text and didn't see IP SANs like I saw in CSR. What is the method to include IP SANs in the certificate as well? I also updated my question to include complete set of commands I ran. – pree May 13 '21 at 03:01
  • **`openssl x509 -req` IGNORES extensions in CSR**; dupe https://stackoverflow.com/questions/54421916/ https://stackoverflow.com/questions/43690647/ https://stackoverflow.com/questions/59630238/ and cross at least https://security.stackexchange.com/questions/150078/ https://serverfault.com/questions/845806/ https://superuser.com/questions/862838/ – dave_thompson_085 May 13 '21 at 05:08
  • 1
    PS: doing `openssl genrsa -des3` to encrypt the key and then `openssl rsa` to decrypt it in the same file is a silly waste of time; just omit `-des3` from `genrsa` in the first place. – dave_thompson_085 May 13 '21 at 05:12
  • I was able to include extension in the certificate and verified as well. However, now I get different error saying error: `x509: certificate signed by unknown authority`. Any pointers to fix this error? – pree May 13 '21 at 06:13
  • Does this answer your question? [cannot validate certificate for because it doesn't contain any IP SANs](https://stackoverflow.com/questions/54622879/cannot-validate-certificate-for-ip-address-because-it-doesnt-contain-any-ip-s) – Shahid Roofi Khan Mar 15 '23 at 16:27
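The point raised in the comments, that `openssl x509 -req` drops the SAN the CSR carried, is shown end to end in this added shell example; it is not the asker's script and is not taken from the linked blog. It assumes `openssl` (1.1.1 or later) is on PATH, and `172.17.0.2` is a constructed stand-in for the container's address. The SAN is re-supplied at signing time with `-extfile`, and it goes on the server certificate, because that is the certificate the application checks the dialled IP against:

```shell
#!/bin/sh
# Added example, not the asker's script. Builds a root CA, a server
# certificate whose IP SAN survives signing, and a client certificate,
# then checks the result the way the application's x509 verifier would.
# Assumptions: openssl (1.1.1 or later) on PATH; 172.17.0.2 is a
# constructed stand-in for the Docker container's address.
set -eu

PG_IP="${PG_IP:-172.17.0.2}"          # constructed sample address
WORKDIR="${WORKDIR:-$(mktemp -d)}"

make_pki() (
  cd "$1"; ip="$2"
  # Root CA. Generate the key unencrypted directly instead of the
  # genrsa -des3 / rsa round trip.
  openssl genrsa -out root.key 2048 2>/dev/null
  openssl req -new -x509 -days 365 -subj "/CN=postgres-test-ca" \
    -key root.key -out root.crt

  # Server key and CSR. The client validates the address it dialled
  # against the *server* certificate, so this is where the IP SAN belongs.
  openssl genrsa -out server.key 2048 2>/dev/null
  openssl req -new -key server.key -subj "/CN=postgres" -out server.csr

  # `openssl x509 -req` ignores extensions carried in the CSR, so the SAN
  # has to be handed to the signer again with -extfile.
  printf 'subjectAltName=IP:%s\n' "$ip" > server.ext
  openssl x509 -req -in server.csr -CA root.crt -CAkey root.key \
    -CAcreateserial -days 365 -extfile server.ext -out server.crt 2>/dev/null

  # Client certificate: its CN is what the server maps to a role; no IP SAN.
  openssl genrsa -out client.key 2048 2>/dev/null
  openssl req -new -key client.key -subj "/CN=test" -out client.csr
  openssl x509 -req -in client.csr -CA root.crt -CAkey root.key \
    -CAcreateserial -days 365 -out client.crt 2>/dev/null
)

# Print the SAN line of a signed certificate; empty when it has none.
cert_san() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//' || true
}

# Succeed only if the certificate chains to the given CA (the check the
# application performs before reporting "signed by unknown authority").
cert_chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_pki "$WORKDIR" "$PG_IP"
echo "server SAN: $(cert_san "$WORKDIR/server.crt")"
echo "client SAN: $(cert_san "$WORKDIR/client.crt")"
cert_chains_to "$WORKDIR/root.crt" "$WORKDIR/server.crt" \
  && echo "server.crt chains to root.crt"
```

Both error strings in the question (`x509: cannot validate certificate for ... because it doesn't contain any IP SANs` and `x509: certificate signed by unknown authority`) are produced by Go's `crypto/x509` while verifying the server's certificate, not the client's. The second one therefore goes away once the application is given `root.crt` as its trust anchor (for a libpq-style connection string, `sslmode=verify-full sslrootcert=root.crt`); adding SANs to the client certificate changes nothing on that path.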

0 Answers