
I'm using keytool for importing and managing certificates. However, when validating a datasource I'm using that requires an x.509 certificate that I need to test, the error message isn't helpful:

org.postgresql.util.PSQLException: Connection refused. Check that the hostname and port are correct and that the postmaster is accepting TCP/IP connections.

I recall seeing some plug in page for CF Administrator that allows you to upload and manage certificates from the browser, but I can't find anything. Is it even Adobe-created, or third party?

Peter Boughton
justacoder
  • Did you do what the error message said? Check to see that PostgreSQL is running on the host you've specified and at the expected port (5432 by default)? – Craig Ringer Aug 28 '12 at 23:49
  • The 3rd part of your question appears to be unrelated to the rest. Should you delete it and post a separate question about that instead? Or is it related in some way that the question as written doesn't make clear? – Craig Ringer Aug 28 '12 at 23:53
  • The utility for certificate management within the administrator is http://certman.riaforge.org/ – Antony Aug 29 '12 at 00:04
  • Thanks, Antony. Now that I have the browser add-on in place, I can start focusing on why the certificate fails. – justacoder Aug 29 '12 at 15:14

1 Answer


It looks like your JDBC connection test never got as far as making a TCP/IP connection, let alone negotiating for X.509 client certificates during the SSL handshake. Assuming that the error message you quote is from the test you were running in an attempt to test the certificate, that is; it isn't entirely clear from the question.

Check to make sure that PostgreSQL is actually running on the host you specified and listening on the correct TCP/IP port (5432 by default). You'll also have to make sure it's properly configured for X.509 client certificate auth, but I imagine you've done that if you're trying to test against it.

BTW, older versions of Pg servers have a bug that'll cause PgJDBC to fail to negotiate for the correct client certificate when you have more than one private key in your keystore. I've gone back in the git log to find the commit that fixed this, `c3bf3bf2aa0998876fd219fbfcc771fb83594539`. `git tag --contains c3bf3bf2aa0998876fd219fbfcc771fb83594539` confirms that the fix first appeared in 9.0.

Craig Ringer
  • We had the certificates working fine on two previous machines that were running CF8, but they were retired. So I'm still using the same server.cer file (in DER format) from the old machines on the new ones. I know that the connection should work, but I didn't write down the instructions clearly enough from certificate generation -> keystore upload. – justacoder Aug 29 '12 at 13:49
  • We're running Postgres 8.1 on a Redhat box. Its configuration file has the proper IP addresses for hostssl connection and I can connect to it with PgAdmin. How can I test more effectively for the CF box that is handshaking with the Postgres box? I know it's broadcasting. – justacoder Aug 29 '12 at 16:02
  • @AngrySpartan 8.1!! Holy smokes, batman. That's extremely ancient, unsupported, and has known bugs. Upgrade *urgently*. http://www.postgresql.org/support/versioning/ . For upgrading read the "migration" section of each intermediate .0 version's release notes http://www.postgresql.org/docs/9.1/static/release.html, and use the *newer* version's pg_dump. – Craig Ringer Aug 29 '12 at 23:41
  • @AngrySpartan First, test with [`psql`](http://www.postgresql.org/docs/9.1/static/app-psql.html) or PgAdmin-III to make sure you can connect that way, verifying that the server is really where you think. Also use `netstat` to verify that the server is listening where you think it is, and `nc` or `telnet` to connect to its port and make sure it really does a TCP/IP handshake on the IP and port you expect. Check for a host firewall. After that, I'd use `tcpdump` or `wireshark` to watch network traffic during your test handshake and see what's really happening. – Craig Ringer Aug 29 '12 at 23:42
  • Upgrading postgres is not in the cards for some time. However, I did test on the target webserver connecting with pgAdmin, which failed. So it's time to talk to IT about firewall exceptions! – justacoder Aug 30 '12 at 16:44
  • It was a firewall issue, so once that cleared up the connection worked. – justacoder Sep 07 '12 at 15:55
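The staged diagnosis the answer and comments describe (does TCP connect at all, does the server agree to SSL, does the TLS handshake with the client certificate succeed) can be scripted so that "Connection refused" is separated from certificate problems. This is an added example, not code from the question or the answer; the function names and the host/port/certificate-file arguments are assumptions, while the SSLRequest bytes come from the PostgreSQL frontend/backend protocol.

```python
"""Staged probe for a PostgreSQL host: TCP reach, then SSLRequest, then TLS with an optional client cert."""
import socket
import ssl
import struct

# SSLRequest code from the PostgreSQL wire protocol: 0x04D2162F (1234 in the high 16 bits, 5679 in the low).
SSL_REQUEST_CODE = 80877103


def build_ssl_request() -> bytes:
    """The 8-byte SSLRequest message: int32 length (8) followed by the int32 request code, big-endian."""
    return struct.pack("!ii", 8, SSL_REQUEST_CODE)


def interpret_ssl_response(first_byte: bytes) -> str:
    """Map the server's single-byte reply to SSLRequest to a verdict a practitioner can act on."""
    if first_byte == b"S":
        return "server accepts SSL; proceed to TLS handshake"
    if first_byte == b"N":
        return "server reachable but SSL is not enabled (check ssl=on and the hostssl line in pg_hba.conf)"
    if first_byte == b"E":
        return "server sent an ErrorResponse instead of S/N (very old server or not PostgreSQL at all)"
    return f"unexpected response {first_byte!r}; is this really PostgreSQL?"


def probe(host, port=5432, client_cert=None, client_key=None, ca_file=None, timeout=5.0):
    """Return (stage_reached, verdict). Stages: 'tcp', 'sslrequest', 'tls'. Hypothetical helper."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        # This is the case behind "Connection refused": server down, wrong port, or a firewall.
        return ("tcp", f"TCP connect to {host}:{port} failed: {exc}")
    with sock:
        sock.sendall(build_ssl_request())
        answer = sock.recv(1)
        verdict = interpret_ssl_response(answer)
        if answer != b"S":
            return ("sslrequest", verdict)
        ctx = ssl.create_default_context(cafile=ca_file)
        if ca_file is None:
            # Diagnostic run without a CA: skip server verification so the handshake itself can be observed.
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        if client_cert:
            ctx.load_cert_chain(client_cert, client_key)  # PEM files, not the Java keystore
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return ("tls", f"TLS handshake ok ({tls.version()}); client cert {'sent' if client_cert else 'not configured'}")
        except ssl.SSLError as exc:
            return ("tls", f"TLS handshake failed: {exc} (a certificate/keystore problem, not connectivity)")
```

Run it as `probe("db.example.internal", 5432, "client.crt", "client.key", "root.crt")` from the ColdFusion host; a failure at the `tcp` stage means the firewall or listener, not the certificate, is the problem.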