Re: unexpected_message error when connecting to remote postgresql database over ssl

Sat, 11 Jan 2020 01:03:08 -0800 

You can use free letsencrypt cert

Jacques

Le 11/01/2020 à 08:38, Bagas Sanjaya a écrit :

Aha!

Actually I use custom (internal) CA for doing remote connection.

When trying to add dummy OCSP responder address (I did this for testing), I 
made a typo omitting colon from `http://` scheme.

For PostgreSQL log as you mention, I think the server will log the IP address 
of connecting party instead of the hostname.

Disclaimer: My internal CA "borrow" from Linode (linode.com), so the CA isn't 
affiliated with Linode.

On 11/01/20 05.08, Robert Wynkoop wrote:

Not an expert here.

I see this in your log:

Unparseable AuthorityInfoAccess extension due to
java.io.IOException: URI name must include scheme:http//ocsp.ca.linode.com

I know when doing a secure connection, the serer must return a cert
where the issuer can be validated.

 From your log:

2020-01-09 08:29:14.952 UTC [1893] LOG:  connection received:
host=10.29.106.190 port=60432

I do not believe 10.29.106.190 can be verified as a valid host.

Hope this might help.

Robert Wynkoop


On Thu, Jan 9, 2020 at 2:55 AM Bagas Sanjaya <[email protected]> wrote:


Hello,

I'm trying loading OFBiz demo data (trunk version) to remote PostgreSQL
database.

The system running the database use PostgreSQL 12. I connect to database
using PostgreSQL JDBC 42.2.8.

I follow [JDBC
guide](https://jdbc.postgresql.org/documentation/91/ssl-client.html).

The story short, I got `fatal alert: unexpected message` message, which
cause data loading to fail.

However, when test connect to one of databases with `psql`, the database
can be connected successfully.

On database instance side, the log shows at the time of error:

  > could not accept SSL connection: ccs received early

Full logs are available at:
[1] [PostgreSQL Server Log]http://paste.ubuntu.com/p/4Kn8wYPZDs/
[2] [OFBiz Log, with SSL Debug log until first
fail](http://paste.ubuntu.com/p/WBknj9DKQz/)

Disabling SSL on the server (as well as setting appropriate JDBC
database URI) serve as workaround, unfortunately.

So what's wrong here?

Bagas

--
An old man doll... just what I always wanted! - Clara

Reply via email to