From: Tom Lane
To: Valere Binet
cc: pgsql-admin@lists.postgresql.org
Subject: Re: FATAL: connection requires a valid client certificate
Date: Fri, 20 Jun 2025 12:02:46 -0400
Message-ID: <1944831.1750435366@sss.pgh.pa.us>
In-reply-to: Valere Binet message dated "Fri, 20 Jun 2025 11:35:25 -0400"

Valere Binet writes:
> I'm completely new to postgresql and I'm struggling with its SSL
> configuration.

It sounds like you have the right certs in the right files. I wonder
though whether the client is actually picking up the client-side cert/key.

In particular, a quick look at the libpq source code indicates that it
doesn't have any mechanism for expanding "~" in the sslcert etc.
parameters: you need to write out the full path verbatim. (But it also
looks like you should have gotten an error about not finding the
sslrootcert file, so I'm not quite sure if this theory is correct.)

Another thing to look into is whether the order of the certs in the
multi-cert files matters.

regards, tom lane
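A pre-flight check for the two points raised in the reply (an unexpanded "~" in the ssl* file parameters, and the order of PEM blocks in a multi-cert file), written here as an added example; it is not code from the post or from PostgreSQL itself. It parses a libpq key=value connection string, flags sslcert/sslkey/sslrootcert/sslcrl values that begin with "~" (libpq hands the value to the OS verbatim, so a shell-style "~" is never expanded), and lists the PEM block labels in each file in file order, since OpenSSL's chain-file loader, which libpq uses for sslcert, takes the first CERTIFICATE block as the client certificate and any following blocks as its chain. The host name, file names and PEM contents below are constructed placeholders.

```python
"""Pre-flight check for libpq client-certificate settings (added example)."""
import os
import re
import tempfile

# libpq connection parameters that name files on the client side
SSL_FILE_PARAMS = ("sslcert", "sslkey", "sslrootcert", "sslcrl")

# key = value, where value is either single-quoted (backslash escapes allowed) or bare
CONNINFO_TOKEN = re.compile(r"(\w+)\s*=\s*('(?:[^'\\]|\\.)*'|\S+)")

# one PEM block; the label after BEGIN must match the label after END
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)


def parse_conninfo(conninfo):
    """Parse a libpq key=value connection string into a dict."""
    params = {}
    for key, value in CONNINFO_TOKEN.findall(conninfo):
        if value.startswith("'"):
            value = re.sub(r"\\(.)", r"\1", value[1:-1])  # strip quotes, unescape
        params[key] = value
    return params


def unexpanded_tilde_params(params):
    """Names of ssl* file parameters whose value starts with '~'.

    libpq only uses the home directory for its *default* file locations;
    a user-supplied "~/..." is opened literally and the open fails."""
    return [name for name in SSL_FILE_PARAMS
            if params.get(name, "").startswith("~")]


def pem_block_types(path):
    """Labels of the PEM blocks in a file, in file order.

    For sslcert, the first CERTIFICATE block is the client certificate and
    the remaining blocks are sent as its chain (OpenSSL chain-file rule)."""
    with open(path, "r", encoding="ascii") as fh:
        return [m.group(1) for m in PEM_BLOCK.finditer(fh.read())]


def report(conninfo):
    """Findings for one connection string: '~' paths, missing files,
    and the block layout of every ssl* file that does exist."""
    params = parse_conninfo(conninfo)
    findings = []
    for name in unexpanded_tilde_params(params):
        findings.append(f"{name}={params[name]}: '~' is not expanded by libpq; "
                        f"write {os.path.expanduser(params[name])}")
    for name in SSL_FILE_PARAMS:
        path = params.get(name)
        if path is None or path.startswith("~"):
            continue  # already reported above, or not set
        if not os.path.isfile(path):
            findings.append(f"{name}={path}: file not found")
        else:
            findings.append(f"{name}={path}: " + " > ".join(pem_block_types(path)))
    return findings


def build_demo_bundle():
    """Write a constructed, non-functional client cert + chain bundle and
    return its path. The bodies are placeholders, not real certificates."""
    def fake_block(label):
        return f"-----BEGIN {label}-----\nMIIBplaceholder\n-----END {label}-----\n"

    path = os.path.join(tempfile.mkdtemp(), "postgresql.crt")
    with open(path, "w", encoding="ascii") as fh:
        fh.write(fake_block("CERTIFICATE") * 3)  # client cert, intermediate, root
    return path


if __name__ == "__main__":
    bundle = build_demo_bundle()
    # constructed connection strings: one with the '~' mistake, one with a full path
    bad = ("host=db.example.test sslmode=verify-full "
           "sslcert=~/.postgresql/postgresql.crt sslkey='~/.postgresql/postgresql.key'")
    good = (f"host=db.example.test sslmode=verify-full sslcert={bundle} "
            "sslrootcert=/nonexistent/root.crt")
    for line in report(bad) + report(good):
        print(line)
```

Run it against the exact connection string (or the PG* environment values) the failing client uses; a finding that names a "~" path, or a file whose first block is not the expected type, is the thing to fix before looking further at the server side.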