From: Valere Binet
Date: Fri, 20 Jun 2025 13:24:44 -0400
Subject: Re: FATAL: connection requires a valid client certificate
To: Tom Lane
Cc: pgsql-admin@lists.postgresql.org

Thank you Tom,

I already had the full path for the root certificate, sorry I got lazy retyping the command on my personal computer.
After also entering the full path for sslcert and sslkey, I'm getting "sslv3 alert certificate expired".
Now I just need to figure out which one but I already have a pretty good idea.

Thank you again! Regards,

Valère

On Fri, Jun 20, 2025 at 12:02 PM Tom Lane wrote:
> Valere Binet writes:
> > I'm completely new to postgresql and I'm struggling with its SSL
> > configuration.
>
> It sounds like you have the right certs in the right files.
> I wonder though whether the client is actually picking up the
> client-side cert/key.
>
> In particular, a quick look at the libpq source code indicates
> that it doesn't have any mechanism for expanding "~" in the sslcert
> etc. parameters: you need to write out the full path verbatim.
> (But it also looks like you should have gotten an error about
> not finding the sslrootcert file, so I'm not quite sure if this
> theory is correct.)
>
> Another thing to look into is whether the order of the certs
> in the multi-cert files matters.
>
>                         regards, tom lane