From: Valere Binet
Date: Fri, 20 Jun 2025 11:35:25 -0400
Subject: FATAL: connection requires a valid client certificate
To: pgsql-admin@lists.postgresql.org

Hi everyone,

I'm completely new to postgresql and I'm struggling with its SSL configuration.

Ubuntu 22.04 LTS
Postgresql 17.5-1.pgdg22.04+1
postgresql-17-citus-13.0 13.0.4.citus-1

The certificate chain has 4 certificates, 1 root, 1 intermediate signed by the root certificate, a second intermediate signed by the first one and a server certificate signed by the second intermediate certificate. I'll call it server.
I also have a second server certificate also signed by the second intermediate certificate. I'll call it server2.

Postgresql.conf:
port = 9700
max_connections = 100
ssl = on
ssl_ca_file = /data/db/root.crt
ssl_cert_file = /data/db/server.pem      # server + intermediate 2 + intermediate 1
ssl_crl_file = /usr/local/share/OCIO_CA6.pem
ssl_key_file = /data/db/server.key
...
shared_preload_libraries = 'citus'

pg_hba.conf:
local   all          all                  trust
host    all          all   127.0.0.1/32   trust
host    all          all   ::1/128        trust
local   replication  all                  trust
host    replication  all   127.0.0.1/32   trust
host    replication  all   ::1/128        trust

hostssl all          ccid  all            cert map=rafe

pg_ident.conf:
rafe   server2   ccid

On the second server:
vbinet@server2:~$ psql "port=9700 host=server user=ccid sslcert=~/.postgresql/server2.pem sslkey=~/.postgresql/server2.key sslrootcert=~/.postgresql/root.crt sslmode=verify_ca"
psql: error: connection to "server" (ip address), port 9700 failed: FATAL: connection requires a valid certificate

server2.pem also includes the intermediate certificates. I tried with the root and the intermediate certificates together in root.pem and just the server certificate in server.crt / server2.crt but that fails with the same message.

Can anyone point me to what is wrong in my configuration?

Thank you,

Valère Binet
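
A client-side pre-flight check for the psql connection string shown above, as an added example that is not part of the original message: it flags TLS file parameters that libpq could not open as written (libpq takes the path literally without expanding `~`, and when the sslcert file is not found it connects without a client certificate) and sslmode values outside libpq's documented set. The function name lint_conninfo is hypothetical, and the parser assumes values contain no spaces or quoting.

```shell
#!/bin/sh
# Added example (not from the original message): lint the TLS settings in a
# libpq keyword=value connection string before debugging the server side.
# Assumption: values contain no spaces or quoting, as in the posted command.

# Prints one finding per line; exit status is 0 only when nothing is flagged.
lint_conninfo() (
    set -f                                  # no globbing while word-splitting $1
    findings=0
    flag() { echo "$1"; findings=$((findings + 1)); }
    for kv in $1; do
        key=${kv%%=*}
        val=${kv#*=}
        case $key in
            sslcert|sslkey|sslrootcert|sslcrl)
                case $val in
                    "~"*) flag "$key: '$val' begins with a literal ~, which libpq does not expand" ;;
                    *)    [ -r "$val" ] || flag "$key: '$val' is not a readable file" ;;
                esac ;;
            sslmode)
                case $val in
                    disable|allow|prefer|require|verify-ca|verify-full) ;;
                    *) flag "sslmode: '$val' is not a libpq sslmode value" ;;
                esac ;;
        esac
    done
    [ "$findings" -eq 0 ]
)

# The connection string from the psql command above, exactly as the shell
# passes it to psql (no tilde expansion happens inside double quotes).
POSTED="port=9700 host=server user=ccid sslcert=~/.postgresql/server2.pem sslkey=~/.postgresql/server2.key sslrootcert=~/.postgresql/root.crt sslmode=verify_ca"
lint_conninfo "$POSTED" || true
```

A clean result only shows that the client can find the files it names; the certificate chain and the pg_ident.conf mapping of the certificate CN still have to be checked separately.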
