From: Valere Binet <[email protected]>
To: Jeff Janes <[email protected]>
Cc: [email protected]
Subject: Re: FATAL: connection requires a valid client certificate
Date: Mon, 23 Jun 2025 09:11:30 -0400
Message-ID: <CAJn2Pjmd8krhnT8cFFYPB7XXG6ik96JrAeE+D7uL1oXKhc4JSQ@mail.gmail.com> (raw)
In-Reply-To: <CAMkU=1zRyvPOuLGuEC_jQqZgbCmhMHLjVVQDD7NqQgPs2BtLig@mail.gmail.com>
References: <CAJn2Pj=dTF=LpYiO9SyyKQoyrDEMO=UeQxb+br4qmuAYpVUU5A@mail.gmail.com>
	<CAMkU=1zRyvPOuLGuEC_jQqZgbCmhMHLjVVQDD7NqQgPs2BtLig@mail.gmail.com>

Hi Jeff,

Yes, you are correct, I use server certificates as these are the only ones
I can get. The only client certificates we can get are on our PIV cards. We
need a client certificate for our application but that is not available and
we have to use a server certificate.
If I understood the documentation correctly, the map in pg_ident.conf
matches the server2 certificate to the ccid postgresql account, right?
# map-name   system-username   database-username
rafe         server2           ccid

Just FYA, mongo doesn't like it (warning in the logs) but lets us use a
server certificate for the client connections, cockroach doesn't care. For
different reasons, we need to move away from both and are trying
postgresql/citus to see if that will meet our needs.

In the meantime I checked that all the certificates on both sides are valid,
so I have no idea why I'm getting the "certificate expired" message.

Valère Binet

On Sat, Jun 21, 2025 at 1:29 PM Jeff Janes <[email protected]> wrote:

> On Fri, Jun 20, 2025 at 11:35 AM Valere Binet <[email protected]>
> wrote:
>
>> Hi everyone,
>>
>> I'm completely new to postgresql and I'm struggling with its SSL
>> configuration.
>>
>> ...
>>
>
>
>> The certificate chain has 4 certificates, 1 root, 1 intermediate signed
>> by the root certificate, a second intermediate signed by the first one and
>> a server certificate signed by the second intermediate certificate. I'll
>> call it server.
>> I also have a second server certificate also signed by the second
>> intermediate certificate. I'll call it server2.
>>
>
> You only describe having server certs, but the error message says a client
> cert is needed.  You don't describe having any client certs.  Maybe you are
> trying to use a server cert as if it were a client cert, but that is
> unlikely to work.  The server cert needs the hostname of the server as a CN
> (or SAN), while a client cert needs the username of the client (either ccid or
> server2, not sure which) as the CN.
>
>
>> hostssl all   ccid   all  cert map=rafe
>>
>
> This demands a client cert.  Server certs are common.  Client certs are
> somewhat rare, are you sure you actually want those?  If so, you will need
> to set yourself up with one.
>
>  Cheers,
>
> Jeff
>
