From: Valere Binet
Date: Mon, 23 Jun 2025 09:11:30 -0400
Subject: Re: FATAL: connection requires a valid client certificate
To: Jeff Janes
Cc: pgsql-admin@lists.postgresql.org

Hi Jeff,

Yes, you are correct, I use server certificates as these are the only ones I can get. The only client certificates we can get are on our PIV cards. We need a client certificate for our application but that is not available and we have to use a server certificate.

If I understood the documentation correctly, the map in pg_ident.conf matches the server2 certificate to the ccid postgresql account, right?

    # map-name  system-username  database-username
    rafe        server2          ccid

Just FYA, mongo doesn't like it (warning in the logs) but lets us use a server certificate for the client connections; cockroach doesn't care. For different reasons, we need to move away from both and are trying postgresql/citus to see if that will meet our needs.

In the meantime I checked that all the certificates on both sides are valid, so I have no idea why I'm getting the "certificate expired" message.

Valère Binet

On Sat, Jun 21, 2025 at 1:29 PM Jeff Janes wrote:
> On Fri, Jun 20, 2025 at 11:35 AM Valere Binet wrote:
>
>> Hi everyone,
>>
>> I'm completely new to postgresql and I'm struggling with its SSL configuration.
>>
>> ...
>>
>> The certificate chain has 4 certificates, 1 root, 1 intermediate signed by the root certificate, a second intermediate signed by the first one and a server certificate signed by the second intermediate certificate. I'll call it server.
>> I also have a second server certificate also signed by the second intermediate certificate. I'll call it server2.
>
> You only describe having server certs, but the error message says a client cert is needed. You don't describe having any client certs. Maybe you are trying to use a server cert as if it were a client cert, but that is unlikely to work. The server cert needs the hostname of the server as a CN (or SAN), while a client cert needs the username of the client (either ccid or server2, not sure which) as the CN.
>
>> hostssl all ccid all cert map=rafe
>
> This demands a client cert. Server certs are common. Client certs are somewhat rare, are you sure you actually want those? If so, you will need to set yourself up with one.
>
> Cheers,
>
> Jeff
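To make concrete what the pg_ident.conf map discussed in this thread does, here is a small Python model of the mapping that `hostssl ... cert map=rafe` performs (an added example, not code from the thread or from PostgreSQL). Under `cert` authentication the CN of the already-verified client certificate is the system-username, so a certificate whose CN is a hostname rather than `server2` never maps to `ccid`; expiry and chain checks happen in the TLS handshake before this map is even consulted. The `svc-` regex line and the hostname CN are constructed for illustration; `all`, `+group` and other forms are left out.

```python
import re

# Constructed pg_ident.conf modelled on the thread: map "rafe" ties a client
# certificate whose CN is "server2" to the database role "ccid". The regex
# line is added here to show the '/' form; it is not from the thread.
PG_IDENT = r"""
# MAPNAME   SYSTEM-USERNAME     PG-USERNAME
rafe        server2             ccid
rafe        /^svc-(.*)$         \1
"""


def parse_pg_ident(text):
    """Return (map_name, system_username, database_username) triples,
    skipping blank lines and '#' comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed pg_ident.conf line: {raw!r}")
        entries.append(tuple(parts))
    return entries


def ident_matches(entries, map_name, system_user, database_user):
    r"""Does any line of `map_name` map system_user to database_user?
    A system-username beginning with '/' is a regular expression; a literal
    '\1' in the database-username is replaced by its first capture group.
    The plain form requires an exact match of both fields."""
    for name, sys_field, db_field in entries:
        if name != map_name:
            continue
        if sys_field.startswith("/"):
            m = re.search(sys_field[1:], system_user)
            if m is None:
                continue
            if r"\1" in db_field:
                if not m.groups():
                    raise ValueError(r"\1 used but regex has no capture group")
                db_field = db_field.replace(r"\1", m.group(1))
        elif sys_field != system_user:
            continue
        if db_field == database_user:
            return True
    return False


def cert_auth_decision(pg_ident_text, map_name, cert_cn, requested_role):
    """Model of 'hostssl ... cert map=<name>': the verified client cert's CN
    is the system-username; accept only if the map allows the requested role."""
    return ident_matches(parse_pg_ident(pg_ident_text), map_name, cert_cn, requested_role)
```

With this map, a connection as `ccid` succeeds only when the client certificate's CN is exactly `server2`; a server certificate issued for a hostname is rejected at this step even if it verifies against ssl_ca_file.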