public inbox for [email protected]  
From: Jeff Janes <[email protected]>
To: Valere Binet <[email protected]>
Cc: [email protected]
Subject: Re: FATAL: connection requires a valid client certificate
Date: Sat, 21 Jun 2025 13:28:55 -0400
Message-ID: <CAMkU=1zRyvPOuLGuEC_jQqZgbCmhMHLjVVQDD7NqQgPs2BtLig@mail.gmail.com>
In-Reply-To: <CAJn2Pj=dTF=LpYiO9SyyKQoyrDEMO=UeQxb+br4qmuAYpVUU5A@mail.gmail.com>
References: <CAJn2Pj=dTF=LpYiO9SyyKQoyrDEMO=UeQxb+br4qmuAYpVUU5A@mail.gmail.com>

On Fri, Jun 20, 2025 at 11:35 AM Valere Binet <[email protected]>
wrote:

> Hi everyone,
>
> I'm completely new to postgresql and I'm struggling with its SSL
> configuration.
>
> ...
>


> The certificate chain has 4 certificates, 1 root, 1 intermediate signed by
> the root certificate, a second intermediate signed by the first one and a
> server certificate signed by the second intermediate certificate. I'll call
> it server.
> I also have a second server certificate also signed by the second
> intermediate certificate. I'll call it server2.
>

You only describe having server certs, but the error message says a client
cert is needed.  You don't describe having any client certs.  Maybe you are
trying to use a server cert as if it were a client cert, but that is
unlikely to work.  The server cert needs the hostname of the server as a CN
(or SAN), while a client cert needs the username of the client (either ccid or
server2, not sure which) as the CN.


> hostssl all   ccid   all  cert map=rafe
>

This demands a client cert.  Server certs are common.  Client certs are
somewhat rare; are you sure you actually want those?  If so, you will need
to set yourself up with one.

 Cheers,

Jeff
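
Added example, not part of the original message: one way to issue a client certificate whose CN is the database user from the quoted pg_hba.conf line (ccid) and to confirm it verifies for TLS client use. The CA is a throwaway one constructed for the demo, and the function names issue_client_cert, cert_cn and chain_ok are hypothetical helpers.

```sh
#!/bin/sh
# Added illustration. The CA here is a throwaway one built for the demo; on a
# real system the signer must chain to a CA in the server's ssl_ca_file.
set -eu

# issue_client_cert DIR DBUSER: hypothetical helper; writes client.key/client.crt
issue_client_cert() {
  dir=$1; user=$2
  # Constructed stand-in for the real signing CA.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # With "cert" auth the server compares the certificate CN with the database
  # user name, directly or through the pg_ident.conf map named by map=.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$user" \
    -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
  # Mark the certificate for TLS client authentication.
  printf 'extendedKeyUsage=clientAuth\n' > "$dir/ext.cnf"
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -extfile "$dir/ext.cnf" -out "$dir/client.crt" 2>/dev/null
  chmod 600 "$dir/client.key"   # libpq rejects keys readable by group or others
}

# cert_cn FILE: print the subject CN of a certificate
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt multiline |
    sed -n 's/^ *commonName *= *//p'
}

# chain_ok CAFILE CERT: succeeds if CERT verifies against CAFILE as a TLS client cert
chain_ok() {
  openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1
}

work=$(mktemp -d)
issue_client_cert "$work" ccid
echo "client CN: $(cert_cn "$work/client.crt")"
chain_ok "$work/ca.crt" "$work/client.crt" && echo "verifies as a client cert"
# The client then presents it with libpq parameters, e.g.
#   psql "host=<server> dbname=<db> user=ccid sslmode=verify-full \
#         sslcert=$work/client.crt sslkey=$work/client.key sslrootcert=<root.crt>"
```

Running cert_cn against an existing server certificate shows quickly whether its CN is a host name rather than a database user name.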

