From: Tom Lane
To: Drew Zoellner
cc: pgsql-general@postgresql.org, postgres@thewickedtribe.net
Subject: Re: Replication using mTLS issue
Comments: In-reply-to Drew Zoellner message dated "Thu, 20 Jun 2024 10:15:58 -0500"
Date: Fri, 21 Jun 2024 12:46:22 -0400
Message-ID: <603291.1718988382@sss.pgh.pa.us>

Drew Zoellner writes:
> Hi Postgres team, I’m receiving an issue matching pg_hba rules that I can’t
> seem to sort out. I am trying to use mTLS certificate authentication for
> physical replication connections but keep receiving the following error…
> pg_receivewal: error: FATAL: no pg_hba.conf entry for replication
> connection from host "100.84.12.223", user "pgrepmgr_nonprod", SSL on
> My pg_hba.conf file contains
> hostssl replication pgrepmgr_nonprod 100.0.0.0/8 cert map=pgrepmgr_nonprod_map

Hm, the match failure must be on user name.  What certificate are you
using on the client side, and what user name does pgrepmgr_nonprod_map
map it to?  Does it succeed if you weaken the hba entry to

hostssl replication all 100.0.0.0/8 cert map=pgrepmgr_nonprod_map

> Is cert authentication supported for replication connections?

Should be.  But you might find it easier to debug the auth failure in a
non-replication context, ie add

hostssl all pgrepmgr_nonprod 100.0.0.0/8 cert map=pgrepmgr_nonprod_map

and then see if you can connect with the same credentials from psql or
your favorite other client.

BTW, don't forget you have to signal the postmaster to reload
configuration after any change in these files.

			regards, tom lane
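The two checks the reply is reasoning about, as an added example that is not part of the original thread and not PostgreSQL's code: a small Python model of how the server first picks a pg_hba.conf record (type, database, user, address; first match wins) and only then, for the `cert` method, consults the pg_ident.conf usermap for the certificate CN. The pg_hba.conf text below holds the original record plus the two test records proposed above; the pg_ident.conf text, including the `example.net` regex line, is constructed for illustration, and the status strings are the script's own, not server messages.

```python
"""
Model of PostgreSQL's pg_hba.conf record match followed by the pg_ident.conf
usermap lookup used by the `cert` method.  Added example, not PostgreSQL code;
the config texts are constructed and the status strings are this script's own.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed pg_hba.conf: the original record, then the two test records
# suggested in the reply.  First matching record wins, as in the real server.
PG_HBA = """\
# TYPE    DATABASE     USER              ADDRESS       METHOD
hostssl   replication  pgrepmgr_nonprod  100.0.0.0/8   cert map=pgrepmgr_nonprod_map
hostssl   replication  all               100.0.0.0/8   cert map=pgrepmgr_nonprod_map
hostssl   all          pgrepmgr_nonprod  100.0.0.0/8   cert map=pgrepmgr_nonprod_map
"""

# Constructed pg_ident.conf: a literal CN, and an assumed regex form whose
# first capture group is substituted for \1 in the PG-USERNAME column.
PG_IDENT = r"""
# MAPNAME              SYSTEM-USERNAME (cert CN)   PG-USERNAME
pgrepmgr_nonprod_map   pgrepmgr_nonprod            pgrepmgr_nonprod
pgrepmgr_nonprod_map   /^(.*)\.example\.net$       \1
"""


@dataclass
class Conn:
    """One incoming connection as the postmaster sees it."""
    user: str
    addr: str
    ssl: bool
    physical_replication: bool = False   # walreceiver, pg_receivewal, pg_basebackup
    database: Optional[str] = None       # None for physical replication
    cert_cn: Optional[str] = None        # CN of the verified client certificate


def _records(text):
    """Yield (lineno, fields) for non-blank, non-comment lines."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if line:
            yield lineno, line.split()


def parse_hba(text):
    """Parse host/hostssl/hostnossl records (the only forms modelled here)."""
    entries = []
    for lineno, f in _records(text):
        if f[0] not in ("host", "hostssl", "hostnossl") or len(f) < 5:
            raise ValueError(f"pg_hba.conf line {lineno}: unsupported or malformed record")
        opts = dict(o.split("=", 1) for o in f[5:])
        entries.append({"lineno": lineno, "type": f[0], "db": f[1].split(","),
                        "user": f[2].split(","), "addr": f[3], "method": f[4], "opts": opts})
    return entries


def parse_ident(text):
    return [{"lineno": n, "map": f[0], "system": f[1], "pg": f[2]}
            for n, f in _records(text) if len(f) == 3]


def hba_matches(e, c):
    if e["type"] == "hostssl" and not c.ssl:
        return False
    if e["type"] == "hostnossl" and c.ssl:
        return False
    # A physical replication connection matches ONLY the keyword "replication";
    # a record whose database column is "all" does not cover it.
    if c.physical_replication:
        db_ok = "replication" in e["db"]
    else:
        db_ok = "all" in e["db"] or c.database in e["db"]
    if not db_ok:
        return False
    if "all" not in e["user"] and c.user not in e["user"]:
        return False
    if e["addr"] != "all":
        if ipaddress.ip_address(c.addr) not in ipaddress.ip_network(e["addr"], strict=False):
            return False
    return True


def find_hba_entry(entries, c):
    """First matching record, or None (the 'no pg_hba.conf entry' case)."""
    return next((e for e in entries if hba_matches(e, c)), None)


def ident_allows(ident, mapname, system_user, pg_user):
    """True if any line of the map maps the cert CN to the requested role."""
    for line in ident:
        if line["map"] != mapname:
            continue
        if line["system"].startswith("/"):            # regex form
            m = re.search(line["system"][1:], system_user)
            if not m:
                continue
            target = line["pg"].replace("\\1", m.group(1)) if m.groups() else line["pg"]
        else:                                         # literal form
            if line["system"] != system_user:
                continue
            target = line["pg"]
        if target == pg_user:
            return True
    return False


def authenticate(hba, ident, c):
    """Record match first; the usermap is consulted only after a record matched."""
    e = find_hba_entry(hba, c)
    if e is None:
        return "NO_HBA_MATCH"
    if e["method"] != "cert":
        return f"UNSUPPORTED_METHOD:{e['method']}"
    if not c.cert_cn:
        return "NO_CLIENT_CERT"
    mapname = e["opts"].get("map")
    if mapname is None:
        return "OK" if c.cert_cn == c.user else "CN_MISMATCH"
    return "OK" if ident_allows(ident, mapname, c.cert_cn, c.user) else "IDENT_MAP_MISMATCH"


if __name__ == "__main__":
    hba, ident = parse_hba(PG_HBA), parse_ident(PG_IDENT)
    for c in (Conn("pgrepmgr_nonprod", "100.84.12.223", True, True, cert_cn="pgrepmgr_nonprod"),
              Conn("pgrepmgr_nonprod", "100.84.12.223", True, True, cert_cn="ops-laptop"),
              Conn("pgrepmgr_nonprod", "100.84.12.223", False, True)):
        e = find_hba_entry(hba, c)
        print(f"record line {e['lineno'] if e else '-'}: {authenticate(hba, ident, c)}")
```

The ordering is the practical point: the usermap is only applied after a record has already matched on type, database, user and address, so a wrong mapping shows up as a certificate authentication failure, never as "no pg_hba.conf entry"; and a physical replication connection matches the `replication` keyword only, so the non-replication `hostssl all ...` test record has to be a separate line, as proposed above. After editing either file, `SELECT pg_reload_conf();` (or `pg_ctl reload`) applies the change, and `SELECT * FROM pg_hba_file_rules;` shows what the server actually parsed, with any syntax problem in its `error` column (on 15 and later, `pg_ident_file_mappings` does the same for the map).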