public inbox for [email protected]
help / color / mirror / Atom feedFrom: Adrian Klaver <[email protected]>
To: Zwettler Markus (OIZ) <[email protected]>
To: Tom Lane <[email protected]>
To: [email protected] <[email protected]>
Subject: Re: could not accept ssl connection tlsv1 alert unknown ca
Date: Mon, 3 Feb 2025 08:09:32 -0800
Message-ID: <[email protected]> (raw)
In-Reply-To: <GV0P278MB00997E04E572BE316E544B048BF52@GV0P278MB0099.CHEP278.PROD.OUTLOOK.COM>
References: <GV0P278MB0099D57F417CC2985E16BDBB8BE92@GV0P278MB0099.CHEP278.PROD.OUTLOOK.COM>
<[email protected]>
<GV0P278MB009999F084B3BEE630C0AA8F8BE82@GV0P278MB0099.CHEP278.PROD.OUTLOOK.COM>
<[email protected]>
<GV0P278MB009904C70F516CBF0418805A8BE82@GV0P278MB0099.CHEP278.PROD.OUTLOOK.COM>
<[email protected]>
<GV0P278MB00998D54B2F868061D05BC178BF52@GV0P278MB0099.CHEP278.PROD.OUTLOOK.COM>
<GV0P278MB00997E04E572BE316E544B048BF52@GV0P278MB0099.CHEP278.PROD.OUTLOOK.COM>
On 2/3/25 02:14, Zwettler Markus (OIZ) wrote:
>> bash-4.4$ cat pg_hba.conf
>> # Do not edit this file manually!
>> # It will be overwritten by Patroni!
>> local all "postgres" peer
>> hostssl replication "_crunchyrepl" all cert hostssl "postgres" "_crunchyrepl" all
>> cert host all "_crunchyrepl" all reject host all "ccp_monitoring" "127.0.0.0/8"
>> scram-sha-256 host all "ccp_monitoring" "::1/128" scram-sha-256 host all
>> "ccp_monitoring" all reject
>> hostssl all all all md5 <<== user connection matching this
>> line gives the error
>>
>>
>
>
> Seems that I found the root cause in the docs:
> "When clientcert is not specified, the server verifies the client certificate against its CA file only if a client certificate is presented and the CA is configured."
> https://www.postgresql.org/docs/17/ssl-tcp.html#SSL-CLIENT-CERTIFICATES
> a CA is configured on the server and the client presents a client certificate.
>
>
> Is it possible to configure "clientcert=disable" in pg_hba.conf or disable the client verification otherwise?
> The docs only mention "verify-ca" and "verify-full".
> "In addition to the method-specific options listed below, there is a method-independent authentication option clientcert, which can be specified in any hostssl record. This option can be set to verify-ca or verify-full."
> https://www.postgresql.org/docs/current/auth-pg-hba-conf.html
>
From what I understand your client has to either not have the client
certificates or create them correctly.
--
Adrian Klaver
[email protected]
view thread (3+ messages) latest in thread
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected], [email protected]
Subject: Re: could not accept ssl connection tlsv1 alert unknown ca
In-Reply-To: <[email protected]>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox