From: Adrian Klaver <adrian.klaver@aklaver.com>
To: "Zwettler Markus (OIZ)", Tom Lane, "pgsql-general@lists.postgresql.org"
Subject: Re: could not accept ssl connection tlsv1 alert unknown ca
Date: Mon, 3 Feb 2025 08:09:32 -0800
Message-ID: <8893f1fe-ef95-47b7-83ce-858ec8366110@aklaver.com>
References: <3294022.1738259448@sss.pgh.pa.us>
List: pgsql-general@lists.postgresql.org

On 2/3/25 02:14, Zwettler Markus (OIZ) wrote:
>> bash-4.4$ cat pg_hba.conf
>> # Do not edit this file manually!
>> # It will be overwritten by Patroni!
>> local all "postgres" peer
>> hostssl replication "_crunchyrepl" all cert
>> hostssl "postgres" "_crunchyrepl" all cert
>> host all "_crunchyrepl" all reject
>> host all "ccp_monitoring" "127.0.0.0/8" scram-sha-256
>> host all "ccp_monitoring" "::1/128" scram-sha-256
>> host all "ccp_monitoring" all reject
>> hostssl all all all md5 <<== user connection matching this line gives the error
>
> Seems that I found the root cause in the docs:
> "When clientcert is not specified, the server verifies the client certificate against its CA file only if a client certificate is presented and the CA is configured."
> https://www.postgresql.org/docs/17/ssl-tcp.html#SSL-CLIENT-CERTIFICATES
> A CA is configured on the server and the client presents a client certificate.
>
> Is it possible to configure "clientcert=disable" in pg_hba.conf or disable the client verification otherwise?
> The docs only mention "verify-ca" and "verify-full".
> "In addition to the method-specific options listed below, there is a method-independent authentication option clientcert, which can be specified in any hostssl record. This option can be set to verify-ca or verify-full."
> https://www.postgresql.org/docs/current/auth-pg-hba-conf.html
>

From what I understand your client has to either not have the client certificates or create them correctly.

-- 
Adrian Klaver
adrian.klaver@aklaver.com
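The pg_hba.conf quoted in the thread and the two documentation sentences Markus cites can be checked mechanically. The Python script below is an added example written for this thread; it is not code from PostgreSQL, Patroni or any of the posters. It parses the quoted pg_hba.conf (embedded as-is), finds the first matching rule for a connection the way the server does, and reports what happens to a client certificate on that rule according to the quoted documentation: with no `clientcert` option, a certificate the client presents is still verified against the server's CA whenever one is configured, which is the path on which a client certificate the server's CA cannot verify produces the "unknown ca" alert in the subject line. Assumptions: only `all` and CIDR addresses are modelled (hostnames, the separate-netmask column and `samehost`/`samenet` are not), and `cert` authentication is treated as implying full certificate verification, as the PostgreSQL docs describe it.

```python
"""Which pg_hba.conf rule does a connection hit, and is the client cert checked?

Added example for the pgsql-general thread; not PostgreSQL or Patroni code.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# pg_hba.conf exactly as quoted in the thread (Patroni-managed file).
PG_HBA = """\
# Do not edit this file manually!
# It will be overwritten by Patroni!
local all "postgres" peer
hostssl replication "_crunchyrepl" all cert
hostssl "postgres" "_crunchyrepl" all cert
host all "_crunchyrepl" all reject
host all "ccp_monitoring" "127.0.0.0/8" scram-sha-256
host all "ccp_monitoring" "::1/128" scram-sha-256
host all "ccp_monitoring" all reject
hostssl all all all md5
"""


@dataclass
class Rule:
    conn_type: str
    databases: list                  # [(name, quoted)]
    users: list                      # [(name, quoted)]
    address: Optional[tuple]         # (text, quoted); None for local rules
    method: str
    options: dict = field(default_factory=dict)
    line: str = ""


def _names(token):
    """Split a comma-separated field into (name, quoted) pairs.
    Double-quoting turns keywords such as all/replication into literal names."""
    out = []
    for part in token.split(","):
        if len(part) >= 2 and part[0] == part[-1] == '"':
            out.append((part[1:-1], True))
        else:
            out.append((part, False))
    return out


def parse_pg_hba(text):
    """Parse pg_hba.conf lines (assumption: CIDR addresses only, no netmask column)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tok = line.split()
        if tok[0] == "local":
            dbs, users, addr, rest = tok[1], tok[2], None, tok[3:]
        else:
            dbs, users, addr, rest = tok[1], tok[2], _names(tok[3])[0], tok[4:]
        opts = dict(o.split("=", 1) for o in rest[1:])   # e.g. clientcert=verify-ca
        rules.append(Rule(tok[0], _names(dbs), _names(users), addr, rest[0], opts, line))
    return rules


_DB_KEYWORDS = {"all": lambda db: True, "replication": lambda db: db == "replication"}
_USER_KEYWORDS = {"all": lambda user: True}


def _field_matches(items, value, keywords):
    for name, quoted in items:
        if not quoted and name in keywords:
            if keywords[name](value):
                return True
        elif name == value:
            return True
    return False


def _type_matches(rule_type, conn_type):
    if rule_type == "host":                      # host matches SSL and non-SSL TCP
        return conn_type in ("hostssl", "hostnossl")
    return rule_type == conn_type


def _address_matches(rule, address):
    if rule.address is None:                     # local (Unix socket) rule
        return True
    text, quoted = rule.address
    if text == "all" and not quoted:
        return True
    try:   # a v4 address is never inside a v6 network and vice versa
        return ipaddress.ip_address(address) in ipaddress.ip_network(text, strict=False)
    except ValueError:
        return False                             # hostnames etc. not modelled


def first_match(rules, conn_type, database, user, address=None):
    """Return the first matching rule; like the server, order decides."""
    for rule in rules:
        if (_type_matches(rule.conn_type, conn_type)
                and _field_matches(rule.databases, database, _DB_KEYWORDS)
                and _field_matches(rule.users, user, _USER_KEYWORDS)
                and _address_matches(rule, address)):
            return rule
    return None


def client_cert_check(rule, client_presents_cert, server_ca_configured):
    """Apply the documented rule: clientcert is verify-ca or verify-full only; when it
    is absent, a presented certificate is still verified if a CA is configured."""
    mode = rule.options.get("clientcert")
    if rule.method == "cert":       # cert auth always requires a verified certificate
        mode = "verify-full"
    if mode in ("verify-ca", "verify-full"):
        return "required"            # no cert, or a cert the CA cannot verify -> rejected
    if mode is not None:
        raise ValueError(f"clientcert value not in the docs: {mode}")   # no 'disable'
    if client_presents_cert and server_ca_configured:
        return "verified-if-presented"   # the thread's case on 'hostssl all all all md5'
    return "not-verified"


if __name__ == "__main__":
    rules = parse_pg_hba(PG_HBA)
    hit = first_match(rules, "hostssl", "appdb", "appuser", "10.0.0.5")   # constructed
    print(hit.line, "->", client_cert_check(hit, True, True))
```

Running it for an ordinary SSL connection lands on `hostssl all all all md5` and reports `verified-if-presented`, which is exactly why the error depends on the client: the only two inputs that change the outcome on that rule are whether the client sends a certificate at all and whether the server's CA can verify it. Note that libpq sends `~/.postgresql/postgresql.crt` automatically when that file exists (or whatever `sslcert` points to), so a stray certificate on the client machine is enough to trigger the check.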