public inbox for [email protected]  
Re: Re: could not accept ssl connection tlsv1 alert unknown ca
3+ messages / 2 participants

* Re: Re: could not accept ssl connection tlsv1 alert unknown ca
@ 2025-02-03 10:14  Zwettler Markus (OIZ) <[email protected]>
  0 siblings, 1 reply; 3+ messages in thread

From: Zwettler Markus (OIZ) @ 2025-02-03 10:14 UTC (permalink / raw)
  To: Adrian Klaver <[email protected]>; Tom Lane <[email protected]>; [email protected] <[email protected]>

> -----Original Message-----
> From: Zwettler Markus (OIZ) <[email protected]>
> Sent: Monday, 3 February 2025 09:37
> To: Adrian Klaver <[email protected]>; Tom Lane
> <[email protected]>; [email protected]
> Subject: Re: Re: could not accept ssl connection tlsv1 alert unknown ca
> 
> > -----Original Message-----
> > From: Adrian Klaver <[email protected]>
> > Sent: Friday, 31 January 2025 18:07
> > To: Zwettler Markus (OIZ) <[email protected]>; Tom Lane
> > <[email protected]>; [email protected]
> > Subject: [Extern] Re: could not accept ssl connection tlsv1 alert unknown ca
> >
> > On 1/31/25 08:57, Zwettler Markus (OIZ) wrote:
> >
> > > bash-4.4$ cat pg_hba.conf
> > > # Do not edit this file manually!
> > > # It will be overwritten by Patroni!
> > > local all "postgres" peer
> > > hostssl replication "_crunchyrepl" all cert
> > > hostssl "postgres" "_crunchyrepl" all cert
> > > host all "_crunchyrepl" all reject
> > > host all "ccp_monitoring" "127.0.0.0/8" scram-sha-256
> > > host all "ccp_monitoring" "::1/128" scram-sha-256
> > > host all "ccp_monitoring" all reject
> > > hostssl all all all md5
> >
> > From here:
> >
> > https://www.postgresql.org/docs/17/ssl-tcp.html#SSL-CLIENT-CERTIFICATES
> >
> > "There are two approaches to enforce that users provide a certificate during
> > login.
> >
> > The first approach makes use of the cert authentication method for
> > hostssl entries in pg_hba.conf, such that the certificate itself is
> > used for authentication while also providing ssl connection security.
> >
> >
> > [...]
> >
> > The second approach combines any authentication method for hostssl
> > entries with the verification of client certificates by setting the
> > clientcert authentication option to verify-ca or verify-full.  ...
> > "
> >
> > Is the client having issues trying a connection that matches either of
> > the lines below?:
> >
> > replication "_crunchyrepl" all cert
> > hostssl "postgres" "_crunchyrepl" all cert
> >
> > --
> > Adrian Klaver
> > [email protected]
> >
> 
> 
> 
> No, there are no errors with the lines mentioned.
> 
> The error appears with a connection that matches the last line.
> 
> 
> 
> bash-4.4$ cat pg_hba.conf
> # Do not edit this file manually!
> # It will be overwritten by Patroni!
> local all "postgres" peer
> hostssl replication "_crunchyrepl" all cert
> hostssl "postgres" "_crunchyrepl" all cert
> host all "_crunchyrepl" all reject
> host all "ccp_monitoring" "127.0.0.0/8" scram-sha-256
> host all "ccp_monitoring" "::1/128" scram-sha-256
> host all "ccp_monitoring" all reject
> hostssl all all all md5                                     <<== user connection matching this line gives the error
> 
> 


Seems that I found the root cause in the docs:
"When clientcert is not specified, the server verifies the client certificate against its CA file only if a client certificate is presented and the CA is configured."
https://www.postgresql.org/docs/17/ssl-tcp.html#SSL-CLIENT-CERTIFICATES
A CA is configured on the server and the client presents a client certificate.


Is it possible to configure "clientcert=disable" in pg_hba.conf or disable the client verification otherwise?
The docs only mention "verify-ca" and "verify-full".
"In addition to the method-specific options listed below, there is a method-independent authentication option clientcert, which can be specified in any hostssl record. This option can be set to verify-ca or verify-full."
https://www.postgresql.org/docs/current/auth-pg-hba-conf.html


* Re: could not accept ssl connection tlsv1 alert unknown ca
@ 2025-02-03 16:09  Adrian Klaver <[email protected]>
  parent: Zwettler Markus (OIZ) <[email protected]>
  0 siblings, 1 reply; 3+ messages in thread

From: Adrian Klaver @ 2025-02-03 16:09 UTC (permalink / raw)
  To: Zwettler Markus (OIZ) <[email protected]>; Tom Lane <[email protected]>; [email protected] <[email protected]>

On 2/3/25 02:14, Zwettler Markus (OIZ) wrote:

>> bash-4.4$ cat pg_hba.conf
>> # Do not edit this file manually!
>> # It will be overwritten by Patroni!
>> local all "postgres" peer
>> hostssl replication "_crunchyrepl" all cert
>> hostssl "postgres" "_crunchyrepl" all cert
>> host all "_crunchyrepl" all reject
>> host all "ccp_monitoring" "127.0.0.0/8" scram-sha-256
>> host all "ccp_monitoring" "::1/128" scram-sha-256
>> host all "ccp_monitoring" all reject
>> hostssl all all all md5                                     <<== user connection matching this line gives the error
>>
>>
> 
> 
> Seems that I found the root cause in the docs:
> "When clientcert is not specified, the server verifies the client certificate against its CA file only if a client certificate is presented and the CA is configured."
> https://www.postgresql.org/docs/17/ssl-tcp.html#SSL-CLIENT-CERTIFICATES
> a CA is configured on the server and the client presents a client certificate.
> 
> 
> Is it possible to configure "clientcert=disable" in pg_hba.conf or disable the client verification otherwise?
> The docs only mention "verify-ca" and "verify-full".
> "In addition to the method-specific options listed below, there is a method-independent authentication option clientcert, which can be specified in any hostssl record. This option can be set to verify-ca or verify-full."
> https://www.postgresql.org/docs/current/auth-pg-hba-conf.html
>

From what I understand, your client has to either not have the client
certificates or create them correctly.

-- 
Adrian Klaver
[email protected]


* Re: could not accept ssl connection tlsv1 alert unknown ca
@ 2025-02-03 16:44  Adrian Klaver <[email protected]>
  parent: Adrian Klaver <[email protected]>
  0 siblings, 0 replies; 3+ messages in thread

From: Adrian Klaver @ 2025-02-03 16:44 UTC (permalink / raw)
  To: Zwettler Markus (OIZ) <[email protected]>; Tom Lane <[email protected]>; [email protected] <[email protected]>

On 2/3/25 08:09, Adrian Klaver wrote:
> On 2/3/25 02:14, Zwettler Markus (OIZ) wrote:

>> Is it possible to configure "clientcert=disable" in pg_hba.conf or 
>> disable the client verification otherwise?
>> The docs only mention "verify-ca" and "verify-full".
>> "In addition to the method-specific options listed below, there is a 
>> method-independent authentication option clientcert, which can be 
>> specified in any hostssl record. This option can be set to verify-ca 
>> or verify-full."
>> https://www.postgresql.org/docs/current/auth-pg-hba-conf.html
>>
> 
> From what I understand, your client has to either not have the client
> certificates or create them correctly.
> 

To follow up from here:

https://git.postgresql.org/gitweb/?p=postgresql.git;a=blob;f=src/backend/libpq/be-secure-openssl.c;h...

/*
 * Always ask for SSL client cert, but don't fail if it's not
 * presented.  We might fail such connections later, depending on what
 * we find in pg_hba.conf.
 */
SSL_CTX_set_verify(context,
                   (SSL_VERIFY_PEER |
                    SSL_VERIFY_CLIENT_ONCE),
                   verify_cb);

-- 
Adrian Klaver
[email protected]
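To make the two rules this thread turns on concrete (which pg_hba.conf record a connection matches, and when a presented client certificate is verified against the server's CA), here is an added Python model of the quoted configuration. It is example code, not PostgreSQL's own matcher, and it simplifies the pg_hba.conf grammar (no comma lists, +groups, @files or hostnames); the configuration text is reconstructed from the quote above.

```python
import ipaddress
import shlex
# pg_hba.conf as quoted in the thread, one record per line (constructed from the quote).
PG_HBA = """
local all "postgres" peer
hostssl replication "_crunchyrepl" all cert
hostssl "postgres" "_crunchyrepl" all cert
host all "_crunchyrepl" all reject
host all "ccp_monitoring" "127.0.0.0/8" scram-sha-256
host all "ccp_monitoring" "::1/128" scram-sha-256
host all "ccp_monitoring" all reject
hostssl all all all md5
"""

def parse_pg_hba(text):
    """Records as (type, database, user, address, method, options); no comma lists/+groups/@files."""
    records = []
    for raw in text.splitlines():
        f = shlex.split(raw.split("#", 1)[0])  # drops comments and the quotes around identifiers
        if not f:
            continue
        local = f[0] == "local"
        rest = f[3:] if local else f[4:]   # method followed by key=value options
        options = dict(opt.split("=", 1) for opt in rest[1:])
        records.append((f[0], f[1], f[2], None if local else f[3], rest[0], options))
    return records

def match_pg_hba(records, database, user, address=None, ssl=False):
    """First match wins; database="replication" is a physical replication connection (not matched by 'all')."""
    for rec in records:
        ctype, rdb, ruser, raddr, _, _ = rec
        if (ctype == "local") != (address is None) or (ctype == "hostssl" and not ssl):
            continue
        if raddr not in (None, "all") and \
           ipaddress.ip_address(address) not in ipaddress.ip_network(raddr, strict=False):
            continue
        db_ok = rdb == "replication" if database == "replication" else rdb in ("all", database)
        if db_ok and ruser in ("all", user):
            return rec
    return None

def client_cert_outcome(record, ca_configured, cert_presented):
    """A presented cert is verified whenever a CA is configured; only 'cert' or clientcert=verify-* requires one."""
    method, options = record[4], record[5]
    required = method == "cert" or options.get("clientcert") in ("verify-ca", "verify-full")
    if cert_presented and ca_configured:
        return "verified against the server CA (an unknown CA fails the TLS handshake)"
    if required and not cert_presented:
        return "rejected: record requires a client certificate"
    return "not verified; proceeds to %s authentication" % method
```

Running `match_pg_hba` on an ordinary SSL login shows it landing on the final `hostssl all all all md5` record, and `client_cert_outcome` shows why that record's method does not stop a presented certificate from being checked.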


