Re: could not accept ssl connection tlsv1 alert unknown ca

public inbox for [email protected]  
help / color / mirror / Atom feed

From: Adrian Klaver <[email protected]>
To: Zwettler Markus (OIZ) <[email protected]>
To: Tom Lane <[email protected]>
To: [email protected] <[email protected]>
Subject: Re: could not accept ssl connection tlsv1 alert unknown ca
Date: Fri, 31 Jan 2025 09:07:13 -0800
Message-ID: <[email protected]> (raw)
In-Reply-To: <GV0P278MB009904C70F516CBF0418805A8BE82@GV0P278MB0099.CHEP278.PROD.OUTLOOK.COM>
References: <GV0P278MB0099D57F417CC2985E16BDBB8BE92@GV0P278MB0099.CHEP278.PROD.OUTLOOK.COM>
	<[email protected]>
	<GV0P278MB009999F084B3BEE630C0AA8F8BE82@GV0P278MB0099.CHEP278.PROD.OUTLOOK.COM>
	<[email protected]>
	<GV0P278MB009904C70F516CBF0418805A8BE82@GV0P278MB0099.CHEP278.PROD.OUTLOOK.COM>

On 1/31/25 08:57, Zwettler Markus (OIZ) wrote:

> bash-4.4$ cat pg_hba.conf
> # Do not edit this file manually!
> # It will be overwritten by Patroni!
> local all "postgres" peer
> hostssl replication "_crunchyrepl" all cert
> hostssl "postgres" "_crunchyrepl" all cert
> host all "_crunchyrepl" all reject
> host all "ccp_monitoring" "127.0.0.0/8" scram-sha-256
> host all "ccp_monitoring" "::1/128" scram-sha-256
> host all "ccp_monitoring" all reject
> hostssl all all all md5

 From here:

https://www.postgresql.org/docs/17/ssl-tcp.html#SSL-CLIENT-CERTIFICATES

"There are two approaches to enforce that users provide a certificate 
during login.

The first approach makes use of the cert authentication method for 
hostssl entries in pg_hba.conf, such that the certificate itself is used 
for authentication while also providing ssl connection security.

[...]

The second approach combines any authentication method for hostssl 
entries with the verification of client certificates by setting the 
clientcert authentication option to verify-ca or verify-full.  ...
"

Is the client having issues trying a connection that matches either of 
the lines below?:

hostssl replication "_crunchyrepl" all cert
hostssl "postgres" "_crunchyrepl" all cert

> 
> 
> 

-- 
Adrian Klaver
[email protected]

view thread (4+ messages)  latest in thread

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected], [email protected], [email protected]
  Subject: Re: could not accept ssl connection tlsv1 alert unknown ca
  In-Reply-To: <[email protected]>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox