From: Adrian Klaver
Date: Fri, 31 Jan 2025 09:07:13 -0800
Subject: Re: could not accept ssl connection tlsv1 alert unknown ca
To: "Zwettler Markus (OIZ)", Tom Lane, pgsql-general@lists.postgresql.org
References: <3294022.1738259448@sss.pgh.pa.us>

On 1/31/25 08:57, Zwettler Markus (OIZ) wrote:
> bash-4.4$ cat pg_hba.conf
> # Do not edit this file manually!
> # It will be overwritten by Patroni!
> local all "postgres" peer
> hostssl replication "_crunchyrepl" all cert
> hostssl "postgres" "_crunchyrepl" all cert
> host all "_crunchyrepl" all reject
> host all "ccp_monitoring" "127.0.0.0/8" scram-sha-256
> host all "ccp_monitoring" "::1/128" scram-sha-256
> host all "ccp_monitoring" all reject
> hostssl all all all md5

From here:

https://www.postgresql.org/docs/17/ssl-tcp.html#SSL-CLIENT-CERTIFICATES

"There are two approaches to enforce that users provide a certificate during login. The first approach makes use of the cert authentication method for hostssl entries in pg_hba.conf, such that the certificate itself is used for authentication while also providing ssl connection security.

[...]

The second approach combines any authentication method for hostssl entries with the verification of client certificates by setting the clientcert authentication option to verify-ca or verify-full. ... "

Is the client having issues trying a connection that matches either of the lines below?:

hostssl replication "_crunchyrepl" all cert
hostssl "postgres" "_crunchyrepl" all cert

-- 
Adrian Klaver
adrian.klaver@aklaver.com
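As an added example (not code from this thread, PostgreSQL or Patroni), a small Python matcher that walks the quoted pg_hba.conf with PostgreSQL's first-match rule and reports which line a given connection lands on and whether that line demands a client certificate (the "cert" method or clientcert=verify-ca/verify-full), which is the check the reply above asks the poster to make. It deliberately simplifies pg_hba syntax: comma-separated lists, +groups, @files and hostname matching are not handled, and the config text is an embedded copy of the one quoted in the thread.

```python
import ipaddress

# Embedded copy of the pg_hba.conf quoted in the thread (Patroni-managed cluster).
PG_HBA = """\
# Do not edit this file manually!
# It will be overwritten by Patroni!
local all "postgres" peer
hostssl replication "_crunchyrepl" all cert
hostssl "postgres" "_crunchyrepl" all cert
host all "_crunchyrepl" all reject
host all "ccp_monitoring" "127.0.0.0/8" scram-sha-256
host all "ccp_monitoring" "::1/128" scram-sha-256
host all "ccp_monitoring" all reject
hostssl all all all md5
"""

def parse_hba(text):
    # (type, db, user, address, method, options); comma lists, +groups, @files, hostnames not handled (assumption)
    rules = []
    for raw in text.splitlines():
        fields = [f.strip('"') for f in raw.split("#", 1)[0].split()]
        if fields:
            if fields[0] == "local":          # 'local' lines have no address column
                fields.insert(3, None)
            rules.append((fields[0], fields[1], fields[2], fields[3], fields[4], fields[5:]))
    return rules

def matches(rule, ctype, db, user, addr):
    rtype, rdb, ruser, raddr, _, _ = rule
    if rtype != ctype and not (rtype == "host" and ctype == "hostssl"):   # 'host' covers SSL and plain TCP
        return False
    if (db == "replication") != (rdb == "replication"):   # physical replication matches only the keyword, never 'all'
        return False
    if (rdb not in ("all", "replication") and rdb != db) or (ruser != "all" and ruser != user):
        return False
    if rtype != "local" and raddr != "all":
        return ipaddress.ip_address(addr) in ipaddress.ip_network(raddr, strict=False)
    return True

def client_cert_required(rule):
    # True for the 'cert' method, or any method carrying clientcert=verify-ca / verify-full
    return rule[4] == "cert" or any(
        o in ("clientcert=verify-ca", "clientcert=verify-full") for o in rule[5])

def check(ctype, db, user, addr=None, text=PG_HBA):
    # First matching rule wins, as in PostgreSQL; (None, None, False) means no match and the server refuses the connection
    for n, rule in enumerate(parse_hba(text), 1):
        if matches(rule, ctype, db, user, addr):
            return (n, rule[4], client_cert_required(rule))
    return (None, None, False)
```

Running check("hostssl", "replication", "_crunchyrepl", "10.0.0.5") or check("hostssl", "postgres", "_crunchyrepl", "10.0.0.5") shows both "_crunchyrepl" connections hit the cert lines, while a plain non-SSL "host" connection from an ordinary user matches nothing at all.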