Susan Joseph
sandajoseph@xxxxxxxxxxx
sandajoseph@xxxxxxxxxxx
-----Original Message-----
From: Stephen Frost <sfrost@xxxxxxxxxxx>
To: Susan Joseph <sandajoseph@xxxxxxxxxxx>
Cc: pgsql-general@xxxxxxxxxxxxxx <pgsql-general@xxxxxxxxxxxxxx>
Sent: Thu, Sep 3, 2020 9:12 am
Subject: Re: SSL between Primary and Seconday PostgreSQL DBs
Greetings,
* Susan Joseph (sandajoseph@xxxxxxxxxxx) wrote:
> So I made the changes on the secondary to change the sslmode to verify-fullI removed the clientcert=1 in pg_hba.conf and removed any connections other than sslI removed the passfile info from recovery.confand now I am getting this error:
> 2020-09-03 13:01:49.990 UTC [7963] FATAL: could not connect to the primary server: server certificate for "lc-subca-pg.theforest.sap" does not match host name "192.168.1.142"
>>Yes, as I explained, because of exactly the issue that the host you've
>>told your secondary to connect to (looks like 192.168.1.142) doesn't
>>match the certificate presented by the primary (which looks to be
>>"lc-subca-pg.theforest.sap").
From: Stephen Frost <sfrost@xxxxxxxxxxx>
To: Susan Joseph <sandajoseph@xxxxxxxxxxx>
Cc: pgsql-general@xxxxxxxxxxxxxx <pgsql-general@xxxxxxxxxxxxxx>
Sent: Thu, Sep 3, 2020 9:12 am
Subject: Re: SSL between Primary and Seconday PostgreSQL DBs
Greetings,
* Susan Joseph (sandajoseph@xxxxxxxxxxx) wrote:
> So I made the changes on the secondary to change the sslmode to verify-fullI removed the clientcert=1 in pg_hba.conf and removed any connections other than sslI removed the passfile info from recovery.confand now I am getting this error:
> 2020-09-03 13:01:49.990 UTC [7963] FATAL: could not connect to the primary server: server certificate for "lc-subca-pg.theforest.sap" does not match host name "192.168.1.142"
>>Yes, as I explained, because of exactly the issue that the host you've
>>told your secondary to connect to (looks like 192.168.1.142) doesn't
>>match the certificate presented by the primary (which looks to be
>>"lc-subca-pg.theforest.sap").
OK so I fixed that in my recovery.conf file so it is not set to the IP but to the FQDN and it is no longer throwing this error.
>>The answer is to make those two match.
Thanks,
Stephen
Thanks,
Stephen
