On 1/31/25 08:57, Zwettler Markus (OIZ) wrote:
bash-4.4$ cat pg_hba.conf
# Do not edit this file manually!
# It will be overwritten by Patroni!
local all "postgres" peer
hostssl replication "_crunchyrepl" all cert
hostssl "postgres" "_crunchyrepl" all cert
host all "_crunchyrepl" all reject
host all "ccp_monitoring" "127.0.0.0/8" scram-sha-256
host all "ccp_monitoring" "::1/128" scram-sha-256
host all "ccp_monitoring" all reject
hostssl all all all md5
From here:
https://www.postgresql.org/docs/17/ssl-tcp.html#SSL-CLIENT-CERTIFICATES
"There are two approaches to enforce that users provide a certificate
during login.
The first approach makes use of the cert authentication method for
hostssl entries in pg_hba.conf, such that the certificate itself is used
for authentication while also providing ssl connection security.
[...]
The second approach combines any authentication method for hostssl
entries with the verification of client certificates by setting the
clientcert authentication option to verify-ca or verify-full. ...
"
Is the client having issues trying a connection that matches either of
the lines below?:
hostssl replication "_crunchyrepl" all cert
hostssl "postgres" "_crunchyrepl" all cert
--
Adrian Klaver
adrian.klaver@xxxxxxxxxxx
