> -----Original Message-----
> From: Adrian Klaver <adrian.klaver@xxxxxxxxxxx>
> Sent: Friday, 31 January 2025 18:07
> To: Zwettler Markus (OIZ) <Markus.Zwettler@xxxxxxxxxx>; Tom Lane <tgl@xxxxxxxxxxxxx>; pgsql-general@xxxxxxxxxxxxxxxxxxxx
> Subject: [Extern] Re: could not accept ssl connection tlsv1 alert unknown ca
>
> On 1/31/25 08:57, Zwettler Markus (OIZ) wrote:
>
> > bash-4.4$ cat pg_hba.conf
> > # Do not edit this file manually!
> > # It will be overwritten by Patroni!
> > local all "postgres" peer
> > hostssl replication "_crunchyrepl" all cert
> > hostssl "postgres" "_crunchyrepl" all cert
> > host all "_crunchyrepl" all reject
> > host all "ccp_monitoring" "127.0.0.0/8" scram-sha-256
> > host all "ccp_monitoring" "::1/128" scram-sha-256
> > host all "ccp_monitoring" all reject
> > hostssl all all all md5
>
> From here:
>
> https://www.postgresql.org/docs/17/ssl-tcp.html#SSL-CLIENT-CERTIFICATES
>
> "There are two approaches to enforce that users provide a certificate during login.
>
> The first approach makes use of the cert authentication method for hostssl entries in pg_hba.conf, such that the certificate itself is used for authentication while also providing ssl connection security.
>
> [...]
>
> The second approach combines any authentication method for hostssl entries with the verification of client certificates by setting the clientcert authentication option to verify-ca or verify-full. ...
> "
>
> Is the client having issues trying a connection that matches either of the lines below?:
>
> replication "_crunchyrepl" all cert
> hostssl "postgres" "_crunchyrepl" all cert
>
> --
> Adrian Klaver
> adrian.klaver@xxxxxxxxxxx

No, there are no errors with the lines mentioned. The error appears with a connection that matches the last line.

bash-4.4$ cat pg_hba.conf
# Do not edit this file manually!
# It will be overwritten by Patroni!
local all "postgres" peer
hostssl replication "_crunchyrepl" all cert
hostssl "postgres" "_crunchyrepl" all cert
host all "_crunchyrepl" all reject
host all "ccp_monitoring" "127.0.0.0/8" scram-sha-256
host all "ccp_monitoring" "::1/128" scram-sha-256
host all "ccp_monitoring" all reject
hostssl all all all md5   <<== user connection matching this line gives the error
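As an added example that is neither part of this thread nor PostgreSQL's own code, the Python below resolves which record of the posted pg_hba.conf a given connection attempt hits under PostgreSQL's first-match rule (record type, database, user, then client address). The connection kinds "local"/"ssl"/"nossl" and the sample client addresses and user names are assumptions chosen for illustration.

```python
# Added example (not PostgreSQL code): first-match resolver for pg_hba.conf records.
import ipaddress
import shlex

# Constructed from the pg_hba.conf posted in the thread.
PG_HBA = """\
# Do not edit this file manually!
local    all         "postgres"        peer
hostssl  replication "_crunchyrepl"    all           cert
hostssl  "postgres"  "_crunchyrepl"    all           cert
host     all         "_crunchyrepl"    all           reject
host     all         "ccp_monitoring"  "127.0.0.0/8" scram-sha-256
host     all         "ccp_monitoring"  "::1/128"     scram-sha-256
host     all         "ccp_monitoring"  all           reject
hostssl  all         all               all           md5
"""

# Connection kinds each record type accepts ("local" = Unix socket, "ssl"/"nossl" = TCP).
TYPE_OK = {"local": {"local"}, "host": {"ssl", "nossl"},
           "hostssl": {"ssl"}, "hostnossl": {"nossl"}}

def parse_hba(text):
    """Return one dict per record; shlex strips the double quotes."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        f = shlex.split(raw.split("#", 1)[0])
        if not f:
            continue
        is_local = f[0] == "local"  # local records carry no address field
        rules.append({"line": lineno, "type": f[0], "db": f[1], "user": f[2],
                      "addr": None if is_local else f[3],
                      "method": f[3] if is_local else f[4]})
    return rules

def _addr_ok(rule_addr, ip):
    if rule_addr in (None, "all"):
        return True
    # An IPv4 client tested against "::1/128" is simply a non-match
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule_addr, strict=False)

def first_match(rules, conn, db, user, ip=None):
    """First matching record wins; None means no record matches at all."""
    for r in rules:
        if (conn in TYPE_OK[r["type"]]
                # "all" does not match a physical replication connection
                and (r["db"] == db or (r["db"] == "all" and db != "replication"))
                and r["user"] in ("all", user)
                and _addr_ok(r["addr"], ip)):
            return r
    return None
```

Note that pg_hba.conf is consulted only after the TLS handshake has completed, so a TLS-level alert such as "unknown ca" is raised before the authentication method on the matched record is ever applied.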