On 2/3/25 02:14, Zwettler Markus (OIZ) wrote:
bash-4.4$ cat pg_hba.conf
# Do not edit this file manually!
# It will be overwritten by Patroni!
local all "postgres" peer
hostssl replication "_crunchyrepl" all cert hostssl "postgres" "_crunchyrepl" all
cert host all "_crunchyrepl" all reject host all "ccp_monitoring" "127.0.0.0/8"
scram-sha-256 host all "ccp_monitoring" "::1/128" scram-sha-256 host all
"ccp_monitoring" all reject
hostssl all all all md5 <<== user connection matching this
line gives the error
Seems that I found the root cause in the docs:
"When clientcert is not specified, the server verifies the client certificate against its CA file only if a client certificate is presented and the CA is configured."
https://www.postgresql.org/docs/17/ssl-tcp.html#SSL-CLIENT-CERTIFICATES
a CA is configured on the server and the client presents a client certificate.
Is it possible to configure "clientcert=disable" in pg_hba.conf or disable the client verification otherwise?
The docs only mention "verify-ca" and "verify-full".
"In addition to the method-specific options listed below, there is a method-independent authentication option clientcert, which can be specified in any hostssl record. This option can be set to verify-ca or verify-full."
https://www.postgresql.org/docs/current/auth-pg-hba-conf.html
From what I understand your client has to either not have the client
certificates or create them correctly.
--
Adrian Klaver
adrian.klaver@xxxxxxxxxxx
