> -----Ursprüngliche Nachricht----- > Von: Zwettler Markus (OIZ) <markus.zwett...@zuerich.ch> > Gesendet: Montag, 3. Februar 2025 09:37 > An: Adrian Klaver <adrian.kla...@aklaver.com>; Tom Lane > <t...@sss.pgh.pa.us>; pgsql-general@lists.postgresql.org > Betreff: Re: Re: could not accept ssl connection tlsv1 alert unknown ca > > > -----Ursprüngliche Nachricht----- > > Von: Adrian Klaver <adrian.kla...@aklaver.com> > > Gesendet: Freitag, 31. Januar 2025 18:07 > > An: Zwettler Markus (OIZ) <markus.zwett...@zuerich.ch>; Tom Lane > > <t...@sss.pgh.pa.us>; pgsql-general@lists.postgresql.org > > Betreff: [Extern] Re: could not accept ssl connection tlsv1 alert > > unknown ca > > > > On 1/31/25 08:57, Zwettler Markus (OIZ) wrote: > > > > > bash-4.4$ cat pg_hba.conf > > > # Do not edit this file manually! > > > # It will be overwritten by Patroni! > > > local all "postgres" peer > > > hostssl replication "_crunchyrepl" all cert hostssl "postgres" > > > "_crunchyrepl" all cert host all "_crunchyrepl" all reject host all > > > "ccp_monitoring" "127.0.0.0/8" scram-sha-256 host all "ccp_monitoring" > > > "::1/128" scram-sha-256 host all "ccp_monitoring" all reject hostssl > > > all all all md5 > > > > From here: > > > > https://www.postgresql.org/docs/17/ssl-tcp.html#SSL-CLIENT-CERTIFICATE > > S > > > > "There are two approaches to enforce that users provide a certificate during > login. > > > > The first approach makes use of the cert authentication method for > > hostssl entries in pg_hba.conf, such that the certificate itself is > > used for authentication while also providing ssl connection security. > > > > > > [...] > > > > The second approach combines any authentication method for hostssl > > entries with the verification of client certificates by setting the > > clientcert authentication option to verify-ca or verify-full. ... > > " > > > > Is the client having issues trying a connection that matches either of > > the lines > > below?: > > > > replication "_crunchyrepl" all cert hostssl "postgres" "_crunchyrepl" > > all cert > > > > > > > > > > > > > > > -- > > Adrian Klaver > > adrian.kla...@aklaver.com > > > > > > No, there are no errors with the lines mentioned. > > The error appears with a connection that matches the last line. > > > > bash-4.4$ cat pg_hba.conf > # Do not edit this file manually! > # It will be overwritten by Patroni! > local all "postgres" peer > hostssl replication "_crunchyrepl" all cert hostssl "postgres" "_crunchyrepl" > all > cert host all "_crunchyrepl" all reject host all "ccp_monitoring" > "127.0.0.0/8" > scram-sha-256 host all "ccp_monitoring" "::1/128" scram-sha-256 host all > "ccp_monitoring" all reject > hostssl all all all md5 <<== user > connection matching this > line gives the error > >
Seems that I found the root cause in the docs: "When clientcert is not specified, the server verifies the client certificate against its CA file only if a client certificate is presented and the CA is configured." https://www.postgresql.org/docs/17/ssl-tcp.html#SSL-CLIENT-CERTIFICATES a CA is configured on the server and the client presents a client certificate. Is it possible to configure "clientcert=disable" in pg_hba.conf or disable the client verification otherwise? The docs only mention "verify-ca" and "verify-full". "In addition to the method-specific options listed below, there is a method-independent authentication option clientcert, which can be specified in any hostssl record. This option can be set to verify-ca or verify-full." https://www.postgresql.org/docs/current/auth-pg-hba-conf.html
