Re: FATAL: connection requires a valid client certificate

From: Valere Binet <valere(dot)binet(at)gmail(dot)com>
To: Jeff Janes <jeff(dot)janes(at)gmail(dot)com>
Cc: pgsql-admin(at)lists(dot)postgresql(dot)org
Subject: Re: FATAL: connection requires a valid client certificate
Date: 2025-06-23 13:11:30
Message-ID: CAJn2Pjmd8krhnT8cFFYPB7XXG6ik96JrAeE+D7uL1oXKhc4JSQ@mail.gmail.com
Lists: pgsql-admin

Hi Jeff,

Yes, you are correct, I use server certificates as these are the only ones
I can get. The only client certificates we can get are on our PIV cards. We
need a client certificate for our application but that is not available and
we have to use a server certificate.
If I understood the documentation correctly, the map in pg_ident.conf
matches the server2 certificate to the ccid postgresql account, right?
# map-name system-username database-username
rafe server2 ccid

Just FYA, mongo doesn't like it (warning in the logs) but lets us use a
server certificate for the client connections, cockroach doesn't care. For
different reasons, we need to move away from both and are trying
postgresql/citus to see if that will meet our needs.

In the meantime I checked that all the certificates on both sides are valid
so, I have no idea why I'm getting the "certificate expired" message.

Valère Binet

On Sat, Jun 21, 2025 at 1:29 PM Jeff Janes <jeff(dot)janes(at)gmail(dot)com> wrote:

> On Fri, Jun 20, 2025 at 11:35 AM Valere Binet <valere(dot)binet(at)gmail(dot)com>
> wrote:
>
>> Hi everyone,
>>
>> I'm completely new to postgresql and I'm struggling with its SSL
>> configuration.
>>
>> ...
>>
>
>
>> The certificate chain has 4 certificates, 1 root, 1 intermediate signed
>> by the root certificate, a second intermediate signed by the first one and
>> a server certificate signed by the second intermediate certificate. I'll
>> call it server.
>> I also have a second server certificate also signed by the second
>> intermediate certificate. I'll call it server2.
>>
>
> You only describe having server certs, but the error message says a client
> cert is needed. You don't describe having any client certs. Maybe you are
> trying to use a server cert as if it were a client cert, but that is
> unlikely to work. The server cert needs the hostname of the server as a CN
> (or SAN), while a client cert needs the username of client (either ccid or
> server2, not sure which) as the CN.
>
>
>> hostssl all ccid all cert map=rafe
>>
>
> This demands a client cert. Server certs are common. Client certs are
> somewhat rare, are you sure you actually want those? If so, you will need
> to set yourself up with one.
>
> Cheers,
>
> Jeff
>
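The checks discussed in this exchange (whether a certificate can serve as a client certificate at all, whether it is still within its validity period, and how a pg_ident.conf line such as `rafe server2 ccid` resolves for the `hostssl all ccid all cert map=rafe` entry), as an added example that is not part of this thread and not PostgreSQL's own code. It builds a throwaway CA with OpenSSL, issues one certificate shaped like a server certificate (CN set to a hostname, extendedKeyUsage = serverAuth) and one shaped like a client certificate (CN = server2, extendedKeyUsage = clientAuth), and then verifies each with OpenSSL's sslclient purpose, which is the purpose OpenSSL applies when the server side of a TLS connection verifies a peer certificate. The map name rafe, the CN server2 and the role ccid come from the thread; the hostname db.example.internal, the CA name and the file layout under a temporary directory are assumptions, and the map lookup handles only plain (non-regex) pg_ident.conf entries.

```sh
#!/bin/sh
# Added example, not code from the thread or from PostgreSQL: exercise the
# checks behind `hostssl ... cert map=rafe` against a throwaway PKI.
# Assumed names: db.example.internal (server CN), "Demo Root CA", and the
# file layout under $WORK. rafe / server2 / ccid are taken from the thread.

command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }
WORK=$(mktemp -d)

# issue_cert <name> <cn> <eku>: CA-signed leaf with the given CN and EKU.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$2" >/dev/null 2>&1
  printf 'extendedKeyUsage=%s\n' "$3" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Self-signed root with explicit CA extensions (no reliance on openssl.cnf
# extension sections), then one leaf per extendedKeyUsage value.
make_demo_pki() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.csr" -subj "/CN=Demo Root CA" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 1 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" >/dev/null 2>&1
  issue_cert server db.example.internal serverAuth   # shaped like a server cert
  issue_cert client server2 clientAuth               # a real client cert
}

# cert_cn <cert>: the subject CN that the server compares with pg_ident.conf.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# verify_as_client <cert>: chain, validity period and *client* purpose.
# A server verifying a peer certificate uses OpenSSL's ssl_client purpose,
# which rejects a leaf whose extendedKeyUsage omits clientAuth.
verify_as_client() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose sslclient "$1" >/dev/null 2>&1
}

# not_expiring_within <cert> <seconds>: succeeds if still valid that long.
not_expiring_within() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# ident_map_allows <pg_ident.conf> <map> <cn> <dbuser>: succeeds if a plain
# (non-regex) line "<map> <cn> <dbuser>" exists; comments and blanks skipped.
ident_map_allows() {
  awk -v map="$2" -v cn="$3" -v user="$4" \
    '/^[[:space:]]*#/ || NF < 3 { next }
     $1 == map && $2 == cn && $3 == user { found = 1; exit }
     END { exit !found }' "$1"
}

make_demo_pki
cat > "$WORK/pg_ident.conf" <<'EOF'
# MAPNAME  SYSTEM-USERNAME  PG-USERNAME
rafe       server2          ccid
EOF
cat > "$WORK/pg_hba.conf" <<'EOF'
# TYPE  DATABASE  USER  ADDRESS  METHOD  OPTIONS
hostssl all       ccid  all      cert    map=rafe
EOF

for c in server client; do
  cn=$(cert_cn "$WORK/$c.crt")
  if verify_as_client "$WORK/$c.crt"; then v=accepted; else v=rejected; fi
  if ident_map_allows "$WORK/pg_ident.conf" rafe "$cn" ccid; then m=yes; else m=no; fi
  echo "$c.crt  CN=$cn  sslclient verify: $v  map rafe $cn -> ccid: $m"
done
```

Run it with sh; it prints one line per certificate. The server-shaped certificate is rejected by the sslclient check because of its extendedKeyUsage even though it is well within its validity period, which is a different failure from an expired certificate; removing the redirection inside verify_as_client makes `openssl verify` print the specific reason. The same three checks (cert_cn, verify_as_client against the real CA bundle, not_expiring_within) can be pointed at the actual server.crt and server2 files to see which one fails and why.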
