From: | Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com> |
---|---|
To: | Thomas Spear <speeddymon(at)gmail(dot)com> |
Cc: | pgsql-hackers(at)lists(dot)postgresql(dot)org |
Subject: | Re: TLS certificate alternate trust paths issue in libpq - certificate chain validation failing |
Date: | 2024-05-01 19:18:41 |
Message-ID: | CAOYmi+nM5CDQPLJ7ktx_yukj71NG4tJg5HY_g_QJBAzWX5WUcQ@mail.gmail.com |
Lists: | pgsql-hackers |

On Wed, May 1, 2024 at 11:57 AM Thomas Spear <speeddymon(at)gmail(dot)com> wrote:
> It does fail to validate for case 4 after all. I must have had a copy/paste error during past tests.

Okay, good. Glad it's behaving as expected!

> So then it sounds like putting the MS root in root.crt (as we have done to fix this) is the correct thing to do, and there's no issue. It doesn't seem libpq will use the trusted roots that are typically located in either /etc/ssl or /etc/pki so we have to provide the root in the path where libpq expects it to be to get verify-full to work properly.

Right. Versions 16 and later will let you use `sslrootcert=system` to
load those /etc locations more easily, but if the MS root isn't in the
system PKI stores and the server isn't sending the DigiCert chain then
that probably doesn't help you.

> Thanks for helping me to confirm this. I'll get a case open with MS regarding the wrong root download from the portal in GovCloud.

Happy to help!

Have a good one,
--Jacob