Re: could not accept ssl connection tlsv1 alert unknown ca

On 1/31/25 08:57, Zwettler Markus (OIZ) wrote:

> bash-4.4$ cat pg_hba.conf
> # Do not edit this file manually!
> # It will be overwritten by Patroni!
> local all "postgres" peer
> hostssl replication "_crunchyrepl" all cert
> hostssl "postgres" "_crunchyrepl" all cert
> host all "_crunchyrepl" all reject
> host all "ccp_monitoring" "127.0.0.0/8" scram-sha-256
> host all "ccp_monitoring" "::1/128" scram-sha-256
> host all "ccp_monitoring" all reject
> hostssl all all all md5

From here:

https://www.postgresql.org/docs/17/ssl-tcp.html#SSL-CLIENT-CERTIFICATES

"There are two approaches to enforce that users provide a certificate
during login.

The first approach makes use of the cert authentication method for
hostssl entries in pg_hba.conf, such that the certificate itself is used
for authentication while also providing ssl connection security.

[...]

The second approach combines any authentication method for hostssl
entries with the verification of client certificates by setting the
clientcert authentication option to verify-ca or verify-full. ...
"

Is the client having issues trying a connection that matches either of
the lines below?:

hostssl replication "_crunchyrepl" all cert
hostssl "postgres" "_crunchyrepl" all cert

>
>
>

--
Adrian Klaver
adrian(dot)klaver(at)aklaver(dot)com