On Wed, May 1, 2024 at 11:57 AM Thomas Spear <speeddy...@gmail.com> wrote:
> It does fail to validate for case 4 after all. I must have had a copy/paste 
> error during past tests.

Okay, good. Glad it's behaving as expected!

> So then it sounds like putting the MS root in root.crt (as we have done to 
> fix this) is the correct thing to do, and there's no issue. It doesn't seem 
> libpq will use the trusted roots that are typically located in either 
> /etc/ssl or /etc/pki so we have to provide the root in the path where libpq 
> expects it to be to get verify-full to work properly.

Right. Versions 16 and later will let you use `sslrootcert=system` to
load those /etc locations more easily, but if the MS root isn't in the
system PKI stores and the server isn't sending the DigiCert chain then
that probably doesn't help you.

> Thanks for helping me to confirm this. I'll get a case open with MS regarding 
> the wrong root download from the portal in GovCloud.

Happy to help!

Have a good one,
--Jacob
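
The point settled above (under verify-full, libpq trusts only the roots in the file it is given, so a wrong root download fails), as an added example that is not part of the original thread. It builds two constructed roots with the openssl CLI and checks which candidate file the server certificate chains to; the names portal-root, issuing-root and db.example.test are made up for the demo.

```shell
# Constructed demo: "portal-root" stands in for a wrong root download,
# "issuing-root" for the root that actually signed the server certificate.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config so the result does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

make_root() {   # $1 = name; writes $1.key and $1.crt (self-signed CA)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

make_server() { # $1 = signing root, $2 = server host name
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj "/CN=$2" -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/$1.crt" \
    -CAkey "$WORK/$1.key" -CAcreateserial -days 1 \
    -out "$WORK/server.crt" 2>/dev/null
}

# Succeeds only if server.crt chains to a root in the candidate file $1,
# which is the file you would install as libpq's root.crt / sslrootcert.
chains_to() {
  openssl verify -CAfile "$1" "$WORK/server.crt" >/dev/null 2>&1
}
report() {      # $1 = candidate root file; prints "usable" or "unusable"
  if chains_to "$1"; then echo usable; else echo unusable; fi
}

make_root portal-root
make_root issuing-root
make_server issuing-root db.example.test
cat "$WORK/portal-root.crt" "$WORK/issuing-root.crt" > "$WORK/bundle.crt"

for f in portal-root issuing-root bundle; do
  echo "$f.crt: $(report "$WORK/$f.crt")"
done
```

The bundle case passes because a root file may hold several concatenated PEM certificates; only one of them has to be the root the server chain ends in.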

