Re: could not accept ssl connection tlsv1 alert unknown ca

2025-02-03 Thread Adrian Klaver
On 2/3/25 08:09, Adrian Klaver wrote: On 2/3/25 02:14, Zwettler Markus (OIZ) wrote: Is it possible to configure "clientcert=disable" in pg_hba.conf or disable the client verification otherwise? The docs only mention "verify-ca" and "verify-full". "In addition to the method-specific options li

Re: could not accept ssl connection tlsv1 alert unknown ca

2025-02-03 Thread Adrian Klaver
On 2/3/25 02:14, Zwettler Markus (OIZ) wrote: bash-4.4$ cat pg_hba.conf # Do not edit this file manually! # It will be overwritten by Patroni! local all "postgres" peer hostssl replication "_crunchyrepl" all cert hostssl "postgres" "_crunchyrepl" all cert host all "_crunchyrepl" all reject host

Re: Re: could not accept ssl connection tlsv1 alert unknown ca

2025-02-03 Thread Zwettler Markus (OIZ)
> -Original Message- > From: Zwettler Markus (OIZ) > Sent: Monday, 3 February 2025 09:37 > To: Adrian Klaver ; Tom Lane > ; pgsql-general@lists.postgresql.org > Subject: Re: Re: could not accept ssl connection tlsv1 alert unknown ca > > > -

Re: Re: could not accept ssl connection tlsv1 alert unknown ca

2025-02-03 Thread Zwettler Markus (OIZ)
> -Original Message- > From: Adrian Klaver > Sent: Friday, 31 January 2025 18:07 > To: Zwettler Markus (OIZ) ; Tom Lane > ; pgsql-general@lists.postgresql.org > Subject: [Extern] Re: could not accept ssl connection tlsv1 alert unknown ca > > On 1/31/2

Re: could not accept ssl connection tlsv1 alert unknown ca

2025-01-31 Thread Adrian Klaver
On 1/31/25 08:57, Zwettler Markus (OIZ) wrote: bash-4.4$ cat pg_hba.conf # Do not edit this file manually! # It will be overwritten by Patroni! local all "postgres" peer hostssl replication "_crunchyrepl" all cert hostssl "postgres" "_crunchyrepl" all cert host all "_crunchyrepl" all reject host

Re: Re: could not accept ssl connection tlsv1 alert unknown ca

2025-01-31 Thread Zwettler Markus (OIZ)
> -Original Message- > From: Adrian Klaver > Sent: Friday, 31 January 2025 17:37 > To: Zwettler Markus (OIZ) ; Tom Lane > ; pgsql-general@lists.postgresql.org > Subject: [Extern] Re: could not accept ssl connection tlsv1 alert unknown ca > > On 1/31/2

Re: could not accept ssl connection tlsv1 alert unknown ca

2025-01-31 Thread Adrian Klaver
On 1/31/25 00:57, Zwettler Markus (OIZ) wrote: From: Tom Lane Those cause some additional checks to be made, but it's not like you can expect a completely broken certificate to work without them. regards, tom lane I don't understand why Postgres does a certificat

Re: Re: could not accept ssl connection tlsv1 alert unknown ca

2025-01-31 Thread Zwettler Markus (OIZ)
> From: Tom Lane > Sent: Thursday, 30 January 2025 18:51 > To: Zwettler Markus (OIZ) > Cc: pgsql-general@lists.postgresql.org > Subject: [Extern] Re: could not accept ssl connection tlsv1 alert unknown ca > > "Zwettler Markus (OIZ)" writes: > > How

Re: could not accept ssl connection tlsv1 alert unknown ca

2025-01-30 Thread Tom Lane
"Zwettler Markus (OIZ)" writes: > However, one client also configured some client certificates + > "sslmode=prefer" which resulted in "could not accept ssl connection tlsv1 > alert unknown ca". I'm no expert, but I think this typically means a m

could not accept ssl connection tlsv1 alert unknown ca

2025-01-30 Thread Zwettler Markus (OIZ)
nfigured some client certificates + "sslmode=prefer" which resulted in "could not accept ssl connection tlsv1 alert unknown ca". I always thought that Postgres does only validate certificates with "sslmode=verify-ca" and "sslmode=verify-full" => https://www.postgresql.org/docs/current/libpq-ssl.html Did I get something wrong?