A recent complaint in pgsql-novice revealed that if you have say
hostssl all all 127.0.0.1/32 md5 clientcert=1
in pg_hba.conf, but you forget to enable SSL in postgresql.conf,
you get something like this:
LOG: client certificates can only be checked if a root certificate store is available
HINT: Make sure the root.crt file is present and readable.
CONTEXT: line 82 of configuration file "/home/tgl/version90/data/pg_hba.conf"
LOG: client certificates can only be checked if a root certificate store is available
HINT: Make sure the root.crt file is present and readable.
CONTEXT: line 84 of configuration file "/home/tgl/version90/data/pg_hba.conf"
FATAL: could not load pg_hba.conf
Needless to say, this is pretty unhelpful, especially if you actually do
have a root.crt file.
I'm inclined to think that the correct fix is to make parse_hba_line,
where it first realizes the line is "hostssl", check not only that SSL
support is compiled but that it's turned on. Is it really sensible to
allow hostssl lines in pg_hba.conf when SSL is turned off? At best
they are no-ops, and at worst they're going to result in weird failures
like this one.
regards, tom lane