Re: could not accept ssl connection tlsv1 alert iso-8859-1 ca
| От | Adrian Klaver |
|---|---|
| Тема | Re: could not accept ssl connection tlsv1 alert iso-8859-1 ca |
| Дата | |
| Msg-id | 8893f1fe-ef95-47b7-83ce-858ec8366110@aklaver.com обсуждение исходный текст |
| Ответ на | Re: Re: could not accept ssl connection tlsv1 alert iso-8859-1 ca ("Zwettler Markus (OIZ)" <Markus.Zwettler@zuerich.ch>) |
| Список | pgsql-general |
On 2/3/25 02:14, Zwettler Markus (OIZ) wrote: >> bash-4.4$ cat pg_hba.conf >> # Do not edit this file manually! >> # It will be overwritten by Patroni! >> local all "postgres" peer >> hostssl replication "_crunchyrepl" all cert hostssl "postgres" "_crunchyrepl" all >> cert host all "_crunchyrepl" all reject host all "ccp_monitoring" "127.0.0.0/8" >> scram-sha-256 host all "ccp_monitoring" "::1/128" scram-sha-256 host all >> "ccp_monitoring" all reject >> hostssl all all all md5 <<== user connection matching this >> line gives the error >> >> > > > Seems that I found the root cause in the docs: > "When clientcert is not specified, the server verifies the client certificate against its CA file only if a client certificateis presented and the CA is configured." > https://www.postgresql.org/docs/17/ssl-tcp.html#SSL-CLIENT-CERTIFICATES > a CA is configured on the server and the client presents a client certificate. > > > Is it possible to configure "clientcert=disable" in pg_hba.conf or disable the client verification otherwise? > The docs only mention "verify-ca" and "verify-full". > "In addition to the method-specific options listed below, there is a method-independent authentication option clientcert,which can be specified in any hostssl record. This option can be set to verify-ca or verify-full." > https://www.postgresql.org/docs/current/auth-pg-hba-conf.html > From what I understand your client has to either not have the client certificates or create them correctly. -- Adrian Klaver adrian.klaver@aklaver.com
В списке pgsql-general по дате отправления: