Re: FATAL: connection requires a valid client certificate

Hi Jeff,

Yes, you are correct: I use server certificates, as these are the only ones I can get. The only client certificates we can get are on our PIV cards. We need a client certificate for our application, but that is not available and we have to use a server certificate.
If I understood the documentation correctly, the map in pg_ident.conf matches the server2 certificate to the ccid postgresql account, right?
#map-name system-username database-username
rafe      server2     ccid

Just FYA, mongo doesn't like it (warning in the logs) but lets us use a server certificate for the client connections, cockroach doesn't care. For different reasons, we need to move away from both and are trying postgresql/citus to see if that will meet our needs.

In the meantime I checked that all the certificates on both sides are valid, so I have no idea why I'm getting the "certificate expired" message.

Valère Binet

On Sat, Jun 21, 2025 at 1:29 PM Jeff Janes <jeff.janes@xxxxxxxxx> wrote:
On Fri, Jun 20, 2025 at 11:35 AM Valere Binet <valere.binet@xxxxxxxxx> wrote:
Hi everyone,

I'm completely new to postgresql and I'm struggling with its SSL configuration.

...
The certificate chain has 4 certificates: 1 root, 1 intermediate signed by the root certificate, a second intermediate signed by the first one, and a server certificate signed by the second intermediate certificate. I'll call it server.
I also have a second server certificate also signed by the second intermediate certificate. I'll call it server2.

You only describe having server certs, but the error message says a client cert is needed.  You don't describe having any client certs.  Maybe you are trying to use a server cert as if it were a client cert, but that is unlikely to work.  The server cert needs the hostname of the server as a CN (or SAN), while a client cert needs the username of the client (either ccid or server2, not sure which) as the CN.


hostssl all   ccid   all  cert map=rafe

This demands a client cert.  Server certs are common.  Client certs are somewhat rare, are you sure you actually want those?  If so, you will need to set yourself up with one.

Cheers,

Jeff
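As an added illustration (constructed for this archive page, not code from either poster and not PostgreSQL's own implementation), the script below models how a `hostssl ... cert map=rafe` rule in pg_hba.conf resolves the client certificate's CN through pg_ident.conf to a database role. With the `cert` method the CN of the presented certificate is the "system-username" side of the map; without a `map=` option the CN must equal the database user. The pg_hba and pg_ident lines are made up to mirror the thread (map `rafe`, CN `server2`, role `ccid`), the address column is assumed to match, and only the plain and `/regex` (with `\1`) map forms are handled.

```python
"""Model PostgreSQL cert-method authentication: pg_hba rule selection plus
pg_ident user-name mapping. Constructed example; the config snippets below
are made up to mirror the mailing-list thread, not taken from a real server."""
import re

# Constructed pg_hba.conf: the first record matching type/db/user decides.
PG_HBA = """\
# TYPE    DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
hostssl   all       ccid  all      cert    map=rafe
hostssl   all       all   all      cert    clientcert=verify-full
"""

# Constructed pg_ident.conf: plain mapping plus a regex mapping with \1.
PG_IDENT = """\
# MAPNAME  SYSTEM-USERNAME          PG-USERNAME
rafe       server2                  ccid
rafe       /^(.*)@example\\.com$    \\1
"""


def parse_hba(text):
    """Parse pg_hba records into dicts. Assumes one address token (no separate
    netmask column) and whitespace-separated fields, which covers the common case."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local":            # 'local' records carry no address column
            typ, db, user, addr, method, opts = f[0], f[1], f[2], None, f[3], f[4:]
        else:
            typ, db, user, addr, method, opts = f[0], f[1], f[2], f[3], f[4], f[5:]
        options = dict(o.split("=", 1) for o in opts if "=" in o)
        rules.append({"type": typ, "db": db, "user": user, "addr": addr,
                      "method": method, "options": options})
    return rules


def ident_map_allows(ident_text, map_name, system_user, db_user):
    """True if any line of map `map_name` maps `system_user` (the cert CN for the
    cert method) to `db_user`. A system-username starting with '/' is a regular
    expression; if it captures a group, '\\1' in the PG-username is replaced by it."""
    for raw in ident_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sys_pat, pg_user = line.split()[:3]
        if name != map_name:
            continue
        if sys_pat.startswith("/"):
            m = re.search(sys_pat[1:], system_user)
            if not m:
                continue
            if m.groups():
                pg_user = pg_user.replace("\\1", m.group(1))
        elif sys_pat != system_user:
            continue
        if pg_user == db_user:
            return True
    return False


def cert_login_allowed(hba_text, ident_text, conn_type, database, db_user, cn):
    """Return (allowed, reason) for a connection presenting a client cert with
    subject CN `cn` and asking to log in as `db_user` on `database`."""
    for rule in parse_hba(hba_text):
        if rule["type"] != conn_type:
            continue
        if rule["db"] not in ("all", database):
            continue
        if rule["user"] not in ("all", db_user):
            continue
        # First matching record decides; a failure here is final.
        if rule["method"] != "cert":
            return False, "first matching rule uses method %r, not cert" % rule["method"]
        map_name = rule["options"].get("map")
        if map_name is None:
            return cn == db_user, "no map= option: CN must equal the database user"
        ok = ident_map_allows(ident_text, map_name, cn, db_user)
        return ok, "map %r %s CN %r to role %r" % (
            map_name, "maps" if ok else "does not map", cn, db_user)
    return False, "no matching pg_hba record"


if __name__ == "__main__":
    for cn, role in (("server2", "ccid"), ("server", "ccid"), ("alice", "alice")):
        print(cn, "->", role, cert_login_allowed(PG_HBA, PG_IDENT, "hostssl", "mydb", role, cn))
```

Note that the map only answers the "which role may this CN become" question; it does nothing for the TLS handshake that precedes it. Before the map is ever consulted, the server must accept the client certificate as a client certificate, so the things worth checking on the certificate file itself are the subject CN (`openssl x509 -in cert.pem -noout -subject`), the extended key usage (`openssl x509 -in cert.pem -noout -ext extendedKeyUsage`, which for a server-only certificate will typically list only TLS Web Server Authentication), the validity window (`openssl x509 -in cert.pem -noout -dates` or `-checkend 0`, checked against the clock of the machine running the PostgreSQL server rather than the client), and the chain (`openssl verify -CAfile root.pem -untrusted intermediates.pem cert.pem`, where the server's `ssl_ca_file` must contain the intermediates as well as the root for the presented chain to verify).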
