Re: TLS certificate alternate trust paths issue in libpq - certificate chain validation failing - Mailing list pgsql-hackers

From Jacob Champion
Subject Re: TLS certificate alternate trust paths issue in libpq - certificate chain validation failing
Date
Msg-id CAOYmi+nM5CDQPLJ7ktx_yukj71NG4tJg5HY_g_QJBAzWX5WUcQ@mail.gmail.com
In response to Re: TLS certificate alternate trust paths issue in libpq - certificate chain validation failing  (Thomas Spear <speeddymon@gmail.com>)
List pgsql-hackers
On Wed, May 1, 2024 at 11:57 AM Thomas Spear <speeddymon@gmail.com> wrote:
> It does fail to validate for case 4 after all. I must have had a copy/paste error during past tests.

Okay, good. Glad it's behaving as expected!

> So then it sounds like putting the MS root in root.crt (as we have done to fix this) is the correct thing to do, and
> there's no issue. It doesn't seem libpq will use the trusted roots that are typically located in either /etc/ssl or
> /etc/pki so we have to provide the root in the path where libpq expects it to be to get verify-full to work properly.

Right. Versions 16 and later will let you use `sslrootcert=system` to
load those /etc locations more easily, but if the MS root isn't in the
system PKI stores and the server isn't sending the DigiCert chain then
that probably doesn't help you.

> Thanks for helping me to confirm this. I'll get a case open with MS regarding the wrong root download from the portal
> in GovCloud.

Happy to help!

Have a good one,
--Jacob
