Postgres Pro
Downloads
Home   >   mailing lists

Re: Re: could not accept ssl connection tlsv1 alert iso-8859-1 ca - Mailing list pgsql-general

From Zwettler Markus (OIZ)
Subject Re: Re: could not accept ssl connection tlsv1 alert iso-8859-1 ca
Date
Msg-id GV0P278MB00998D54B2F868061D05BC178BF52@GV0P278MB0099.CHEP278.PROD.OUTLOOK.COM
Whole thread Raw
In response to Re: could not accept ssl connection tlsv1 alert iso-8859-1 ca  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: Re: could not accept ssl connection tlsv1 alert iso-8859-1 ca
List pgsql-general
Tree view 
> -----Ursprüngliche Nachricht-----
> Von: Adrian Klaver <adrian.klaver@aklaver.com>
> Gesendet: Freitag, 31. Januar 2025 18:07
> An: Zwettler Markus (OIZ) <Markus.Zwettler@zuerich.ch>; Tom Lane
> <tgl@sss.pgh.pa.us>; pgsql-general@lists.postgresql.org
> Betreff: [Extern] Re: could not accept ssl connection tlsv1 alert unknown ca
> 
> On 1/31/25 08:57, Zwettler Markus (OIZ) wrote:
> 
> > bash-4.4$ cat pg_hba.conf
> > # Do not edit this file manually!
> > # It will be overwritten by Patroni!
> > local all "postgres" peer
> > hostssl replication "_crunchyrepl" all cert hostssl "postgres"
> > "_crunchyrepl" all cert host all "_crunchyrepl" all reject host all
> > "ccp_monitoring" "127.0.0.0/8" scram-sha-256 host all "ccp_monitoring"
> > "::1/128" scram-sha-256 host all "ccp_monitoring" all reject hostssl
> > all all all md5
> 
>  From here:
> 
> https://www.postgresql.org/docs/17/ssl-tcp.html#SSL-CLIENT-CERTIFICATES
> 
> "There are two approaches to enforce that users provide a certificate during login.
> 
> The first approach makes use of the cert authentication method for hostssl entries
> in pg_hba.conf, such that the certificate itself is used for authentication while also
> providing ssl connection security.
> 
> 
> [...]
> 
> The second approach combines any authentication method for hostssl entries with
> the verification of client certificates by setting the clientcert authentication option
> to verify-ca or verify-full.  ...
> "
> 
> Is the client having issues trying a connection that matches either of the lines
> below?:
> 
> replication "_crunchyrepl" all cert hostssl "postgres" "_crunchyrepl" all
> cert
> 
> >
> >
> >
> 
> --
> Adrian Klaver
> adrian.klaver@aklaver.com
> 



No, there are no errors with the lines mentioned. 

The error appears with a connection that matches the last line.



bash-4.4$ cat pg_hba.conf
# Do not edit this file manually!
# It will be overwritten by Patroni!
local all "postgres" peer
hostssl replication "_crunchyrepl" all cert 
hostssl "postgres" "_crunchyrepl" all cert 
host all "_crunchyrepl" all reject 
host all "ccp_monitoring" "127.0.0.0/8" scram-sha-256 
host all "ccp_monitoring" "::1/128" scram-sha-256 
host all "ccp_monitoring" all reject 
hostssl all all all md5                                     <<== user connection matching this line gives the error

pgsql-general by date:

Previous
From: Marcelo Fernandes
Date:
Subject: Re: What is the story behind _SPI_PLAN_MAGIC?
Next
From: "Zwettler Markus (OIZ)"
Date:
Subject: Re: Re: could not accept ssl connection tlsv1 alert iso-8859-1 ca