On Sat, Aug 28, 2021, at 10:04 PM, Yongqian Li wrote:
I encountered this problem while I was trying to enable SSL on my postgresql server. Since I was satisfied with the default values for the "ssl_key_file" and "ssl_cert_file" settings I chose to not configure them -- I simply turned on "ssl" and copied over the files to the default locations. However, I kept getting certificate errors on the client. Examining the certificate sent by the server using `openssl s_client -starttls postgres -connect "$HOSTNAME:5432"` revealed that the server was sending some auto-generated cert instead of the one in "server.crt". Setting the "ssl_key_file" and "ssl_cert_file" settings explicitly to their default value fixed the problem. From the documentation I would expect that missing values for config keys would fallback to their default value; instead it seems that postgresql has some undocumented fallback behavior in this case.
You didn't provide enough information about this issue. Start with the
following query:
SELECT name,
setting,
SOURCE,
bootval,
resetval,
sourcefile,
sourceline,
pending_restart
FROM pg_settings
WHERE name ~ '^ssl';
What's your Postgres version? What's your OS? Are you using a package? Which
one?
Do the server certificate and private key exist in the server's data directory?
ls -la $PGDATA/server.*