Thread: Re: could not accept ssl connection tlsv1 alert iso-8859-1 ca
"Zwettler Markus (OIZ)" <Markus.Zwettler@zuerich.ch> writes: > However, one client also configured some client certificates + "sslmode=prefer" which resulted in "could not accept sslconnection tlsv1 alert unknown ca". I'm no expert, but I think this typically means a missing or untrusted intermediate certificate, that is no chain of trust to one of the certs that your OpenSSL considers trusted. > I always thought that Postgres does only validate certificates with "sslmode=verify-ca" and "sslmode=verify-full" => https://www.postgresql.org/docs/current/libpq-ssl.html Those cause some additional checks to be made, but it's not like you can expect a completely broken certificate to work without them. regards, tom lane
Re: Re: could not accept ssl connection tlsv1 alert iso-8859-1 ca
From
"Zwettler Markus (OIZ)"
Date:
> Von: Tom Lane <tgl@sss.pgh.pa.us> > Gesendet: Donnerstag, 30. Januar 2025 18:51 > An: Zwettler Markus (OIZ) <Markus.Zwettler@zuerich.ch> > Cc: pgsql-general@lists.postgresql.org > Betreff: [Extern] Re: could not accept ssl connection tlsv1 alert unknown ca > > "Zwettler Markus (OIZ)" <Markus.Zwettler@zuerich.ch> writes: > > However, one client also configured some client certificates + "sslmode=prefer" > which resulted in "could not accept ssl connection tlsv1 alert unknown ca". > > I'm no expert, but I think this typically means a missing or untrusted intermediate > certificate, that is no chain of trust to one of the certs that your OpenSSL > considers trusted. > > > I always thought that Postgres does only validate certificates with > > "sslmode=verify-ca" and "sslmode=verify-full" => > > https://www.postgresql.org/docs/current/libpq-ssl.html > > Those cause some additional checks to be made, but it's not like you can expect a > completely broken certificate to work without them. > > regards, tom lane I don't understand why Postgres does a certificate validation with “sslmode=prefer”. Postgres should simply ignore everypresented client certificate here. Regardless of whether it is trusted or not. A certificate validation should only take place in the modes “sslmode=verify-ca” and “ssmode=verify-full”. Only here shouldPostgres refuse a connection with non-trusted certificates. At least that's what I read in the documentation. No? Regards, Markus
Re: Re: could not accept ssl connection tlsv1 alert iso-8859-1 ca
From
"Zwettler Markus (OIZ)"
Date:
> -----Ursprüngliche Nachricht----- > Von: Adrian Klaver <adrian.klaver@aklaver.com> > Gesendet: Freitag, 31. Januar 2025 17:37 > An: Zwettler Markus (OIZ) <Markus.Zwettler@zuerich.ch>; Tom Lane > <tgl@sss.pgh.pa.us>; pgsql-general@lists.postgresql.org > Betreff: [Extern] Re: could not accept ssl connection tlsv1 alert unknown ca > > On 1/31/25 00:57, Zwettler Markus (OIZ) wrote: > >> Von: Tom Lane <tgl@sss.pgh.pa.us> > > >> Those cause some additional checks to be made, but it's not like you > >> can expect a completely broken certificate to work without them. > >> > >> regards, tom lane > > > > > > > > I don't understand why Postgres does a certificate validation with > “sslmode=prefer”. Postgres should simply ignore every presented client certificate > here. Regardless of whether it is trusted or not. > > What are the relevant lines in pg_hba.conf? > > > > > A certificate validation should only take place in the modes “sslmode=verify-ca” > and “ssmode=verify-full”. Only here should Postgres refuse a connection with non- > trusted certificates. > > > > At least that's what I read in the documentation. No? > > > > Regards, Markus > > > > -- > Adrian Klaver > adrian.klaver@aklaver.com > bash-4.4$ cat pg_hba.conf # Do not edit this file manually! # It will be overwritten by Patroni! local all "postgres" peer hostssl replication "_crunchyrepl" all cert hostssl "postgres" "_crunchyrepl" all cert host all "_crunchyrepl" all reject host all "ccp_monitoring" "127.0.0.0/8" scram-sha-256 host all "ccp_monitoring" "::1/128" scram-sha-256 host all "ccp_monitoring" all reject hostssl all all all md5
Re: Re: could not accept ssl connection tlsv1 alert iso-8859-1 ca
From
"Zwettler Markus (OIZ)"
Date:
> -----Ursprüngliche Nachricht----- > Von: Adrian Klaver <adrian.klaver@aklaver.com> > Gesendet: Freitag, 31. Januar 2025 18:07 > An: Zwettler Markus (OIZ) <Markus.Zwettler@zuerich.ch>; Tom Lane > <tgl@sss.pgh.pa.us>; pgsql-general@lists.postgresql.org > Betreff: [Extern] Re: could not accept ssl connection tlsv1 alert unknown ca > > On 1/31/25 08:57, Zwettler Markus (OIZ) wrote: > > > bash-4.4$ cat pg_hba.conf > > # Do not edit this file manually! > > # It will be overwritten by Patroni! > > local all "postgres" peer > > hostssl replication "_crunchyrepl" all cert hostssl "postgres" > > "_crunchyrepl" all cert host all "_crunchyrepl" all reject host all > > "ccp_monitoring" "127.0.0.0/8" scram-sha-256 host all "ccp_monitoring" > > "::1/128" scram-sha-256 host all "ccp_monitoring" all reject hostssl > > all all all md5 > > From here: > > https://www.postgresql.org/docs/17/ssl-tcp.html#SSL-CLIENT-CERTIFICATES > > "There are two approaches to enforce that users provide a certificate during login. > > The first approach makes use of the cert authentication method for hostssl entries > in pg_hba.conf, such that the certificate itself is used for authentication while also > providing ssl connection security. > > > [...] > > The second approach combines any authentication method for hostssl entries with > the verification of client certificates by setting the clientcert authentication option > to verify-ca or verify-full. ... > " > > Is the client having issues trying a connection that matches either of the lines > below?: > > replication "_crunchyrepl" all cert hostssl "postgres" "_crunchyrepl" all > cert > > > > > > > > > -- > Adrian Klaver > adrian.klaver@aklaver.com > No, there are no errors with the lines mentioned. The error appears with a connection that matches the last line. bash-4.4$ cat pg_hba.conf # Do not edit this file manually! # It will be overwritten by Patroni! local all "postgres" peer hostssl replication "_crunchyrepl" all cert hostssl "postgres" "_crunchyrepl" all cert host all "_crunchyrepl" all reject host all "ccp_monitoring" "127.0.0.0/8" scram-sha-256 host all "ccp_monitoring" "::1/128" scram-sha-256 host all "ccp_monitoring" all reject hostssl all all all md5 <<== user connection matching this line gives the error
Re: Re: could not accept ssl connection tlsv1 alert iso-8859-1 ca
From
"Zwettler Markus (OIZ)"
Date:
> -----Ursprüngliche Nachricht----- > Von: Zwettler Markus (OIZ) <Markus.Zwettler@zuerich.ch> > Gesendet: Montag, 3. Februar 2025 09:37 > An: Adrian Klaver <adrian.klaver@aklaver.com>; Tom Lane > <tgl@sss.pgh.pa.us>; pgsql-general@lists.postgresql.org > Betreff: Re: Re: could not accept ssl connection tlsv1 alert unknown ca > > > -----Ursprüngliche Nachricht----- > > Von: Adrian Klaver <adrian.klaver@aklaver.com> > > Gesendet: Freitag, 31. Januar 2025 18:07 > > An: Zwettler Markus (OIZ) <Markus.Zwettler@zuerich.ch>; Tom Lane > > <tgl@sss.pgh.pa.us>; pgsql-general@lists.postgresql.org > > Betreff: [Extern] Re: could not accept ssl connection tlsv1 alert > > unknown ca > > > > On 1/31/25 08:57, Zwettler Markus (OIZ) wrote: > > > > > bash-4.4$ cat pg_hba.conf > > > # Do not edit this file manually! > > > # It will be overwritten by Patroni! > > > local all "postgres" peer > > > hostssl replication "_crunchyrepl" all cert hostssl "postgres" > > > "_crunchyrepl" all cert host all "_crunchyrepl" all reject host all > > > "ccp_monitoring" "127.0.0.0/8" scram-sha-256 host all "ccp_monitoring" > > > "::1/128" scram-sha-256 host all "ccp_monitoring" all reject hostssl > > > all all all md5 > > > > From here: > > > > https://www.postgresql.org/docs/17/ssl-tcp.html#SSL-CLIENT-CERTIFICATE > > S > > > > "There are two approaches to enforce that users provide a certificate during > login. > > > > The first approach makes use of the cert authentication method for > > hostssl entries in pg_hba.conf, such that the certificate itself is > > used for authentication while also providing ssl connection security. > > > > > > [...] > > > > The second approach combines any authentication method for hostssl > > entries with the verification of client certificates by setting the > > clientcert authentication option to verify-ca or verify-full. ... > > " > > > > Is the client having issues trying a connection that matches either of > > the lines > > below?: > > > > replication "_crunchyrepl" all cert hostssl "postgres" "_crunchyrepl" > > all cert > > > > > > > > > > > > > > > -- > > Adrian Klaver > > adrian.klaver@aklaver.com > > > > > > No, there are no errors with the lines mentioned. > > The error appears with a connection that matches the last line. > > > > bash-4.4$ cat pg_hba.conf > # Do not edit this file manually! > # It will be overwritten by Patroni! > local all "postgres" peer > hostssl replication "_crunchyrepl" all cert hostssl "postgres" "_crunchyrepl" all > cert host all "_crunchyrepl" all reject host all "ccp_monitoring" "127.0.0.0/8" > scram-sha-256 host all "ccp_monitoring" "::1/128" scram-sha-256 host all > "ccp_monitoring" all reject > hostssl all all all md5 <<== user connection matching this > line gives the error > > Seems that I found the root cause in the docs: "When clientcert is not specified, the server verifies the client certificate against its CA file only if a client certificateis presented and the CA is configured." https://www.postgresql.org/docs/17/ssl-tcp.html#SSL-CLIENT-CERTIFICATES a CA is configured on the server and the client presents a client certificate. Is it possible to configure "clientcert=disable" in pg_hba.conf or disable the client verification otherwise? The docs only mention "verify-ca" and "verify-full". "In addition to the method-specific options listed below, there is a method-independent authentication option clientcert,which can be specified in any hostssl record. This option can be set to verify-ca or verify-full." https://www.postgresql.org/docs/current/auth-pg-hba-conf.html
On 2/3/25 02:14, Zwettler Markus (OIZ) wrote: >> bash-4.4$ cat pg_hba.conf >> # Do not edit this file manually! >> # It will be overwritten by Patroni! >> local all "postgres" peer >> hostssl replication "_crunchyrepl" all cert hostssl "postgres" "_crunchyrepl" all >> cert host all "_crunchyrepl" all reject host all "ccp_monitoring" "127.0.0.0/8" >> scram-sha-256 host all "ccp_monitoring" "::1/128" scram-sha-256 host all >> "ccp_monitoring" all reject >> hostssl all all all md5 <<== user connection matching this >> line gives the error >> >> > > > Seems that I found the root cause in the docs: > "When clientcert is not specified, the server verifies the client certificate against its CA file only if a client certificateis presented and the CA is configured." > https://www.postgresql.org/docs/17/ssl-tcp.html#SSL-CLIENT-CERTIFICATES > a CA is configured on the server and the client presents a client certificate. > > > Is it possible to configure "clientcert=disable" in pg_hba.conf or disable the client verification otherwise? > The docs only mention "verify-ca" and "verify-full". > "In addition to the method-specific options listed below, there is a method-independent authentication option clientcert,which can be specified in any hostssl record. This option can be set to verify-ca or verify-full." > https://www.postgresql.org/docs/current/auth-pg-hba-conf.html > From what I understand your client has to either not have the client certificates or create them correctly. -- Adrian Klaver adrian.klaver@aklaver.com