Craig Ringer <craig(at)postnewspapers(dot)com(dot)au> writes:
> I do *not* have the CA cert concatenated onto server.crt. I'll have to
> see if that works, because that's how it's usually done with OpenSSL.
Hmm. That case doesn't work for me; what does work is including the
intermediate cert in the server's root.crt.
regards, tom lane