Re: Connection fails on one system in a address range allowed to connect

Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at> writes:
> On Tue, 2023-11-21 at 23:27 +0000, Johnson, Bruce E - (bjohnson) wrote:
>> DBI connect('dbname=webdata;host=dhbpostgres.pharmacy.arizona.edu;port=5432','trav',...) failed: FATAL: password authentication failed for user "trav"
>> FATAL: no pg_hba.conf entry for host "150.135.124.50", user "trav", database "webdata", no encryption at ./pg_test.pl line 8.
>>
>> The pg_hba.conf on the server includes this which should encompass all systems in this VLAN
>> # external 'OldMTM' site range
>> hostssl all all 150.135.124.0/25 password

> "no encryption" does not match a "hostssl" entry.

Yeah. What is probably happening here is that (with the default sslmode)
libpq is trying an SSL connection, that's failing for some reason, and
then it tries a non-SSL connection which definitely fails for lack of
a matching pg_hba.conf entry; and then for some other reason you are
only shown the message concerning the last attempt.

Theory B is that your libpq wasn't compiled with SSL support so it
skips right to the non-SSL attempt.

Laurenz's suggestion of adding sslmode=require is a good debugging
step either way, since it will either tell you for sure that you
are missing SSL support or show you the failure from the single
SSL-enabled attempt. Alternatively, turn on log_connections and
see what the server log captures. (You might need to do that
anyway if the client-side message isn't sufficiently informative.)

regards, tom lane