Re: Replication using mTLS issue

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Drew Zoellner <drewtzoellner(at)gmail(dot)com>
Cc: pgsql-general(at)postgresql(dot)org, postgres(at)thewickedtribe(dot)net
Subject: Re: Replication using mTLS issue
Date: 2024-06-21 16:46:22
Message-ID: 603291.1718988382@sss.pgh.pa.us
Lists: pgsql-general

Drew Zoellner <drewtzoellner(at)gmail(dot)com> writes:
> Hi Postgres team, I’m receiving an issue matching pg_hba rules that I can’t
> seem to sort out. I am trying to use mTLS certificate authentication for
> physical replication connections but keep receiving the following error…

> pg_receivewal: error: FATAL: no pg_hba.conf entry for replication
> connection from host "100.84.12.223", user "pgrepmgr_nonprod", SSL on

> My pg_hba.conf file contains
> hostssl replication pgrepmgr_nonprod 100.0.0.0/8 cert map=pgrepmgr_nonprod_map

Hm, the match failure must be on user name. What certificate are you
using on the client side, and what user name does pgrepmgr_nonprod_map
map it to? Does it succeed if you weaken the hba entry to

hostssl replication all 100.0.0.0/8 cert map=pgrepmgr_nonprod_map

> Is cert authentication supported for replication connections?

Should be. But you might find it easier to debug the auth failure
in a non-replication context, i.e. add

hostssl all pgrepmgr_nonprod 100.0.0.0/8 cert map=pgrepmgr_nonprod_map

and then see if you can connect with the same credentials from psql
or your favorite other client.

BTW, don't forget you have to signal the postmaster to reload
configuration after any change in these files.

regards, tom lane
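The reasoning in the reply above (a "no pg_hba.conf entry" error means none of the TYPE/DATABASE/USER/ADDRESS columns of any line matched, so weakening USER to `all` isolates that column; a failed `cert` + `map` check produces a different message; and a `hostssl all ...` line for psql testing cannot serve replication connections because `all` excludes them) can be worked through with a small first-match evaluator. The code below is an added example and is not from this thread or from PostgreSQL; it models only a subset of the pg_hba.conf / pg_ident.conf syntax. The certificate CN `repl-client.example`, the ident map contents, the database name `postgres` and the misspelled role `pgrepmgr_nonprd` are assumptions constructed for the demonstration, not details from the thread.

```python
"""Added example, not code from this thread or from PostgreSQL: first-match
evaluation of a pg_hba.conf / pg_ident.conf subset, showing when a connection
gets "no pg_hba.conf entry" versus a certificate authentication failure.
Not modelled: local lines, +group, @file, hostnames, samehost/samenet, regex ident lines."""
import ipaddress
from dataclasses import dataclass

REPLICATION = "replication"  # marker for a physical replication connection


@dataclass
class Conn:
    ssl: bool
    database: str            # REPLICATION for walreceiver / pg_receivewal
    user: str
    address: str
    cert_cn: "str | None"    # CN of the client certificate, if one was presented


def _fields(text):
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_hba(text):
    """Rules as (type, db, user, network, method, {opt: val}) in file order; local lines skipped."""
    rules = []
    for p in _fields(text):
        if p[0] != "local":
            net = None if p[3] == "all" else ipaddress.ip_network(p[3], strict=False)
            rules.append((p[0], p[1], p[2], net, p[4], dict(o.split("=", 1) for o in p[5:])))
    return rules


def _db_matches(field, conn):
    is_repl = conn.database == REPLICATION
    for item in field.split(","):
        if item == REPLICATION and is_repl:            # keyword: replication connections only
            return True
        if item == "all" and not is_repl:              # `all` never covers replication
            return True
        if item not in ("all", REPLICATION) and item == conn.database:
            return True
    return False


def match_hba(rules, conn):
    """First rule whose TYPE, DATABASE, USER and ADDRESS all match, else None (METHOD is not consulted)."""
    for rule in rules:
        typ, db, user, net, _method, _opts = rule
        if typ not in ("host", "hostssl") or (typ == "hostssl" and not conn.ssl):
            continue
        if not _db_matches(db, conn):
            continue
        if not any(u in ("all", conn.user) for u in user.split(",")):
            continue
        if net is not None and ipaddress.ip_address(conn.address) not in net:
            continue
        return rule
    return None


def authenticate(hba_text, ident_text, conn):
    """Mimic the server's decision and return the kind of message it would report."""
    rule = match_hba(parse_hba(hba_text), conn)
    if rule is None:
        return "no pg_hba.conf entry"
    method, mapname = rule[4], rule[5].get("map")
    if method != "cert":
        return f"matched rule using {method}"  # other methods are not modelled here
    if mapname is None:                         # no map: the CN must equal the role name
        ok = conn.cert_cn == conn.user
    else:                                       # pg_ident line: MAPNAME SYSTEM-USERNAME(=CN) PG-USERNAME
        ok = [mapname, conn.cert_cn, conn.user] in list(_fields(ident_text))
    return "authenticated" if ok else "certificate authentication failed"


# Constructed sample files: the thread's rule plus the two lines Tom suggests.
HBA_STRICT = "hostssl replication pgrepmgr_nonprod 100.0.0.0/8 cert map=pgrepmgr_nonprod_map"
HBA_WEAK = "hostssl replication all 100.0.0.0/8 cert map=pgrepmgr_nonprod_map"
HBA_DEBUG = "hostssl all pgrepmgr_nonprod 100.0.0.0/8 cert map=pgrepmgr_nonprod_map"
IDENT = "pgrepmgr_nonprod_map repl-client.example pgrepmgr_nonprod"  # the CN is an assumption


def conn(user="pgrepmgr_nonprod", database=REPLICATION, cn="repl-client.example"):
    # the connection from the error message, with a made-up certificate CN
    return Conn(ssl=True, database=database, user=user, address="100.84.12.223", cert_cn=cn)


def demo():
    return {
        # all four columns match, so cert + map decide the outcome, not pg_hba matching
        "strict": authenticate(HBA_STRICT, IDENT, conn()),
        # a role name differing from the USER column (constructed typo) gives the thread's
        # exact error: matching fails before the certificate is even looked at
        "strict_other_user": authenticate(HBA_STRICT, IDENT, conn(user="pgrepmgr_nonprd")),
        # Tom's weakened rule matches any role; the map still pins the CN to one role
        "weak_other_user": authenticate(HBA_WEAK, IDENT, conn(user="pgrepmgr_nonprd")),
        # a CN missing from the map is an auth failure, a different message from "no entry"
        "strict_unmapped_cn": authenticate(HBA_STRICT, IDENT, conn(cn="someone-else")),
        # DATABASE=all never matches a replication connection, which is why the psql
        # debugging line has to be a separate entry from the replication one
        "debug_vs_replication": authenticate(HBA_DEBUG, IDENT, conn()),
        "debug_vs_psql": authenticate(HBA_DEBUG, IDENT, conn(database="postgres")),
    }
```

Calling demo() returns one result per scenario. The distinction to take from it: "no pg_hba.conf entry" is decided entirely by the first four columns, so the certificate and the ident map have not been looked at yet when that message appears; an unmapped CN or a CN mapped to a different role yields "certificate authentication failed" instead. Remember also that the real server only re-reads these files after a reload (SIGHUP or pg_reload_conf()), which this offline model has no equivalent of.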
