Re: Re: could not accept ssl connection tlsv1 alert unknown ca

> -----Ursprüngliche Nachricht-----
> Von: Zwettler Markus (OIZ) <Markus(dot)Zwettler(at)zuerich(dot)ch>
> Gesendet: Montag, 3. Februar 2025 09:37
> An: Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com>; Tom Lane
> <tgl(at)sss(dot)pgh(dot)pa(dot)us>; pgsql-general(at)lists(dot)postgresql(dot)org
> Betreff: Re: Re: could not accept ssl connection tlsv1 alert unknown ca
>
> > -----Ursprüngliche Nachricht-----
> > Von: Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com>
> > Gesendet: Freitag, 31. Januar 2025 18:07
> > An: Zwettler Markus (OIZ) <Markus(dot)Zwettler(at)zuerich(dot)ch>; Tom Lane
> > <tgl(at)sss(dot)pgh(dot)pa(dot)us>; pgsql-general(at)lists(dot)postgresql(dot)org
> > Betreff: [Extern] Re: could not accept ssl connection tlsv1 alert
> > unknown ca
> >
> > On 1/31/25 08:57, Zwettler Markus (OIZ) wrote:
> >
> > > bash-4.4$ cat pg_hba.conf
> > > # Do not edit this file manually!
> > > # It will be overwritten by Patroni!
> > > local all "postgres" peer
> > > hostssl replication "_crunchyrepl" all cert hostssl "postgres"
> > > "_crunchyrepl" all cert host all "_crunchyrepl" all reject host all
> > > "ccp_monitoring" "127.0.0.0/8" scram-sha-256 host all "ccp_monitoring"
> > > "::1/128" scram-sha-256 host all "ccp_monitoring" all reject hostssl
> > > all all all md5
> >
> > From here:
> >
> > https://www.postgresql.org/docs/17/ssl-tcp.html#SSL-CLIENT-CERTIFICATE
> > S
> >
> > "There are two approaches to enforce that users provide a certificate during
> login.
> >
> > The first approach makes use of the cert authentication method for
> > hostssl entries in pg_hba.conf, such that the certificate itself is
> > used for authentication while also providing ssl connection security.
> >
> >
> > [...]
> >
> > The second approach combines any authentication method for hostssl
> > entries with the verification of client certificates by setting the
> > clientcert authentication option to verify-ca or verify-full. ...
> > "
> >
> > Is the client having issues trying a connection that matches either of
> > the lines
> > below?:
> >
> > replication "_crunchyrepl" all cert hostssl "postgres" "_crunchyrepl"
> > all cert
> >
> > >
> > >
> > >
> >
> > --
> > Adrian Klaver
> > adrian(dot)klaver(at)aklaver(dot)com
> >
>
>
>
> No, there are no errors with the lines mentioned.
>
> The error appears with a connection that matches the last line.
>
>
>
> bash-4.4$ cat pg_hba.conf
> # Do not edit this file manually!
> # It will be overwritten by Patroni!
> local all "postgres" peer
> hostssl replication "_crunchyrepl" all cert hostssl "postgres" "_crunchyrepl" all
> cert host all "_crunchyrepl" all reject host all "ccp_monitoring" "127.0.0.0/8"
> scram-sha-256 host all "ccp_monitoring" "::1/128" scram-sha-256 host all
> "ccp_monitoring" all reject
> hostssl all all all md5 <<== user connection matching this
> line gives the error
>
>

Seems that I found the root cause in the docs:
"When clientcert is not specified, the server verifies the client certificate against its CA file only if a client certificate is presented and the CA is configured."
https://www.postgresql.org/docs/17/ssl-tcp.html#SSL-CLIENT-CERTIFICATES
a CA is configured on the server and the client presents a client certificate.

Is it possible to configure "clientcert=disable" in pg_hba.conf or disable the client verification otherwise?
The docs only mention "verify-ca" and "verify-full".
"In addition to the method-specific options listed below, there is a method-independent authentication option clientcert, which can be specified in any hostssl record. This option can be set to verify-ca or verify-full."
https://www.postgresql.org/docs/current/auth-pg-hba-conf.html