I decided to try to build a troubleshooting matrix for Postgres SSL client and server problems because the solutions to each problem were far from intuitive.

Server error | Client error | Solution |
---|---|---|
FATAL: no pg_hba.conf entry for host "x", user "x", database "x", SSL off | same as server | Set the PGSSLMODE on the client |
LOG: could not accept SSL connection: tlsv1 alert unknown ca | psql: SSL error: certificate verify failed | Ensure that the keys and certificates on the client and server are signed correctly and in the right places, with the correct root.crt available |
FATAL: certificate authentication failed for user "x" | psql: FATAL: certificate authentication failed for user "x" | Ensure that the CN on the client postgres.crt matches an entry in pg_ident.conf and that you are trying to connect using the matching user |
LOG: could not receive data from client: Connection reset by peer | psql: server common name "x" does not match host name "x" | Ensure the '-h [hostname]' on the psql command line matches the CN of the server.crt |
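
The check behind the "certificate authentication failed" row, as an added example (not code from the original post): it parses pg_ident.conf text and decides whether a client certificate CN may connect as the requested database user. The map name `sslmap`, the sample entries and the function names are assumptions, and Python's `re` stands in for PostgreSQL's own regex engine.

```python
import re

# Constructed sample pg_ident.conf (map name and users are hypothetical).
SAMPLE_PG_IDENT = r'''
# MAPNAME   SYSTEM-USERNAME        PG-USERNAME
sslmap      alice.example          alice
sslmap      "Reporting Service"    reports   # quoted CN containing a space
sslmap      /^(.*)\.ops\.example$  \1
'''

# One field: a double-quoted string, a trailing comment, or a bare word.
TOKEN = re.compile(r'"([^"]*)"|(#.*)|(\S+)')

def parse_pg_ident(text):
    """Return (map_name, system_user, pg_user) tuples; skip comments and blanks."""
    entries = []
    for line in text.splitlines():
        fields = []
        for m in TOKEN.finditer(line):
            if m.lastindex == 2:          # comment: ignore the rest of the line
                break
            fields.append(m.group(m.lastindex))
        if len(fields) == 3:
            entries.append(tuple(fields))
    return entries

def cert_user_allowed(cn, requested_user, ident_text="", map_name=None):
    """True if a certificate with this CN may log in as requested_user."""
    if map_name is None:
        # No map= option on the pg_hba.conf line: CN must equal the user name.
        return cn == requested_user
    for name, system_user, pg_user in parse_pg_ident(ident_text):
        if name != map_name:
            continue
        if system_user.startswith("/"):   # leading slash marks a regex entry
            m = re.search(system_user[1:], cn)
            if not m:
                continue
            if r"\1" in pg_user:          # \1 expands to the first capture group
                if not m.groups():
                    continue
                pg_user = pg_user.replace(r"\1", m.group(1) or "")
        elif system_user != cn:
            continue
        if pg_user == requested_user:
            return True
    return False
```

A `False` result for the CN and user you are testing corresponds to the server refusing the connection with the error in that row.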