I decided to try to build a troubleshooting matrix for Postgres SSL client and server problems because the solutions to each problem were far from intuitive.
| Server error | Client error | Solution |
|---|---|---|
| FATAL: no pg_hba.conf entry for host "x", user "x", database "x", SSL off | Same as server | Set PGSSLMODE on the client. |
| LOG: could not accept SSL connection: tlsv alert unknown ca | psql: SSL error: certificate verify failed | Ensure that the keys and certificates on the client and server are signed correctly and in the right places, with the correct root.crt available. |
| FATAL: certificate authentication failed for user "x" | psql: FATAL: certificate authentication failed for user "x" | Ensure that the CN on the client postgres.crt matches an entry in pg_ident.conf and that you are connecting as the matching user. |
| LOG: could not receive data from client: Connection reset by peer | psql: server common name "x" does not match host name "x" | Ensure that the '-h [hostname]' on the psql command line matches the CN of the server.crt. |
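
For the "certificate authentication failed" row, the CN-to-user mapping can be checked offline before touching the server. The following is an added example, not code from the original post: the map name `certmap`, the sample entries and the function names are constructed, and it covers only unquoted fields, literal and `/regex` system-username entries, and `\1` substitution, with Python's `re` standing in for PostgreSQL's regex engine.

```python
import re

# Constructed sample pg_ident.conf; map name and entries are illustrative.
SAMPLE_PG_IDENT = r"""
# MAPNAME  SYSTEM-USERNAME              PG-USERNAME
certmap    app01.example.internal       appuser
certmap    /^(.*)@example\.internal$    \1
"""


def parse_pg_ident(text):
    """Return (map, system_user, pg_user) tuples; comments and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # unquoted fields only
        if len(fields) == 3:
            entries.append(tuple(fields))
    return entries


def cert_login_allowed(entries, map_name, cert_cn, db_user):
    """True if a client certificate with CN cert_cn may log in as db_user."""
    if map_name is None:
        # No map= option on the pg_hba.conf line: CN must equal the database user.
        return cert_cn == db_user
    for name, system_user, pg_user in entries:
        if name != map_name:
            continue
        if system_user.startswith("/"):
            # Regex entry; Python's re stands in for PostgreSQL's regex engine.
            match = re.search(system_user[1:], cert_cn)
            if match is None:
                continue
            if r"\1" in pg_user:
                if not match.groups() or match.group(1) is None:
                    continue
                pg_user = pg_user.replace(r"\1", match.group(1))
        elif system_user != cert_cn:
            continue
        if pg_user == db_user:
            return True
    return False


if __name__ == "__main__":
    entries = parse_pg_ident(SAMPLE_PG_IDENT)
    for cn, user in [("app01.example.internal", "appuser"),
                     ("alice@example.internal", "alice"),
                     ("alice@example.internal", "postgres")]:
        verdict = "ok" if cert_login_allowed(entries, "certmap", cn, user) else "would fail"
        print(f"CN={cn!r} user={user!r}: {verdict}")
```

The third case is the one that produces the error in the table: the certificate is valid, but its CN does not map to the requested database user.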