Re: Is Client connections via ca.crt only possible?
From | Thomas Guyot |
---|---|
Subject | Re: Is Client connections via ca.crt only possible? |
Date | |
Msg-id | d8b05b17-544e-13c5-a4df-d03d0a9e4761@gmail.com |
In reply to | Is Client connections via ca.crt only possible? (Rejo Oommen <rejo.oommen@gmail.com>) |
Responses | Re: Is Client connections via ca.crt only possible? |
List | pgsql-general |
On 2022-08-01 04:12, Rejo Oommen wrote:
> Requirement is to use only ca.crt and connect to postgres
>
> Server.crt, Server.key and ca.crt are configured at the postgres
> server for tls connection.
>
> Connection successful while using
> psql 'host=172.29.21.222 dbname=test user=postgres sslmode=verify-ca
> sslcert=/tmp/server.crt sslkey=/tmp/server.key sslrootcert=/tmp/ca.crt
> port=5432'
>
> For clients to connect, can they use only ca.crt and connect to the
> DB. Tried and got the below error
>
> psql 'host=172.29.21.222 dbname=test user=postgres sslmode=verify-ca
> sslrootcert=/tmp/ca.crt port=5432'
> psql: error: connection to server at "172.29.21.222", port 50001
> failed: FATAL: connection requires a valid client certificate

Hi Rejo,

I don't think you understand fully how mutual TLS auth works. For the client to authenticate using a certificate, it needs a valid certificate and key too, where the certificate is signed by a CA your server trusts (usually the same CA that signed your server cert) and with a proper subject (that bears the certificate owner's user name, the user you will use to grant privileges in the database). You shouldn't even need to pass a username, it will be in the certificate.

I'm talking purely from a generic view; I'm not familiar with any of the specifics of PostgreSQL configuration, but TLS authentication requires a secret and a CA certificate isn't secret. Your server certificate authenticates the server, but nothing authenticates the client.

Regards,

--
Thomas
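The two server-side checks Thomas describes (the client certificate must chain to a CA the server trusts, and its subject must name the database user), shown as an added example that is not part of this thread. It builds a throwaway PKI with the openssl CLI (assumed to be installed): a CA, a client certificate whose CN is the hypothetical database user `postgres`, and a self-signed "rogue" certificate with the same CN that the trusted CA never issued. The CN-to-user-name comparison is what PostgreSQL's `cert` authentication method (or `clientcert=verify-full` in pg_hba.conf) performs; that detail is PostgreSQL behaviour added here, not something the thread states. The CA name "Test CA" and the file names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a test PKI and runs the two
# checks a mutually-authenticating server makes on a client certificate.
# Assumed names: CA "Test CA", database user "postgres", files under a temp dir.

make_pki() {
    dir=$(mktemp -d)
    (
        cd "$dir"
        # The trusted CA: ca.crt is public and is what the server is configured
        # with; only ca.key (and later client.key) is secret.
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Test CA" -keyout ca.key -out ca.crt 2>/dev/null
        # Client certificate: CN carries the database user name, issued by the CA.
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=postgres" \
            -keyout client.key -out client.csr 2>/dev/null
        openssl x509 -req -days 1 -in client.csr -CA ca.crt -CAkey ca.key \
            -CAcreateserial -out client.crt 2>/dev/null
        # Rogue certificate: same CN, but self-signed, so it does not chain to the CA.
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=postgres" -keyout rogue.key -out rogue.crt 2>/dev/null
    )
    echo "$dir"
}

# Check 1: returns 0 when CERT ($1) chains to the CA in CAFILE ($2).
# This is the step that rejects a client holding only ca.crt and no issued cert.
cert_chains_to_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Check 2: prints the CN of CERT ($1); the server compares it to the user name.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's|^subject=.*CN *= *\([^,/]*\).*|\1|p'
}

# Demo: both checks against both certificates. Only client.crt passes check 1,
# even though both carry CN=postgres, which is why the CN alone proves nothing.
pki=$(make_pki)
for c in client rogue; do
    if cert_chains_to_ca "$pki/$c.crt" "$pki/ca.crt"; then chain=OK; else chain=FAIL; fi
    echo "$c.crt: chain=$chain cn=$(cert_cn "$pki/$c.crt")"
done
# With the issued pair, the client connection string from the thread becomes
# (illustrative, not executed here):
#   psql 'host=172.29.21.222 dbname=test sslmode=verify-ca sslrootcert=ca.crt \
#         sslcert=client.crt sslkey=client.key port=5432'
rm -rf "$pki"
```

The point of the rogue certificate is the one Thomas makes: anyone can put `CN=postgres` in a certificate, so the server's trust rests on the chain to its configured CA plus the client proving possession of the matching private key during the handshake, not on the CA file, which is public. The client therefore presents client.crt and client.key, never the server's pair.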