The Postgres 17 server certificate is issued by RapidSSL for server.mydomain.com. This is validated by the DigiCert Global Root G2 certificate.
PostgreSQL 17 client certificate is created using this tutorial.
pg_hba.conf first lines contain:
hostssl all varukoopia ::/0 cert
hostssl all varukoopia 0.0.0.0/0 cert
Trying to use it on Windows Server:
set PGSSLCERT=client.crt
set PGSSLKEY=client.key
set PGSSLROOTCERT=system
"c:\Program Files\PostgreSQL\17\bin\pg_dump" --verbose -b -f "test.backup" -F c -h server.mydomain.com -p 5432 -U varukoopia mydatabase
Throws this error:
pg_dump: error: connection to server at "server.mydomain.com" (x.x.x.x), port 5432 failed: SSL error: unregistered scheme
The Postgres log file contains the message:
[unknown] [unknown]@[unknown] LOG: could not accept SSL connection: tlsv1 alert unknown ca
How to use the client certificate with pg_dump?
According to https://github.com/EnterpriseDB/edb-installers/issues/264, it looks like the Windows system certificate store is not supported.
Created a ca-bundle.crt file from https://curl.se/ca/cacert.pem, added server.crt and client.crt to the top of it. Tried settings:
ssl on
ssl_ca_file ca-bundle.crt
ssl_cert_file server.crt
ssl_ciphers HIGH:MEDIUM:+3DES:!aNULL
ssl_key_file server.key
ssl_min_protocol_version TLSv1.2
ssl_prefer_server_ciphers on
The error message remains the same.
How to specify root certificates or disable issuer certificate verification?
The client certificate is created using:
openssl req -new -nodes -out client.csr -keyout client.key -days 99999 -config postgresikliendisert.cnf
openssl x509 -req -in client.csr -CA server.crt -CAkey server.key -CAcreateserial -out client.crt -days 99999
A related question is in "Why postgres 17 cert authentication fails in windows".
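The signing commands in the question use server.crt as the issuer of client.crt. As an added example (not part of the original question), the script below rebuilds that layout with a constructed demo root CA and uses openssl verify to check whether a verifier trusting ca-bundle.crt accepts each client certificate. The demo CA, the subject names, the client-ca.crt variant and the assumption that server.crt is a leaf marked CA:FALSE are not from the question.

```shell
#!/bin/sh
# Added example: every key and certificate is constructed in a scratch directory.
# File names mirror the question; the demo root CA and client-ca.crt are assumptions.

# Succeeds only if certificate $2 chains to a trusted CA in bundle $1.
chain_verifies() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Succeeds only if certificate $1 is marked as a CA (basicConstraints CA:TRUE).
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Build a throwaway PKI in directory $1:
#   root.crt       self-signed demo CA;  server.crt  leaf (CA:FALSE) issued by it
#   client.crt     signed with server.crt/server.key, as in the question
#   client-ca.crt  the same CSR signed with root.crt/root.key instead
#   ca-bundle.crt  server.crt plus root.crt (what ssl_ca_file would point at)
make_demo_pki() (
    cd "$1" || exit 1
    printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' \
        '[ca]' 'basicConstraints=critical,CA:TRUE' \
        '[leaf]' 'basicConstraints=critical,CA:FALSE' > demo.cnf
    exec >/dev/null 2>&1
    openssl req -x509 -config demo.cnf -extensions ca -newkey rsa:2048 -nodes \
        -keyout root.key -out root.crt -subj '/CN=Demo Root CA' -days 2 &&
    openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
        -keyout server.key -out server.csr -subj '/CN=server.example.test' &&
    openssl x509 -req -in server.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -extfile demo.cnf -extensions leaf -out server.crt -days 2 &&
    openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
        -keyout client.key -out client.csr -subj '/CN=varukoopia' &&
    openssl x509 -req -in client.csr -CA server.crt -CAkey server.key \
        -CAcreateserial -out client.crt -days 2 &&
    openssl x509 -req -in client.csr -CA root.crt -CAkey root.key \
        -CAcreateserial -out client-ca.crt -days 2 &&
    cat server.crt root.crt > ca-bundle.crt
)

d=$(mktemp -d) && make_demo_pki "$d" || exit 1
is_ca_cert "$d/server.crt" || echo "server.crt is not a CA certificate"
for c in client.crt client-ca.crt; do
    if chain_verifies "$d/ca-bundle.crt" "$d/$c"; then echo "$c: accepted"
    else echo "$c: rejected"; fi
done
```

The same two checks can be run against real files: `openssl verify -CAfile ca-bundle.crt client.crt` and `openssl x509 -in server.crt -noout -text`, looking at the Basic Constraints line.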