{ "id": "database/postgresql-ssl-certificate-expired", "signature": "psycopg2.OperationalError: FATAL: connection requires a valid client certificate", "signature_zh": "psycopg2.OperationalError: 致命错误:连接需要有效的客户端证书", "regex": "connection requires a valid client certificate", "domain": "database", "category": "auth_error", "subcategory": null, "root_cause": "PostgreSQL's SSL configuration requires a client certificate, but the provided certificate is missing, expired, or not trusted by the server.", "root_cause_type": "generic", "root_cause_zh": "PostgreSQL 的 SSL 配置要求客户端证书,但提供的证书缺失、过期或不被服务器信任。", "versions": [ { "version": "PostgreSQL 15", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "PostgreSQL 16", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "PostgreSQL 17", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" } ], "os_specific": {}, "dead_ends": [ { "action": "Disable SSL entirely in the client connection string (sslmode=disable)", "why_fails": "The server enforces SSL with client certificate requirement; disabling SSL will be rejected by the server.", "fail_rate": 1.0, "condition": "", "sources": [] }, { "action": "Regenerate the client certificate without updating the server's root certificate trust store", "why_fails": "If the new certificate is not signed by a CA trusted by the server, or if the server's root.crt is outdated, the connection still fails.", "fail_rate": 0.7, "condition": "", "sources": [] } ], "workarounds": [ { "action": "Verify client certificate expiry: openssl x509 -in client.crt -noout -dates; if expired, regenerate with: openssl req -new -newkey rsa:2048 -days 365 -nodes -keyout client.key -out client.csr; then have the CA sign it and copy the new client.crt and client.key to the client machine.", "success_rate": 0.9, "how": "Verify client certificate expiry: openssl x509 -in client.crt -noout -dates; if expired, regenerate with: openssl req -new -newkey rsa:2048 -days 365 -nodes -keyout client.key -out client.csr; then have the CA sign it and copy the new client.crt and client.key to the client machine.", "condition": "", "sources": [] }, { "action": "Ensure the server's root.crt contains the CA certificate that signed the client certificate: cat ca.crt >> $(pg_config --sysconfdir)/root.crt; then reload pg_hba.conf with pg_ctl reload.", "success_rate": 0.85, "how": "Ensure the server's root.crt contains the CA certificate that signed the client certificate: cat ca.crt >> $(pg_config --sysconfdir)/root.crt; then reload pg_hba.conf with pg_ctl reload.", "condition": "", "sources": [] } ], "workarounds_zh": [ "Verify client certificate expiry: openssl x509 -in client.crt -noout -dates; if expired, regenerate with: openssl req -new -newkey rsa:2048 -days 365 -nodes -keyout client.key -out client.csr; then have the CA sign it and copy the new client.crt and client.key to the client machine.", "Ensure the server's root.crt contains the CA certificate that signed the client certificate: cat ca.crt >> $(pg_config --sysconfdir)/root.crt; then reload pg_hba.conf with pg_ctl reload." ], "transition_graph": { "leads_to": [], "preceded_by": [], "frequently_confused_with": [] }, "official_doc_url": "https://www.postgresql.org/docs/16/ssl-tcp.html", "official_doc_section": null, "error_code": null, "verification_tier": "ai_generated", "confidence": 0.88, "fix_success_rate": 0.82, "resolvable": "true", "first_seen": "2024-06-20", "last_confirmed": "2024-06-01", "last_updated": "2024-06-01", "evidence_count": 1, "tags": [], "locale": "en", "aliases": [] }