# psycopg2.OperationalError: FATAL: connection requires a valid client certificate

- **ID:** `database/postgresql-ssl-certificate-expired`
- **Domain:** database
- **Category:** auth_error
- **Verification:** ai_generated
- **Fix Rate:** 82%

## Root Cause

PostgreSQL's SSL configuration requires a client certificate, but the provided certificate is missing, expired, or not trusted by the server.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| PostgreSQL 15 | active | — | — |
| PostgreSQL 16 | active | — | — |
| PostgreSQL 17 | active | — | — |

## Workarounds

1. **Check whether the client certificate has expired. If it has, generate a new key and CSR, have the CA sign the CSR, and copy the new client.crt and client.key to the client machine.** (90% success)
   ```
   # Show the notBefore/notAfter dates of the current client certificate
   openssl x509 -in client.crt -noout -dates
   # If expired: create a new private key and certificate signing request.
   # -days has no effect on a CSR; the validity period is set when the CA signs it.
   openssl req -new -newkey rsa:2048 -days 365 -nodes -keyout client.key -out client.csr
   ```
2. **Ensure the server's root.crt contains the CA certificate that signed the client certificate, then reload the server configuration.** (85% success)
   ```
   # Append the signing CA to the server's trusted CA file. The target must be
   # the file named by ssl_ca_file in postgresql.conf.
   cat ca.crt >> "$(pg_config --sysconfdir)/root.crt"
   # Reload the server configuration (including pg_hba.conf)
   pg_ctl reload
   ```
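
A pre-flight check that maps a client certificate to the root causes above (missing, expired, or not signed by a CA in the server's root.crt), added here as an example and not part of the original entry. The function names, the extra `unreadable` and `expiring` statuses, and the generated test certificates are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: classify a client certificate against the failure causes above.
# Prints one of: missing | unreadable | expired | untrusted | expiring | ok

check_client_cert() {
    cert=$1          # client certificate (PEM)
    ca_file=$2       # CA bundle the server trusts (a copy of its root.crt)
    window=${3:-0}   # optional: flag certs that expire within this many seconds

    [ -s "$cert" ] || { echo missing; return 0; }
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || { echo unreadable; return 0; }

    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired; return 0
    fi
    # Chain check against the given CA file; -no-CApath keeps the system
    # trust directory out of the result.
    if ! openssl verify -no-CApath -CAfile "$ca_file" "$cert" >/dev/null 2>&1; then
        echo untrusted; return 0
    fi
    if ! openssl x509 -in "$cert" -noout -checkend "$window" >/dev/null 2>&1; then
        echo expiring; return 0
    fi
    echo ok
}

# Constructed throwaway PKI for the demo: two CAs and one client certificate
# (valid for 1 day) signed by the first CA. All names are made up.
make_fixtures() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=constructed-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=unrelated-ca" \
        -keyout "$dir/other.key" -out "$dir/other.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=appuser" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/client.crt" 2>/dev/null
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d) && make_fixtures "$tmp"
    check_client_cert "$tmp/client.crt" "$tmp/ca.crt"          # ok
    check_client_cert "$tmp/client.crt" "$tmp/other.crt"       # untrusted
    check_client_cert "$tmp/client.crt" "$tmp/ca.crt" 172800   # expiring
    check_client_cert "$tmp/missing.crt" "$tmp/ca.crt"         # missing
    rm -rf "$tmp"
fi
```

An `untrusted` result for a freshly issued certificate corresponds to the second dead end below: the certificate is new, but its issuer is not in the CA file the server checks against.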

## Dead Ends

- **Disable SSL entirely in the client connection string (sslmode=disable)** — The server enforces SSL with a client certificate requirement, so a connection with SSL disabled is rejected by the server. (100% fail)
- **Regenerate the client certificate without updating the server's root certificate trust store** — If the new certificate is not signed by a CA trusted by the server, or if the server's root.crt is outdated, the connection still fails. (70% fail)
