database
auth_error
ai_generated
true
psycopg2.OperationalError: FATAL: connection requires a valid client certificate
ID: database/postgresql-ssl-certificate-expired
Fix rate: 82%
Confidence: 88%
Evidence count: 1
First seen: 2024-06-20
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| PostgreSQL 15 | active | — | — | — |
| PostgreSQL 16 | active | — | — | — |
| PostgreSQL 17 | active | — | — | — |
Root cause analysis
PostgreSQL's SSL configuration requires a client certificate, but the provided certificate is missing, expired, or not trusted by the server.
Official documentation
https://www.postgresql.org/docs/16/ssl-tcp.html
Solutions
- Verify client certificate expiry: `openssl x509 -in client.crt -noout -dates`. If it has expired, regenerate with `openssl req -new -newkey rsa:2048 -days 365 -nodes -keyout client.key -out client.csr`, then have the CA sign it and copy the new client.crt and client.key to the client machine.
- Ensure the server's root.crt (the file that `ssl_ca_file` points to) contains the CA certificate that signed the client certificate: `cat ca.crt >> $(pg_config --sysconfdir)/root.crt`, then reload pg_hba.conf with `pg_ctl reload`.
Ineffective attempts
Common but ineffective approaches:
- Disable SSL entirely in the client connection string (`sslmode=disable`)
  100% failure
  The server enforces SSL with a client certificate requirement, so it rejects a connection that disables SSL.
- Regenerate the client certificate without updating the server's root certificate trust store
  70% failure
  If the new certificate is not signed by a CA trusted by the server, or if the server's root.crt is outdated, the connection still fails.
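
The two fixes and the second ineffective attempt above can be checked before connecting. The script below is an added example, not part of the original entry: the function names, file names and the throwaway CAs it generates are constructed for illustration, and it assumes `openssl` is installed.

```shell
#!/bin/sh
# Added example: pre-flight check of a PostgreSQL client certificate.

# client_cert_status CERT CA_BUNDLE [WINDOW_SECONDS]
# Prints one of: unreadable | expiring | untrusted | ok
client_cert_status() {
  ccs_window=${3:-0}
  openssl x509 -in "$1" -noout >/dev/null 2>&1 || { echo unreadable; return 0; }
  # -checkend N exits non-zero if the cert expires within N seconds
  # (N=0 means it has already expired).
  openssl x509 -in "$1" -noout -checkend "$ccs_window" >/dev/null 2>&1 ||
    { echo expiring; return 0; }
  # The server accepts the cert only if it chains to a CA in its root.crt.
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || { echo untrusted; return 0; }
  echo ok
}

# Constructed test material: a throwaway self-signed CA ($1 = basename).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# Constructed client cert: $1 = CA basename, $2 = client basename, $3 = days.
issue_client() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=appuser" \
    -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1 &&
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
    -CAcreateserial -days "$3" -out "$2.crt" >/dev/null 2>&1
}

demo() {
  demo_dir=$(mktemp -d) || return 1
  (
    cd "$demo_dir" || exit 1
    make_ca trusted_ca && make_ca other_ca || exit 1
    issue_client trusted_ca client 1 || exit 1        # valid for one day
    issue_client other_ca regenerated 365 || exit 1   # fresh, but wrong CA
    client_cert_status client.crt trusted_ca.crt          # ok
    client_cert_status client.crt trusted_ca.crt 172800   # expiring (2-day window)
    client_cert_status regenerated.crt trusted_ca.crt     # untrusted
    client_cert_status missing.crt trusted_ca.crt         # unreadable
  )
  demo_status=$?
  rm -rf "$demo_dir"
  return "$demo_status"
}
demo
```

Against a real deployment, pass the client's client.crt and a copy of the CA bundle the server trusts; an `untrusted` result for a freshly issued certificate is the case described in the second ineffective attempt.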