# psycopg2.OperationalError: FATAL: connection requires a valid client certificate

- **ID:** `database/postgresql-ssl-certificate-expired`
- **Domain:** database
- **Category:** auth_error
- **Verification level:** ai_generated
- **Fix rate:** 82%

## Root cause

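PostgreSQL's SSL configuration requires a client certificate, but the certificate the client presented is missing, expired, or not trusted by the server.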

## Version compatibility

| Version | Status | Introduced | Deprecated |
|------|------|------|------|
| PostgreSQL 15 | active | — | — |
| PostgreSQL 16 | active | — | — |
| PostgreSQL 17 | active | — | — |

## Solutions

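1. Verify the client certificate's expiry:

   ```
   openssl x509 -in client.crt -noout -dates
   ```

   If it has expired, generate a new key and certificate signing request:

   ```
   # -days has no effect on a CSR; the validity period is set when the CA signs it
   openssl req -new -newkey rsa:2048 -days 365 -nodes -keyout client.key -out client.csr
   ```

   Then have the CA sign it and copy the new `client.crt` and `client.key` to the client machine.

2. Ensure the server's `root.crt` contains the CA certificate that signed the client certificate, then reload the server configuration (including `pg_hba.conf`):

   ```
   cat ca.crt >> $(pg_config --sysconfdir)/root.crt
   pg_ctl reload
   ```

   The server reads the file named by `ssl_ca_file` in `postgresql.conf`; if that setting points somewhere else, append the CA certificate to that file instead.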
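The checks from both steps combined into one script, as an added example that is not part of the original entry. The function name `check_client_cert` and its exit codes are assumptions of this example; it expects the path of the client certificate and of the CA file the server trusts.

```shell
#!/bin/sh
# Added example: diagnose why a PostgreSQL client certificate is rejected.
# usage: check_client_cert CLIENT_CRT CA_CRT [WINDOW_SECONDS]
# Exit codes (this script's own convention, not PostgreSQL's):
#   0 = valid and issued by the CA, 1 = expired or expiring inside the window,
#   2 = not issued by the given CA, 3 = a file is missing or unreadable
check_client_cert() {
    crt=$1 ca=$2 window=${3:-0}

    if [ ! -r "$crt" ] || [ ! -r "$ca" ]; then
        echo "cannot read $crt or $ca" >&2
        return 3
    fi

    # Show who the certificate is for and its notBefore/notAfter dates.
    openssl x509 -in "$crt" -noout -subject -dates

    # -checkend N fails if the certificate expires within N seconds;
    # N=0 means "already expired right now".
    if ! openssl x509 -in "$crt" -noout -checkend "$window" >/dev/null; then
        echo "certificate is expired or expires within ${window}s: renew it" >&2
        return 1
    fi

    # The server only accepts certificates that chain to its CA file, so a
    # fresh certificate from a different CA fails here.
    if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "certificate does not chain to $ca: update the server trust store" >&2
        return 2
    fi

    echo "certificate is valid and issued by the CA in $ca"
    return 0
}

# Run directly: ./check_client_cert.sh client.crt root.crt 2592000
if [ "$#" -ge 2 ]; then
    check_client_cert "$@"
fi
```

Passing a window such as 2592000 (30 days) lets the same check run from a scheduled job to flag certificates before they expire.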

## Attempts that do not work

- **Disable SSL entirely in the client connection string (`sslmode=disable`)**: The server enforces SSL with a client certificate requirement, so a connection with SSL disabled will be rejected by the server. (100% failure rate)
- **Regenerate the client certificate without updating the server's root certificate trust store**: If the new certificate is not signed by a CA trusted by the server, or if the server's `root.crt` is outdated, the connection still fails. (70% failure rate)
