{
  "id": "database/ssl-certificate-verify-failed",
  "signature": "psycopg2.OperationalError: could not connect to server: SSL error: certificate verify failed",
  "signature_zh": "psycopg2.OperationalError: 无法连接到服务器：SSL错误：证书验证失败",
  "regex": "SSL error: certificate verify failed",
  "domain": "database",
  "category": "auth_error",
  "subcategory": null,
  "root_cause": "PostgreSQL client cannot verify the server's SSL certificate because the CA certificate is missing, expired, or the server hostname does not match the certificate's CN/SAN.",
  "root_cause_type": "generic",
  "root_cause_zh": "PostgreSQL客户端无法验证服务器的SSL证书，因为CA证书缺失、过期或服务器主机名与证书的CN/SAN不匹配。",
  "versions": [
    {
      "version": "PostgreSQL 14",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "PostgreSQL 15",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "PostgreSQL 16",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "psycopg2 2.9.9",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "libpq 15.4",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "Disable SSL verification by setting sslmode=disable in the connection string.",
      "why_fails": "This bypasses security entirely and may violate compliance requirements (e.g., PCI-DSS). It also fails if the server requires SSL.",
      "fail_rate": 0.9,
      "condition": "",
      "sources": []
    },
    {
      "action": "Reinstall PostgreSQL server without changing certificate configuration.",
      "why_fails": "Reinstalling the server does not fix the certificate trust chain; the root cause is the client's CA store or certificate mismatch.",
      "fail_rate": 0.95,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Set the sslrootcert parameter to the correct CA certificate file. Example: sslrootcert=/etc/ssl/certs/ca-certificates.crt in the connection string or ~/.pgpass.",
      "success_rate": 0.8,
      "how": "Set the sslrootcert parameter to the correct CA certificate file. Example: sslrootcert=/etc/ssl/certs/ca-certificates.crt in the connection string or ~/.pgpass.",
      "condition": "",
      "sources": []
    },
    {
      "action": "If the server uses a self-signed certificate, add the server's certificate to the client's trust store. Command: echo 'my_server_cert_pem' >> ~/.postgresql/root.crt && chmod 600 ~/.postgresql/root.crt",
      "success_rate": 0.85,
      "how": "If the server uses a self-signed certificate, add the server's certificate to the client's trust store. Command: echo 'my_server_cert_pem' >> ~/.postgresql/root.crt && chmod 600 ~/.postgresql/root.crt",
      "condition": "",
      "sources": []
    },
    {
      "action": "Verify the server hostname matches the certificate's Common Name (CN) or Subject Alternative Name (SAN). Use openssl s_client -connect host:5432 to check the certificate.",
      "success_rate": 0.9,
      "how": "Verify the server hostname matches the certificate's Common Name (CN) or Subject Alternative Name (SAN). Use openssl s_client -connect host:5432 to check the certificate.",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "Set the sslrootcert parameter to the correct CA certificate file. Example: sslrootcert=/etc/ssl/certs/ca-certificates.crt in the connection string or ~/.pgpass.",
    "If the server uses a self-signed certificate, add the server's certificate to the client's trust store. Command: echo 'my_server_cert_pem' >> ~/.postgresql/root.crt && chmod 600 ~/.postgresql/root.crt",
    "Verify the server hostname matches the certificate's Common Name (CN) or Subject Alternative Name (SAN). Use openssl s_client -connect host:5432 to check the certificate."
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://www.postgresql.org/docs/current/libpq-ssl.html",
  "official_doc_section": null,
  "error_code": null,
  "verification_tier": "ai_generated",
  "confidence": 0.85,
  "fix_success_rate": 0.85,
  "resolvable": "true",
  "first_seen": "2024-03-12",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}