PostgreSQL client root.crt should be CA cert

  • Please check this box if this contribution uses AI-generated content (including content generated by GitLab Duo features) as outlined in the GitLab DCO & CLA

What does this MR do and why?

In the case of a non-self-signed certificate, the guidance to copy server.crt to the clipboard for use on the secondary as root.crt is misleading. The GitLab Geo secondary instance's PostgreSQL client uses root.crt to verify the SSL connection to the GitLab Geo primary. As it is treated as a CA certificate, `sslmode=verify-ca` and `sslmode=verify-full` fail in such a case, because the certificate in question may not contain the root CA certificate.

documentation

Edited by 🤖 GitLab Bot 🤖
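The failure described in this MR can be reproduced offline with the `openssl` CLI. The script below is an added example, not part of the merge request or the GitLab documentation. It assumes `openssl verify -CAfile` as a stand-in for the chain check the PostgreSQL client performs against root.crt, and the CA name, host name `primary.example.com` and all keys are constructed for the demo.

```shell
#!/usr/bin/env bash
# Constructed demo PKI: a throwaway CA and a server certificate it signs.

make_demo_pki() {  # $1 = empty work directory
  local d="$1"
  cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  # Self-signed CA certificate: this is what belongs in the client's root.crt.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/demo.cnf" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
  # Server key and CSR, then a server.crt issued by the demo CA (not self-signed).
  openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
    -subj "/CN=primary.example.com" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/server.crt" 2>/dev/null
}

trusts() {  # $1 = candidate root.crt, $2 = certificate the server presents
  # Default OpenSSL chain building: the chain from $2 must end at a trusted
  # self-signed certificate, so a CA-issued leaf used as $1 is not enough.
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

run_demo() {
  local d candidate
  d=$(mktemp -d) || return 1
  make_demo_pki "$d" || { rm -rf "$d"; return 1; }
  for candidate in ca.crt server.crt; do
    if trusts "$d/$candidate" "$d/server.crt"; then
      echo "root.crt = $candidate: server.crt verifies"
    else
      echo "root.crt = $candidate: server.crt does NOT verify"
    fi
  done
  rm -rf "$d"
}

run_demo
```

Running the same `trusts` check against the real root.crt and server.crt before switching the secondary to `verify-ca` or `verify-full` shows whether the file copied over is actually the issuing CA.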
