Question

We're trying to connect to a postgres/postgis installation on a remote server, using QGIS-Application. When accessing from another pc or from the same pc via pgadmin4v4 with the same credential/authentication settings, it works just fine. Therefore I conclude the pg_hba.conf is ok and it's in fact a problem of QGIS.

In order to better understand the problem and maybe file a bug for QGIS I need help analysing the error message. It says:

Area: dbname = <databasename>, host <server-ip>, port 5432, user <username>, password <password>, authcfg = <id_of_auth_record>

SSL error: certificate verify failed
FATAL: no pg_hba.conf entry for host <some_other-ip>, user <username>, database <databasename>, SSL off

My main questions:

  1. shouldn't the host-ip addresses be identical? Could it be part of the problem, that the second ip mentioned is not the correct server-ip? As far as I can see, there should be only one host (remote server) and one client involved (pc trying to get access).

  2. why doesn't it say "no pg_hba.conf entry for client ..."

  3. does QGIS think it is a certificate problem, or a pg_hba.conf problem, or is that both the same

Update: further Details about the installation

  • Client-PC1: Win10, QGIS 3.4 [error] pgAdmin 4v4 [access ok]
  • Client-PC2: Win10, QGIS 3.10 [access ok] pgAdmin 4v4 [access ok]
  • Server: postgres 12
  • pg_hba.conf:
# Database administrative login by Unix domain socket
local   all             postgres                                peer

# TYPE  DATABASE        USER            ADDRESS                 METHOD

# "local" is for Unix domain socket connections only
local   all             all                                     peer
# IPv4 local connections:
host    all             all             0.0.0.0/0               scram-sha-256
# IPv6 local connections:
hostssl all             all             ::0/0                   scram-sha-256


Solution

shouldn't the host-ip addresses be identical? Could it be part of the problem, that the second ip mentioned is not the correct server-ip? As far as I can see, there should be only one host (remote server) and one client involved (pc trying to get access).

They will often not be identical if you have some kind of firewall or NAT between them. But this should not lead to failure to verify, unless you are using client certs as well as server certs (which you don't appear to be). The client will compare the hostname/IP address inside the cert to the hostname/IP it asked for, and see if those match.

I realized you are probably asking a different question. "client" and "server" are complements to each other. "client" and "host" are not complement words. Both the server and client have host names and host IP addresses. They will generally not be the same as each other.

why doesn't it say "no pg_hba.conf entry for client ..."

It is reporting the host from which (it thinks) the client is connecting. If it just said "client", what would that mean? It could mean that it doesn't like the client being python rather than psql. The issue is with the host of the client, not other aspects of the client.

does QGIS think it is a certificate problem, or a pg_hba.conf problem, or is that both the same

Both, but separately. It first tries to use SSL and thinks there is a certificate problem. It then tries no SSL and finds that pg_hba won't let it do that. If you configure the client to "require" or above (rather than "prefer") for sslmode, then the client will stop making that 2nd attempt.

It seems like your client is finding a .postgresql/root.crt or equivalent, but can't use that file to validate the server. You can just hide this file from your client, then it will stop trying to validate the server. It will then only use ssl for encryption, not for verification.
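
How the pg_hba.conf from the question is evaluated for SSL and non-SSL connection attempts, as an added example (not code from the original post or from PostgreSQL). It is a simplified first-match evaluator that handles only the `all` keyword, comma-separated names and CIDR addresses; the client addresses, database `gis` and user `alice` are constructed.

```python
import ipaddress

# pg_hba.conf records as posted in the question (comment lines removed).
PG_HBA = """\
local   all   postgres                 peer
local   all   all                      peer
host    all   all      0.0.0.0/0       scram-sha-256
hostssl all   all      ::0/0           scram-sha-256
"""

def parse(text):
    """Split each record into fields; local records have no ADDRESS column."""
    rules = []
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if not f:
            continue
        if f[0] == "local":
            rules.append({"type": f[0], "db": f[1], "user": f[2], "net": None, "method": f[3]})
        else:
            rules.append({"type": f[0], "db": f[1], "user": f[2],
                          "net": ipaddress.ip_network(f[3], strict=False), "method": f[4]})
    return rules

def name_matches(field, value):
    names = field.split(",")
    return "all" in names or value in names

def first_match(rules, db, user, client_ip, ssl):
    """Return the first record matching a TCP connection, or None when the
    server would answer 'no pg_hba.conf entry for host ...'."""
    addr = ipaddress.ip_address(client_ip)
    for r in rules:
        if r["type"] == "local":
            continue  # Unix-socket records never match TCP connections
        if (r["type"] == "hostssl" and not ssl) or (r["type"] == "hostnossl" and ssl):
            continue  # record type does not cover this transport
        # An IPv4 entry matches only IPv4 clients, an IPv6 entry only IPv6 ones.
        if addr.version != r["net"].version or addr not in r["net"]:
            continue
        if name_matches(r["db"], db) and name_matches(r["user"], user):
            return r
    return None

RULES = parse(PG_HBA)
# Constructed client addresses (documentation ranges), not taken from the post.
for ip, ssl in [("203.0.113.10", False), ("2001:db8::10", True), ("2001:db8::10", False)]:
    hit = first_match(RULES, "gis", "alice", ip, ssl)
    print(ip, "SSL on" if ssl else "SSL off", "->", f"{hit['type']} / {hit['method']}" if hit else "no pg_hba.conf entry")
```

With this file, a non-SSL attempt finds no record only when it arrives over IPv6, because the only IPv6 record is `hostssl`.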

OTHER TIPS

The no pg_hba.conf entry message is a generic message that means that something did not work out with the connection attempt. PostgreSQL uses a generic message, so that an attacker cannot draw conclusions from the kind of message she gets.

The true problem is probably:

SSL error: certificate verify failed

That would mean that client and server attempt to start an encrypted connection, but the client does not recognize the server certificate (because the certificate that was used to sign the server certificate is not a certification authority that the client recognizes).

Licensed under: CC-BY-SA with attribution
Not affiliated with dba.stackexchange