[MacPorts] #72080: sslrootcert=system fails (postgresql17 and postgresql16)
MacPorts
noreply at macports.org
Wed Feb 19 17:43:00 UTC 2025
#72080: sslrootcert=system fails (postgresql17 and postgresql16)
-------------------------------------------------+-------------------------
Reporter: jawj | Owner: (none)
Type: defect | Status: new
Priority: Normal | Milestone:
Component: ports | Version: 2.10.5
Keywords: ssl, certificate, sslrootcert, security | Port: postgresql17
-------------------------------------------------+-------------------------
The {{{sslrootcert=system}}} option on connection strings passed to psql
is broken. For example:
{{{
/opt/local/bin/psql17 'postgresql://user:pass@ep-broad-dew-a5k9hi1k.us-east-2.aws.neon.tech/neondb?sslrootcert=system'
psql17: error: connection to server at "ep-broad-dew-a5k9hi1k.us-east-2.aws.neon.tech" (3.131.64.200), port 5432 failed: SSL error: certificate verify failed
}}}
This is a great shame, since it blocks wider adoption of this helpful
security feature.
To reproduce the issue, simply install postgresql16 or postgresql17 on the
latest macOS using the latest MacPorts, then point psql at any free
neon.tech database, having swapped {{{sslmode=require}}} for
{{{sslrootcert=system}}} on the end of the connection string.
You can verify that it should work using an installation of Postgres 16 or
17 via homebrew.
I haven't figured out exactly why it's broken, but I do have a list of
some installations that are and that aren't:
https://gist.github.com/jawj/57bc9d1f350ffd5250942cf24957b3a7
And this response from the Postgres.app maintainers may be helpful:
https://github.com/PostgresApp/PostgresApp/issues/801
--
Ticket URL: <https://trac.macports.org/ticket/72080>
MacPorts <https://www.macports.org/>
Ports system for macOS
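
The ticket swaps `sslmode=require` for `sslrootcert=system`. As an added example (not part of the ticket, MacPorts or PostgreSQL code), this Python sketch derives which certificate checks each connection URI asks libpq for, following the documented PostgreSQL 16+ rules. The function name, result keys and the `db.example.test` URIs are constructed for illustration; environment variables, service files and an existing `root.crt` are ignored.

```python
from urllib.parse import urlsplit, parse_qs

# libpq sslmode values, weakest to strongest.
SSLMODES = ("disable", "allow", "prefer", "require", "verify-ca", "verify-full")

def effective_tls(uri):
    """Derive the certificate checks a libpq connection URI asks for.

    Follows the documented PostgreSQL 16+ rules; ignores PGSSLMODE and other
    environment variables, service files and a pre-existing root.crt.
    """
    parts = urlsplit(uri)
    if parts.scheme not in ("postgresql", "postgres"):
        raise ValueError("not a PostgreSQL connection URI")
    # Simplification of this example: for a repeated parameter keep the last value.
    params = {k: v[-1] for k, v in parse_qs(parts.query).items()}
    mode = params.get("sslmode")
    rootcert = params.get("sslrootcert")
    if mode is not None and mode not in SSLMODES:
        raise ValueError(f"unknown sslmode: {mode!r}")

    # sslrootcert=system makes verify-full the default and refuses anything weaker.
    rejected = rootcert == "system" and mode not in (None, "verify-full")
    if rootcert == "system" and not rejected:
        mode = "verify-full"
    elif mode is None:
        mode = "prefer"  # libpq default: opportunistic TLS, no verification

    return {
        "host": parts.hostname,
        "sslmode": mode,
        "rejected": rejected,
        "verifies_chain": not rejected and mode in ("verify-ca", "verify-full"),
        "verifies_hostname": not rejected and mode == "verify-full",
        "trust_store": rootcert or "~/.postgresql/root.crt",
    }

# Constructed sample URIs (placeholder host and credentials).
SAMPLES = [
    "postgresql://user:pass@db.example.test/neondb?sslmode=require",
    "postgresql://user:pass@db.example.test/neondb?sslrootcert=system",
    "postgresql://user:pass@db.example.test/neondb?sslrootcert=system&sslmode=require",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        r = effective_tls(uri)
        print(r["sslmode"], r["verifies_chain"], r["verifies_hostname"], r["rejected"])
```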