hapostgres / pg_auto_failover

Postgres extension and service for automated failover and high-availability

Documentation - SSL Certificates Authentication: Additional user name map entry necessary #850

Open tmohme opened 2 years ago

tmohme commented 2 years ago

pg_auto_failover 1.6.3:

We followed the recipe in the documentation and noticed that for SSL certificates on the monitor and two Postgres nodes, an additional user name map entry (not mentioned in the documentation) is necessary.

With only the entries mentioned in the docs we get the following messages in the logs of the Postgres nodes:

LOG:  no match in usermap "pgautofailover" for user "pgautofailover_monitor" authenticated as "postgres"
FATAL:  certificate authentication failed for user "pgautofailover_monitor"
DETAIL:  Connection matched pg_hba.conf line 110: "hostssl all "pgautofailover_monitor" <monitor>/32 cert map=pgautofailover"

We were able to get rid of these messages by adding the line

pgautofailover  postgres                pgautofailover_monitor

to the user name map file pg_ident.conf. This confusion could be avoided for future users of pg_auto_failover by adding the line to the documentation. Or have we misunderstood our situation and made things worse?
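An added example, not part of the original issue or of the pg_auto_failover project: a simplified model of how `cert` authentication with `map=pgautofailover` checks the certificate CN against `pg_ident.conf`, reproducing the log line above and showing the effect of the extra entry. The `BEFORE` map and its `other_role` entry are constructed sample data (the documentation's actual entries are not reproduced here), quoted fields are not handled, and PostgreSQL's regex dialect is approximated with Python's `re`.

```python
import re

# Constructed sample map; "other_role" is a hypothetical placeholder entry.
BEFORE = """\
# MAPNAME        SYSTEM-USERNAME   PG-USERNAME
pgautofailover   postgres          other_role
"""
# The same map plus the line quoted in the issue.
AFTER = BEFORE + "pgautofailover  postgres                pgautofailover_monitor\n"

def parse_ident(text):
    """Parse pg_ident.conf text into (map, system_user, pg_user) tuples."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split columns
        if len(fields) >= 3:
            entries.append(tuple(fields[:3]))
    return entries

def check_usermap(entries, mapname, cert_cn, db_user):
    """Return (allowed, log_line) for a client cert CN requesting db_user."""
    for name, system_user, pg_user in entries:
        if name != mapname:
            continue
        if system_user.startswith("/"):
            # Regex entry: unanchored match, \1 expands to the first group.
            hit = re.search(system_user[1:], cert_cn)
            if not hit:
                continue
            if hit.groups() and "\\1" in pg_user:
                pg_user = pg_user.replace("\\1", hit.group(1) or "")
        elif system_user != cert_cn:
            continue
        if pg_user == db_user:
            return True, None
    return False, ('no match in usermap "%s" for user "%s" authenticated as "%s"'
                   % (mapname, db_user, cert_cn))

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, check_usermap(parse_ident(text), "pgautofailover",
                                   "postgres", "pgautofailover_monitor"))
```

With the added entry, any client certificate accepted by the server's CA whose CN is `postgres` can authenticate as `pgautofailover_monitor` on connections that match that `pg_hba.conf` line, so the address restriction (`<monitor>/32`) on that line is what keeps the mapping narrow.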