Re: tlsv1 alert unknown ca error on cert authentication

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Andrus <kobruleht2(at)hot(dot)ee>
Cc: pgsql-bugs(at)lists(dot)postgresql(dot)org
Subject: Re: tlsv1 alert unknown ca error on cert authentication
Date: 2025-06-08 16:14:07
Message-ID: 197871.1749399247@sss.pgh.pa.us
Lists: pgsql-bugs

Andrus <kobruleht2(at)hot(dot)ee> writes:
> Observed:

>>> pg_dump: error: connection to server at "localhost" (::1), port 5432
>>> failed: SSL error: tlsv1 alert unknown ca

> Postgres log contains:

>>> [unknown] ::1 [unknown] LOG:  could not accept SSL connection:
>>> certificate verify failed [unknown] ::1 [unknown] DETAIL: Client
>>> certificate verification failed at depth 0: self-signed certificate.

Hm. This example works fine for me on RHEL8. Evidently your
openssl installation is set up to reject self-signed certificates
by default. I note that in my installation, /etc/pki/tls/openssl.cnf
contains

[ req ]
...
x509_extensions = v3_ca # The extensions to add to the self signed cert
...
[ v3_ca ]
# Extensions for a typical CA
...
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign

Perhaps in your configuration file, that option is active?

regards, tom lane
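Two checks a server administrator would run after a rejection like the one logged above, written as an added example (not part of this thread, and not PostgreSQL's or OpenSSL's own code). It assumes only the `openssl` CLI (1.1.1 or newer, for `-addext`); the certificate names `plain` and `cakind`, the `$WORK` directory and the helper functions are constructed for the example. It builds two throw-away self-signed certificates, one plain and one carrying the `cRLSign, keyCertSign` usage that the openssl.cnf comment says is best left out, shows how to tell them apart, and runs the same chain verification the server performs, reproducing the depth-0 "self-signed certificate" failure when the client certificate is not in the trusted file.

```shell
#!/bin/sh
# Added example, not from the thread: inspect a self-signed test certificate
# for the CA-only keyUsage and reproduce the server-side verification result.
# Requires the openssl CLI (1.1.1+). All certificates are constructed here.

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for the generated files

# make_cert NAME [ADDEXT]: write a self-signed RSA certificate for CN=NAME to
# $WORK/NAME.crt; an optional -addext value adds further X.509 extensions.
make_cert() {
    name="$1"
    ext="$2"
    if [ -n "$ext" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$name" \
            -keyout "$WORK/$name.key" -out "$WORK/$name.crt" -addext "$ext" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$name" \
            -keyout "$WORK/$name.key" -out "$WORK/$name.crt" 2>/dev/null
    fi
}

# has_ca_keyusage CERT: exit 0 if the Key Usage extension includes
# keyCertSign, which 'openssl x509 -text' prints as "Certificate Sign".
has_ca_keyusage() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "Certificate Sign"
}

# verify_status CERT CAFILE: print "ok" if CERT chains to a certificate in
# CAFILE, "self-signed" for the depth-0 self-signed failure (error 18, the
# DETAIL in the Postgres log), or "other" for any other failure.
verify_status() {
    out=$(openssl verify -CAfile "$2" "$1" 2>&1) || true
    case "$out" in
        *": OK"*)                                                echo ok ;;
        *"self signed certificate"*|*"self-signed certificate"*) echo self-signed ;;
        *)                                                       echo other ;;
    esac
}

# Demonstration on the constructed certificates; nothing touches a server.
demo() {
    make_cert plain
    make_cert cakind "keyUsage=critical,cRLSign,keyCertSign"
    printf 'plain.crt carries CA keyUsage:  %s\n' \
        "$(has_ca_keyusage "$WORK/plain.crt" && echo yes || echo no)"
    printf 'cakind.crt carries CA keyUsage: %s\n' \
        "$(has_ca_keyusage "$WORK/cakind.crt" && echo yes || echo no)"
    # A self-signed certificate verifies only when it is itself in the
    # trusted file (what the server's root.crt must contain) ...
    printf 'plain.crt vs plain.crt:  %s\n' \
        "$(verify_status "$WORK/plain.crt" "$WORK/plain.crt")"
    # ... and fails at depth 0 as "self-signed" when the file holds another cert.
    printf 'plain.crt vs cakind.crt: %s\n' \
        "$(verify_status "$WORK/plain.crt" "$WORK/cakind.crt")"
}

demo
```

Run it as a plain script; the generated keys and certificates stay in `$WORK` (a fresh `mktemp -d` unless you set `WORK` yourself) so they can be inspected with `openssl x509 -text` afterwards. `has_ca_keyusage` is the quick way to see whether a locally generated test certificate picked up the `v3_ca` keyUsage from the system openssl.cnf, and `verify_status` is the same check `openssl verify` runs on the server side against the trusted CA file.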
