From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Andrus <kobruleht2(at)hot(dot)ee> |
Cc: | pgsql-bugs(at)lists(dot)postgresql(dot)org |
Subject: | Re: tlsv1 alert unknown ca error on cert authentication |
Date: | 2025-06-08 16:14:07 |
Message-ID: | 197871.1749399247@sss.pgh.pa.us |
Lists: | pgsql-bugs |
Andrus <kobruleht2(at)hot(dot)ee> writes:
> Observed:
>>> pg_dump: error: connection to server at "localhost" (::1), port 5432
>>> failed: SSL error: tlsv1 alert unknown ca
> Postgres log contains:
>>> [unknown] ::1 [unknown] LOG: could not accept SSL connection:
>>> certificate verify failed [unknown] ::1 [unknown] DETAIL: Client
>>> certificate verification failed at depth 0: self-signed certificate.
Hm. This example works fine for me on RHEL8. Evidently your
openssl installation is set up to reject self-signed certificates
by default. I note that in my installation, /etc/pki/tls/openssl.cnf
contains
[ req ]
...
x509_extensions = v3_ca # The extensions to add to the self signed cert
...
[ v3_ca ]
# Extensions for a typical CA
...
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
Perhaps in your configuration file, that option is active?
regards, tom lane
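
Added example (not part of the message above, and not PostgreSQL or OpenSSL code): a small Python check for the question the reply ends on, namely whether `keyUsage` is active in the section that `x509_extensions` under `[ req ]` points to. The sample configurations are constructed, the function names are hypothetical, and the parser assumes plain `key = value` lines with `#` comments, ignoring `.include` directives and variable expansion.

```python
import re

SECTION_RE = re.compile(r"^\[\s*([^\]\s]+)\s*\]$")

def parse_openssl_cnf(text):
    """Return {section: {key: value}} for active (uncommented) settings."""
    sections, current = {}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections.setdefault(current, {})[key] = value
    return sections

def self_signed_key_usage(text):
    """keyUsage applied by default to self-signed certs, or None if inactive."""
    cfg = parse_openssl_cnf(text)
    ext_section = cfg.get("req", {}).get("x509_extensions")
    if ext_section is None:
        return None
    return cfg.get(ext_section, {}).get("keyUsage")

# Constructed sample modelled on the excerpt quoted in the message.
COMMENTED = """\
[ req ]
x509_extensions = v3_ca # The extensions to add to the self signed cert

[ v3_ca ]
# keyUsage = cRLSign, keyCertSign
basicConstraints = critical,CA:true
"""
# Same file with the option switched on (constructed).
ACTIVE = COMMENTED.replace("# keyUsage", "keyUsage")

if __name__ == "__main__":
    for name, text in (("commented", COMMENTED), ("active", ACTIVE)):
        print(name, "->", self_signed_key_usage(text))
```

To run it against a real installation, pass the contents of the local `openssl.cnf` to `self_signed_key_usage()`.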