Re: tlsv1 alert unknown ca error on cert authentication

Tom Lane <tgl@sss.pgh.pa.us>

From: Tom Lane <tgl@sss.pgh.pa.us>
To: Andrus <kobruleht2@hot.ee>
Cc: pgsql-bugs@lists.postgresql.org
Date: 2025-06-08T16:14:07Z
Lists: pgsql-bugs
Andrus <kobruleht2@hot.ee> writes:
> Observed:

>>> pg_dump: error: connection to server at "localhost" (::1), port 5432
>>> failed: SSL error: tlsv1 alert unknown ca

> Postgres log contains:

>>> [unknown] ::1 [unknown] LOG:  could not accept SSL connection:
>>> certificate verify failed [unknown] ::1 [unknown] DETAIL: Client
>>> certificate verification failed at depth 0: self-signed certificate.

Hm.  This example works fine for me on RHEL8.  Evidently your
openssl installation is set up to reject self-signed certificates
by default.  I note that in my installation, /etc/pki/tls/openssl.cnf
contains

[ req ]
...
x509_extensions	= v3_ca	# The extensions to add to the self signed cert
...
[ v3_ca ]
# Extensions for a typical CA
...
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign

Perhaps in your configuration file, that option is active?

			regards, tom lane