Re: tlsv1 alert unknown ca error on cert authentication
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Andrus <kobruleht2@hot.ee>
Cc: pgsql-bugs@lists.postgresql.org
Date: 2025-06-08T16:14:07Z
Lists: pgsql-bugs
Andrus <kobruleht2@hot.ee> writes: > Observed: >>> pg_dump: error: connection to server at "localhost" (::1), port 5432 >>> failed: SSL error: tlsv1 alert unknown ca > Postgres log contains: >>> [unknown] ::1 [unknown] LOG: could not accept SSL connection: >>> certificate verify failed [unknown] ::1 [unknown] DETAIL: Client >>> certificate verification failed at depth 0: self-signed certificate. Hm. This example works fine for me on RHEL8. Evidently your openssl installation is set up to reject self-signed certificates by default. I note that in my installation, /etc/pki/tls/openssl.cnf contains [ req ] ... x509_extensions = v3_ca # The extensions to add to the self signed cert ... [ v3_ca ] # Extensions for a typical CA ... # Key usage: this is typical for a CA certificate. However since it will # prevent it being used as an test self-signed certificate it is best # left out by default. # keyUsage = cRLSign, keyCertSign Perhaps in your configuration file, that option is active? regards, tom lane