Thread

  1. tlsv1 alert unknown ca error on cert authentication

    Andrus <kobruleht2@hot.ee> — 2025-06-08T12:21:40Z

    Steps to reproduce:
    
    1. Install Postgres 17.5 and OpenSsl on Windows 11
    
    2. Run the following commands. Enter `postgres` as common name on client 
    cert creation:
    
        ```sh
        openssl req -new -x509 -days 365 -nodes -out server.crt -keyout 
    server.key
        openssl req -new -nodes -out client.csr -keyout client.key
        openssl x509 -req -in client.csr -CA server.crt -CAkey server.key 
    -CAcreateserial -out client.crt -days 365
         ```
    
    3. Copy files to server data directory:
    
         ```sh
         copy server.key "C:\Program Files\PostgreSQL\17\data"
         copy server.crt "C:\Program Files\PostgreSQL\17\data\root.crt"
         copy server.crt "C:\Program Files\PostgreSQL\17\data"
    
    4. Add the following lines to top of `pg_hba.conf`:
    
            hostssl all postgres ::1/0 cert
            hostssl all postgres 0.0.0.0/0 cert
    
    5. Add the following lines to end of `postgresql.conf`:
    
            ssl = on
            ssl_ca_file = 'root.crt'
            ssl_cert_file = 'server.crt'
            ssl_key_file = 'server.key'
    
    6. Re-start postgres service
    
    7. Run commands
    
         ```sh
         set PGSSLCERT=client.crt
         set PGSSLKEY=client.key
         "C:\Program Files\PostgreSQL\17\bin\pg_dump" -f "test.backup" -F c 
    -h localhost -U postgres postgres
    
    
    Observed:
    
     > pg_dump: error: connection to server at "localhost" (::1), port 5432
     > failed: SSL error: tlsv1 alert unknown ca
    
    Postgres log contains:
    
     > [unknown] ::1 [unknown] LOG:  could not accept SSL connection:
     > certificate verify failed [unknown] ::1 [unknown] DETAIL: Client
     > certificate verification failed at depth 0: self-signed certificate.
     >     Failed certificate data (unverified): subject
     > "...rju/L=test/O=test/CN=postgres/emailAddress=test@example.com",
     > serial number 14465968192346824308, issuer
     > "...rju/L=test/O=test/CN=postgres/emailAddress=test@example.com"
    
    Reported also in
    
    https://stackoverflow.com/questions/79657806/why-postgres-17-cert-authentication-fails-in-windows
    
    Andrus.
    
  2. Re: tlsv1 alert unknown ca error on cert authentication

    Tom Lane <tgl@sss.pgh.pa.us> — 2025-06-08T16:14:07Z

    Andrus <kobruleht2@hot.ee> writes:
    > Observed:
    
    >>> pg_dump: error: connection to server at "localhost" (::1), port 5432
    >>> failed: SSL error: tlsv1 alert unknown ca
    
    > Postgres log contains:
    
    >>> [unknown] ::1 [unknown] LOG:  could not accept SSL connection:
    >>> certificate verify failed [unknown] ::1 [unknown] DETAIL: Client
    >>> certificate verification failed at depth 0: self-signed certificate.
    
    Hm.  This example works fine for me on RHEL8.  Evidently your
    openssl installation is set up to reject self-signed certificates
    by default.  I note that in my installation, /etc/pki/tls/openssl.cnf
    contains
    
    [ req ]
    ...
    x509_extensions	= v3_ca	# The extensions to add to the self signed cert
    ...
    [ v3_ca ]
    # Extensions for a typical CA
    ...
    # Key usage: this is typical for a CA certificate. However since it will
    # prevent it being used as an test self-signed certificate it is best
    # left out by default.
    # keyUsage = cRLSign, keyCertSign
    
    Perhaps in your configuration file, that option is active?
    
    			regards, tom lane
    
    
    
    
  3. Re: tlsv1 alert unknown ca error on cert authentication

    Andrus <kobruleht2@hot.ee> — 2025-06-09T07:34:47Z

    Hi!
    
    >Hm.  This example works fine for me on RHEL8.  Evidently your openssl installation is set up to reject self-signed certificates by 
    default.
    
    Tried with RapidSSL cert for user varukoopia. Error message is the same.
    
    > I note that in my installation, /etc/pki/tls/openssl.cnf
    > contains
    >
    > [ req ]
    > ...
    > x509_extensions	= v3_ca	# The extensions to add to the self signed cert
    > ...
    > [ v3_ca ]
    > # Extensions for a typical CA
    > ...
    > # Key usage: this is typical for a CA certificate. However since it will
    > # prevent it being used as an test self-signed certificate it is best
    > # left out by default.
    > # keyUsage = cRLSign, keyCertSign
    >
    > Perhaps in your configuration file, that option is active?
    
    It is not active.
    
    Tried self signed cert for user varukoopia, but error message is the same.
    
    Tried with
    
    log_min_messages = debug5
    
    but log does not contain more information about error
    
    Certs used and openssl conf were sent to Tom as message attachments.
    
    Andrus
    
    
  4. Re: tlsv1 alert unknown ca error on cert authentication

    Jacob Champion <jacob.champion@enterprisedb.com> — 2025-06-09T15:39:17Z

    On Sun, Jun 8, 2025 at 9:14 AM Tom Lane <tgl@sss.pgh.pa.us> wrote:
    > Hm.  This example works fine for me on RHEL8.  Evidently your
    > openssl installation is set up to reject self-signed certificates
    > by default.
    
    I wonder if this setup is somewhat undefined/underdefined behavior.
    
    Andrus, if I understand correctly, you have
    - two certificates (one client, one server _and_ CA)
    - with the same(!) Subject, according to the logs
    - one signed the other (so it's "self-signed")
    - one is marked CA, one is not
    
    I have no idea how OpenSSL or the RFCs resolve this situation. Do you
    really intend to have the CA share the same Subject as the client?
    
    --Jacob
    
    
    
    
  5. Re: tlsv1 alert unknown ca error on cert authentication

    Andrus <kobruleht2@hot.ee> — 2025-06-09T20:40:34Z

    Hi!
    
    > I wonder if this setup is somewhat undefined/underdefined behavior.
    >
    > Andrus, if I understand correctly, you have
    > - two certificates (one client, one server _and_ CA)
    > - with the same(!) Subject, according to the logs
    > - one signed the other (so it's "self-signed")
    > - one is marked CA, one is not
    >
    > I have no idea how OpenSSL or the RFCs resolve this situation. Do you
    > really intend to have the CA share the same Subject as the client?
    
    No. It was mistake. You can close this bug report as invalid.
    
    Andrus.