Re: tlsv1 alert unknown ca error on cert authentication

Andrus <kobruleht2@hot.ee>

From: Andrus <kobruleht2@hot.ee>
To: pgsql-bugs@lists.postgresql.org
Date: 2025-06-09T07:34:47Z
Lists: pgsql-bugs
Hi!

>Hm.  This example works fine for me on RHEL8.  Evidently your openssl installation is set up to reject self-signed certificates by 
default.

Tried with RapidSSL cert for user varukoopia. Error message is the same.

> I note that in my installation, /etc/pki/tls/openssl.cnf
> contains
>
> [ req ]
> ...
> x509_extensions	= v3_ca	# The extensions to add to the self signed cert
> ...
> [ v3_ca ]
> # Extensions for a typical CA
> ...
> # Key usage: this is typical for a CA certificate. However since it will
> # prevent it being used as an test self-signed certificate it is best
> # left out by default.
> # keyUsage = cRLSign, keyCertSign
>
> Perhaps in your configuration file, that option is active?

It is not active.

Tried self signed cert for user varukoopia, but error message is the same.

Tried with

log_min_messages = debug5

but log does not contain more information about error

Certs used and openssl conf were sent to Tom as message attachments.

Andrus