Re: tlsv1 alert unknown ca error on cert authentication
Andrus <kobruleht2@hot.ee>
From: Andrus <kobruleht2@hot.ee>
To: pgsql-bugs@lists.postgresql.org
Date: 2025-06-09T07:34:47Z
Lists: pgsql-bugs
Hi! >Hm. This example works fine for me on RHEL8. Evidently your openssl installation is set up to reject self-signed certificates by default. Tried with RapidSSL cert for user varukoopia. Error message is the same. > I note that in my installation, /etc/pki/tls/openssl.cnf > contains > > [ req ] > ... > x509_extensions = v3_ca # The extensions to add to the self signed cert > ... > [ v3_ca ] > # Extensions for a typical CA > ... > # Key usage: this is typical for a CA certificate. However since it will > # prevent it being used as an test self-signed certificate it is best > # left out by default. > # keyUsage = cRLSign, keyCertSign > > Perhaps in your configuration file, that option is active? It is not active. Tried self signed cert for user varukoopia, but error message is the same. Tried with log_min_messages = debug5 but log does not contain more information about error Certs used and openssl conf were sent to Tom as message attachments. Andrus