Re: tlsv1 alert unknown ca error on cert authentication
Jacob Champion <jacob.champion@enterprisedb.com>
From: Jacob Champion <jacob.champion@enterprisedb.com>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Andrus <kobruleht2@hot.ee>, pgsql-bugs@lists.postgresql.org
Date: 2025-06-09T15:39:17Z
Lists: pgsql-bugs
On Sun, Jun 8, 2025 at 9:14 AM Tom Lane <tgl@sss.pgh.pa.us> wrote: > Hm. This example works fine for me on RHEL8. Evidently your > openssl installation is set up to reject self-signed certificates > by default. I wonder if this setup is somewhat undefined/underdefined behavior. Andrus, if I understand correctly, you have - two certificates (one client, one server _and_ CA) - with the same(!) Subject, according to the logs - one signed the other (so it's "self-signed") - one is marked CA, one is not I have no idea how OpenSSL or the RFCs resolve this situation. Do you really intend to have the CA share the same Subject as the client? --Jacob