Re: tlsv1 alert unknown ca error on cert authentication

Jacob Champion <jacob.champion@enterprisedb.com>

From: Jacob Champion <jacob.champion@enterprisedb.com>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Andrus <kobruleht2@hot.ee>, pgsql-bugs@lists.postgresql.org
Date: 2025-06-09T15:39:17Z
Lists: pgsql-bugs
On Sun, Jun 8, 2025 at 9:14 AM Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Hm.  This example works fine for me on RHEL8.  Evidently your
> openssl installation is set up to reject self-signed certificates
> by default.

I wonder if this setup is somewhat undefined/underdefined behavior.

Andrus, if I understand correctly, you have
- two certificates (one client, one server _and_ CA)
- with the same(!) Subject, according to the logs
- one signed the other (so it's "self-signed")
- one is marked CA, one is not

I have no idea how OpenSSL or the RFCs resolve this situation. Do you
really intend to have the CA share the same Subject as the client?

--Jacob