tlsv1 alert unknown ca error on cert authentication
Steps to reproduce:
1. Install Postgres 17.5 and OpenSsl on Windows 11
2. Run the following commands. Enter `postgres` as common name on client
cert creation:
```sh
openssl req -new -x509 -days 365 -nodes -out server.crt -keyout server.key
openssl req -new -nodes -out client.csr -keyout client.key
openssl x509 -req -in client.csr -CA server.crt -CAkey server.key -CAcreateserial -out client.crt -days 365
```
3. Copy files to server data directory:
```sh
copy server.key "C:\Program Files\PostgreSQL\17\data"
copy server.crt "C:\Program Files\PostgreSQL\17\data\root.crt"
copy server.crt "C:\Program Files\PostgreSQL\17\data"
```
4. Add the following lines to top of `pg_hba.conf`:
```
hostssl all postgres ::1/0 cert
hostssl all postgres 0.0.0.0/0 cert
```
5. Add the following lines to end of `postgresql.conf`:
```
ssl = on
ssl_ca_file = 'root.crt'
ssl_cert_file = 'server.crt'
ssl_key_file = 'server.key'
```
6. Re-start postgres service
7. Run commands:
```sh
set PGSSLCERT=client.crt
set PGSSLKEY=client.key
"C:\Program Files\PostgreSQL\17\bin\pg_dump" -f "test.backup" -F c -h localhost -U postgres postgres
```
Observed:
```
pg_dump: error: connection to server at "localhost" (::1), port 5432 failed: SSL error: tlsv1 alert unknown ca
```
Postgres log contains:
```
[unknown] ::1 [unknown] LOG: could not accept SSL connection: certificate verify failed
[unknown] ::1 [unknown] DETAIL: Client certificate verification failed at depth 0: self-signed certificate. Failed certificate data (unverified): subject "...rju/L=test/O=test/CN=postgres/emailAddress=test@example.com", serial number 14465968192346824308, issuer "...rju/L=test/O=test/CN=postgres/emailAddress=test@example.com"
```
Reported also in
https://stackoverflow.com/questions/79657806/why-postgres-17-cert-authentication-fails-in-windows
Andrus.
Andrus <kobruleht2@hot.ee> writes:
Observed:
pg_dump: error: connection to server at "localhost" (::1), port 5432
failed: SSL error: tlsv1 alert unknown ca
Postgres log contains:
[unknown] ::1 [unknown] LOG: could not accept SSL connection:
certificate verify failed [unknown] ::1 [unknown] DETAIL: Client
certificate verification failed at depth 0: self-signed certificate.
Hm. This example works fine for me on RHEL8. Evidently your
openssl installation is set up to reject self-signed certificates
by default. I note that in my installation, /etc/pki/tls/openssl.cnf
contains
[ req ]
...
x509_extensions = v3_ca # The extensions to add to the self signed cert
...
[ v3_ca ]
# Extensions for a typical CA
...
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
Perhaps in your configuration file, that option is active?
regards, tom lane
Hi!
Hm. This example works fine for me on RHEL8. Evidently your openssl installation is set up to reject self-signed certificates by
default.
Tried with RapidSSL cert for user varukoopia. Error message is the same.
I note that in my installation, /etc/pki/tls/openssl.cnf
contains
[ req ]
...
x509_extensions = v3_ca # The extensions to add to the self signed cert
...
[ v3_ca ]
# Extensions for a typical CA
...
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
Perhaps in your configuration file, that option is active?
It is not active.
Tried self-signed cert for user varukoopia, but the error message is the same.
Tried with
log_min_messages = debug5
but the log does not contain more information about the error.
Certs used and openssl conf were sent to Tom as message attachments.
Andrus
On Sun, Jun 8, 2025 at 9:14 AM Tom Lane <tgl@sss.pgh.pa.us> wrote:
Hm. This example works fine for me on RHEL8. Evidently your
openssl installation is set up to reject self-signed certificates
by default.
I wonder if this setup is somewhat undefined/underdefined behavior.
Andrus, if I understand correctly, you have
- two certificates (one client, one server _and_ CA)
- with the same(!) Subject, according to the logs
- one signed the other (so it's "self-signed")
- one is marked CA, one is not
I have no idea how OpenSSL or the RFCs resolve this situation. Do you
really intend to have the CA share the same Subject as the client?
--Jacob
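As an added example (my own code, not from the thread or from PostgreSQL), a POSIX shell preflight that reproduces Jacob's diagnosis: it runs the same openssl steps as the report, once with a distinct CA name and once with `postgres` typed as the CN for both the CA and the client, and checks each result the way the server will before anything is copied into the data directory. The name `test-ca`, the directory layout and the presence of the openssl CLI are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): preflight for pg_hba.conf "cert" auth.
# Builds a CA plus a client cert, then flags the pitfall above: a client cert
# whose subject equals its issuer (same CN for CA and client), which OpenSSL
# treats as self-signed and the server log rejects at depth 0.
set -eu
# make_pair DIR CA_CN CLIENT_CN: writes root.crt, client.crt and client.key
# into DIR, using the bug report's openssl steps (with -subj so nothing is
# prompted for).
make_pair() {
    dir=$1; ca_cn=$2; client_cn=$3
    mkdir -p "$dir"
    openssl req -new -x509 -days 365 -nodes -newkey rsa:2048 \
        -subj "/CN=$ca_cn" -out "$dir/root.crt" -keyout "$dir/root.key" 2>/dev/null
    openssl req -new -nodes -newkey rsa:2048 \
        -subj "/CN=$client_cn" -out "$dir/client.csr" -keyout "$dir/client.key" 2>/dev/null
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -out "$dir/client.crt" -days 365 2>/dev/null
}

# preflight DIR: returns 0 when client.crt will be accepted against root.crt,
# 1 otherwise, with the reason on stderr.
preflight() {
    dir=$1
    subject=$(openssl x509 -in "$dir/client.crt" -noout -subject)
    issuer=$(openssl x509 -in "$dir/client.crt" -noout -issuer)
    subject=${subject#subject=}; issuer=${issuer#issuer=}
    if [ "$subject" = "$issuer" ]; then
        echo "client.crt subject equals its issuer ($subject): OpenSSL treats it as self-signed" >&2
        return 1
    fi
    # the chain check the server performs when the client presents client.crt
    if ! openssl verify -CAfile "$dir/root.crt" "$dir/client.crt" >/dev/null 2>&1; then
        echo "client.crt does not chain to root.crt" >&2
        return 1
    fi
    echo "ok: client.crt chains to root.crt, subject $subject"
}

# Usage: a distinct CA name passes, the thread's same-name setup is rejected.
main() {
    work=$(mktemp -d)
    make_pair "$work/good" "test-ca" "postgres"
    preflight "$work/good"
    make_pair "$work/bad" "postgres" "postgres"
    preflight "$work/bad" || echo "rejected, as in the bug report"
    rm -rf "$work"
}
main
```

Whether `openssl verify` alone also rejects the same-name chain depends on the OpenSSL version (it hinges on whether an authority key identifier was added when signing), so the subject/issuer comparison is the reliable part of the check.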
Hi!
I wonder if this setup is somewhat undefined/underdefined behavior.
Andrus, if I understand correctly, you have
- two certificates (one client, one server _and_ CA)
- with the same(!) Subject, according to the logs
- one signed the other (so it's "self-signed")
- one is marked CA, one is not
I have no idea how OpenSSL or the RFCs resolve this situation. Do you
really intend to have the CA share the same Subject as the client?
No. It was a mistake. You can close this bug report as invalid.
Andrus.