Re: “tlsv1 alert unknown ca” with PQconnectdb

M Tarkeshwar Rao <m(dot)tarkeshwar(dot)rao(at)ericsson(dot)com> writes:
> I am trying psql with following options where I am providing client certificates also. It is connected perfectly.
> psql "host= 10.10.11.18 sslmode=verify-ca sslrootcert=em-ca-crt.pem sslcert=em-client-crt.pem sslkey=em-client-key.pem port=5433 user=postgres dbname=postgres"

You do realize that those certificate parameters are path names, right?

> Same when we used with C api (PQconnectdb((const char *)str);) it is failing with following error message.
> “tlsv1 alert unknown ca” <https://serverfault.com/questions/793260/what-does-tlsv1-alert-unknown-ca-mean>

I think the most likely theory is that libpq is failing to load the root
cert because the program's current working directory isn't the same as
where you had been running psql. It does look like libpq will complain
if the given files aren't readable, so maybe the true situation is that
it's finding files by those names but they aren't the right ones.

In any case, you generally want to put absolute pathnames into these
connection parameters.

regards, tom lane