From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | "Zwettler Markus (OIZ)" <Markus(dot)Zwettler(at)zuerich(dot)ch> |
Cc: | "pgsql-general(at)lists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org> |
Subject: | Re: could not accept ssl connection tlsv1 alert unknown ca |
Date: | 2025-01-30 17:50:48 |
Message-ID: | 3294022.1738259448@sss.pgh.pa.us |
Lists: | pgsql-general |
"Zwettler Markus (OIZ)" <Markus(dot)Zwettler(at)zuerich(dot)ch> writes:

> However, one client also configured some client certificates + "sslmode=prefer" which resulted in "could not accept ssl connection tlsv1 alert unknown ca".

I'm no expert, but I think this typically means a missing or untrusted
intermediate certificate, that is, no chain of trust to one of the
certs that your OpenSSL considers trusted.

> I always thought that Postgres does only validate certificates with "sslmode=verify-ca" and "sslmode=verify-full" => https://www.postgresql.org/docs/current/libpq-ssl.html

Those cause some additional checks to be made, but it's not like
you can expect a completely broken certificate to work without them.

regards, tom lane
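
The chain-of-trust condition described in the reply above can be reproduced offline with the `openssl` CLI. This is an added example, not part of the original message; the CA names, file names and the helper functions `make_chain` and `verify_leaf` are constructed for illustration.

```shell
#!/bin/sh
# Constructed throwaway PKI: root CA -> intermediate CA -> leaf certificate.

make_chain() {   # $1 = empty directory to fill with keys and certificates
    d=$1
    cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    # Self-signed root: the only certificate the verifier will trust.
    openssl req -x509 -config "$d/pki.cnf" -newkey rsa:2048 -nodes -days 2 \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    # Intermediate CA, signed by the root.
    openssl req -new -config "$d/pki.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Example Intermediate CA" \
        -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/pki.cnf" -extensions v3_ca \
        -out "$d/inter.crt" 2>/dev/null
    # Leaf (for example a client certificate), signed by the intermediate.
    openssl req -new -config "$d/pki.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=example-client" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
        -CAcreateserial -days 2 -out "$d/leaf.crt" 2>/dev/null
}

verify_leaf() {  # $1 = directory, $2 = "with" to also present the intermediate
    if [ "$2" = with ]; then
        openssl verify -CAfile "$1/root.crt" -untrusted "$1/inter.crt" "$1/leaf.crt"
    else
        openssl verify -CAfile "$1/root.crt" "$1/leaf.crt"
    fi
}

dir=$(mktemp -d)
make_chain "$dir"
# Only the root is trusted and the intermediate is not supplied: no chain.
verify_leaf "$dir" without || echo "rejected: issuer of leaf.crt not found"
# Same trust store, intermediate supplied alongside the leaf: chain completes.
verify_leaf "$dir" with && echo "accepted: leaf -> intermediate -> root"
rm -rf "$dir"
```

Running the same two `openssl verify` commands against a real certificate and CA bundle shows whether an intermediate is missing from what the peer presents or from what the verifier trusts.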