could not accept ssl connection tlsv1 alert unknown ca

From: "Zwettler Markus (OIZ)" <Markus(dot)Zwettler(at)zuerich(dot)ch>
To: "pgsql-general(at)lists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org>
Subject: could not accept ssl connection tlsv1 alert unknown ca
Date: 2025-01-30 17:21:02
Message-ID: GV0P278MB0099D57F417CC2985E16BDBB8BE92@GV0P278MB0099.CHEP278.PROD.OUTLOOK.COM
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

We wanted to use pure ssl encryption without certificate validation.

We created and configured self-signed certificates at the postgres server, turned "sslmode=on" and advised our clients to use "sslmode=prefer". This worked very well.

However, one client also configured some client certificates + "sslmode=prefer" which resulted in "could not accept ssl connection tlsv1 alert unknown ca".

I always thought that Postgres does only validate certificates with "sslmode=verify-ca" and "sslmode=verify-full" => https://www.postgresql.org/docs/current/libpq-ssl.html

Did I get something wrong?

Responses

Browse pgsql-general by date

  From Date Subject
Next Message Tom Lane 2025-01-30 17:50:48 Re: could not accept ssl connection tlsv1 alert unknown ca
Previous Message Adrian Klaver 2025-01-30 16:45:52 Re: Ideas about presenting data coming from sensors