Discussion: “tlsv1 alert unknown ca” with PQconnectdb
Hi all,
I made the following changes in my Postgres server, which means I am enabling one-way authentication: (Disabled mutual authentication. Only the client will authenticate the server.)
hostssl all myuser 0.0.0.0/0 md5 clientcert=0
I am trying psql with following options where I am providing client certificates also. It is connected perfectly.
psql "host= 10.10.11.18 sslmode=verify-ca sslrootcert=em-ca-crt.pem sslcert=em-client-crt.pem sslkey=em-client-key.pem port=5433 user=postgres dbname=postgres"
Same when we used with C api (PQconnectdb((const char *)str);) it is failing with following error message.
“tlsv1 alert unknown ca”
Also we tried with a Java test program. It is connecting properly. Can you please suggest what could be the reason?
Regards
Tarkeshwar
M Tarkeshwar Rao <m.tarkeshwar.rao@ericsson.com> writes:
> I am trying psql with following options where I am providing client certificates also. It is connected perfectly.
> psql "host= 10.10.11.18 sslmode=verify-ca sslrootcert=em-ca-crt.pem sslcert=em-client-crt.pem sslkey=em-client-key.pem port=5433 user=postgres dbname=postgres"

You do realize that those certificate parameters are path names, right?

> Same when we used with C api (PQconnectdb((const char *)str);) it is failing with following error message.
> tlsv1 alert unknown ca

<https://serverfault.com/questions/793260/what-does-tlsv1-alert-unknown-ca-mean>

I think the most likely theory is that libpq is failing to load the root cert because the program's current working directory isn't the same as where you had been running psql. It does look like libpq will complain if the given files aren't readable, so maybe the true situation is that it's finding files by those names but they aren't the right ones. In any case, you generally want to put absolute pathnames into these connection parameters.

regards, tom lane
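
The advice in the reply above, as an added example that is not code from the thread or from libpq: a C helper that resolves the three TLS file parameters to absolute paths and checks that they are readable before the string is handed to PQconnectdb. The function names and the `base` argument are hypothetical, and POSIX realpath() and access() are assumed.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* for realpath() */
#endif
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Resolve one certificate/key file name to an absolute path and confirm it is
 * readable. realpath() resolves a relative name against the current working
 * directory, the same thing a relative name in the conninfo depends on.
 * Paths containing ' or \ are rejected so the quoting below needs no escapes. */
static int resolve_tls_file(const char *name, char out[PATH_MAX])
{
    if (realpath(name, out) == NULL)
        return -1;                        /* missing from this directory */
    if (strpbrk(out, "'\\") != NULL)
        return -1;
    return access(out, R_OK) == 0 ? 0 : -1;
}

/* Build a conninfo string whose TLS file parameters are absolute paths.
 * `base` (hypothetical name) holds the non-file parameters such as host,
 * port, user, dbname and sslmode. Returns 0 on success; on failure returns
 * -1 and sets *bad to the parameter that could not be resolved. */
int build_conninfo(char *dst, size_t dstlen, const char *base,
                   const char *rootcert, const char *cert, const char *key,
                   const char **bad)
{
    static const char *const params[] = { "sslrootcert", "sslcert", "sslkey" };
    const char *files[] = { rootcert, cert, key };
    int n = snprintf(dst, dstlen, "%s", base);
    if (n < 0 || (size_t)n >= dstlen) { *bad = "conninfo"; return -1; }
    size_t used = (size_t)n;
    for (int i = 0; i < 3; i++) {
        char path[PATH_MAX];
        if (resolve_tls_file(files[i], path) != 0) { *bad = params[i]; return -1; }
        n = snprintf(dst + used, dstlen - used, " %s='%s'", params[i], path);
        if (n < 0 || (size_t)n >= dstlen - used) { *bad = "conninfo"; return -1; }
        used += (size_t)n;
    }
    return 0;   /* dst can now be passed to PQconnectdb(dst) */
}
```

Reporting `*bad` before connecting separates a file that cannot be found from the current directory from a certificate the server actually rejects.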