Andrus <kobruleht2@hot.ee> writes:
> Observed:
>>> pg_dump: error: connection to server at "localhost" (::1), port 5432
>>> failed: SSL error: tlsv1 alert unknown ca
> Postgres log contains:
>>> [unknown] ::1 [unknown] LOG: could not accept SSL connection:
>>> certificate verify failed [unknown] ::1 [unknown] DETAIL: Client
>>> certificate verification failed at depth 0: self-signed certificate.

Hm. This example works fine for me on RHEL8. Evidently your
openssl installation is set up to reject self-signed certificates
by default. I note that in my installation, /etc/pki/tls/openssl.cnf
contains

[ req ]
...
x509_extensions = v3_ca # The extensions to add to the self signed cert
...

[ v3_ca ]
# Extensions for a typical CA
...
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign

Perhaps in your configuration file, that option is active?

regards, tom lane
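
One way to answer the question the reply ends on is sketched below, as an added example that is not part of the original message or of PostgreSQL or OpenSSL. It reads an openssl.cnf, follows x509_extensions from [ req ] to the section it names, and reports whether keyUsage is active there. The sample text is constructed from the excerpt quoted above, the function names are hypothetical, and the parser assumes plain "key = value" lines with no .include directives or variable expansion.

```python
import re
import sys

# Constructed sample modeled on the quoted excerpt, with keyUsage uncommented.
SAMPLE_ACTIVE = """\
[ req ]
x509_extensions = v3_ca # The extensions to add to the self signed cert

[ v3_ca ]
# Extensions for a typical CA
keyUsage = cRLSign, keyCertSign
"""

# Same text with the option commented out, as in the installation quoted above.
SAMPLE_DEFAULT = SAMPLE_ACTIVE.replace("keyUsage =", "# keyUsage =")


def parse_sections(text):
    """Return {section: {key: value}} holding only active (uncommented) settings."""
    sections, current = {}, "default"
    for raw in text.splitlines():
        # Drop comments; a '#' inside a quoted value is not handled (assumption).
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[\s*([^\]]+?)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections.setdefault(current, {})[key] = value
    return sections


def self_signed_key_usage(text):
    """keyUsage value applied by the [ req ] x509_extensions section, or None."""
    sections = parse_sections(text)
    ext_section = sections.get("req", {}).get("x509_extensions")
    if ext_section is None:
        return None
    return sections.get(ext_section, {}).get("keyUsage")


if __name__ == "__main__":
    # Pass a path such as /etc/pki/tls/openssl.cnf, or run with no argument for the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ACTIVE
    usage = self_signed_key_usage(text)
    print(f"keyUsage active: {usage}" if usage else "keyUsage not set")
```

An -extensions option given on the openssl command line selects a different section and is not covered by this check.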