Re: tlsv1 alert iso-8859-1 ca error on cert authentication

Andrus <kobruleht2@hot.ee> writes:
> Observed:

>>> pg_dump: error: connection to server at "localhost" (::1), port 5432
>>> failed: SSL error: tlsv1 alert unknown ca

> Postgres log contains:

>>> [unknown] ::1 [unknown] LOG:  could not accept SSL connection:
>>> certificate verify failed [unknown] ::1 [unknown] DETAIL: Client
>>> certificate verification failed at depth 0: self-signed certificate.

Hm.  This example works fine for me on RHEL8.  Evidently your
openssl installation is set up to reject self-signed certificates
by default.  I note that in my installation, /etc/pki/tls/openssl.cnf
contains

[ req ]
...
x509_extensions    = v3_ca    # The extensions to add to the self signed cert
...
[ v3_ca ]
# Extensions for a typical CA
...
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign

Perhaps in your configuration file, that option is active?

            regards, tom lane