What does "tlsv1 alert unknown ca" mean?
If the server sends you a TLS alert unknown ca like in this case then the server does not accept the client certificate you have sent (-E my.pem). One reason for this might be that you have used the wrong certificate. Another reason might be that you've used the correct certificate but failed to add the necessary chain certificates.
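The numeric code in the curl error line quoted in the question shows on its own that the alert was received from the peer. The following is an added example, not part of the original answer: it assumes the OpenSSL 1.x error-code packing (8-bit library, 12-bit function, 12-bit reason), the helper name `decode_openssl_error` is hypothetical, and the second sample line is constructed for contrast.

```python
import re

# TLS alert descriptions related to certificate handling (RFC 5246 / RFC 8446).
ALERTS = {
    42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired",
    46: "certificate_unknown", 48: "unknown_ca",
    49: "access_denied", 116: "certificate_required",
}

ERR_LIB_SSL = 20             # library number of libssl in OpenSSL 1.x
SSL_AD_REASON_OFFSET = 1000  # added to the alert number for a fatal alert received from the peer

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")


def decode_openssl_error(line):
    """Split an OpenSSL 1.x packed error code and say whether the peer sent an alert."""
    m = ERR_RE.search(line)
    if not m:
        raise ValueError("no 8-digit OpenSSL 1.x error code in line")
    code = int(m.group(1), 16)
    info = {
        "lib": (code >> 24) & 0xFF,
        "func": (code >> 12) & 0xFFF,
        "reason": code & 0xFFF,
        "from_peer": False,
        "alert": None,
    }
    if info["lib"] == ERR_LIB_SSL and info["reason"] >= SSL_AD_REASON_OFFSET:
        number = info["reason"] - SSL_AD_REASON_OFFSET
        info["from_peer"] = True
        info["alert"] = ALERTS.get(number, "alert_%d" % number)
    return info


# Error line from the question on this page.
PAGE_LINE = "curl: (35) error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca"
# Constructed contrast: a failure raised locally while verifying the server's certificate.
LOCAL_LINE = ("error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:"
              "certificate verify failed")

if __name__ == "__main__":
    for sample in (PAGE_LINE, LOCAL_LINE):
        print(decode_openssl_error(sample))
```

Reason 0x418 is 1048, that is alert 48 (unknown_ca) plus the offset, so the server sent it after failing to build a chain from the client certificate to a CA it trusts.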
Author: grasevski
Updated on September 18, 2022
Comments
-
grasevski over 1 year
I am trying to do a curl request using a client certificate like so:
curl -E my.pem https://some.site
And I get the following error message:
curl: (35) error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
- What does this mean?
- Is this complaint coming from the server to which I am connecting, or my curl client?
- (How do I determine) what is the ca in this context?
- How do I make it such that the ca is known?
-
Admin almost 8 years: From the curl manual: curl.haxx.se/docs/sslcerts.html
-
Admin almost 8 years: I already read that but I still don't know. Could you humor me and answer one of my bullet points?
-
Admin almost 8 years: E.g. is it client complaining, as opposed to server? Yes or no will do.
-
Admin almost 4 years: @Julie Pelletier: It is the other way around. The server validates the client's certificate.
-
Admin about 2 years: There could also be an issue on the server. For example, when using ssl with postgres and the Common Name (CN=pg.com) for the CA cert is identical with the CN for the pg server ssl cert, the same error will show up.