What does "tlsv1 alert unknown ca" mean?


If the server sends you a TLS alert unknown ca like in this case, then the server does not accept the client certificate you have sent (-E my.pem). One reason for this might be that you have used the wrong certificate. Another reason might be that you've used the correct certificate but failed to add the necessary chain certificates.
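An added example, not part of the original answer: it unpacks the OpenSSL code from the curl message to show that the error is an alert received from the server, and counts the certificates in a client bundle such as the file passed to -E. It assumes the OpenSSL 1.x 8-hex-digit error format seen on this page; the function names and the sample bundle are constructed for illustration.

```python
import re

# OpenSSL 1.x packs an error as 0xLLFFFRRR: library (8 bits), function (12), reason (12).
ERR_LIB_SSL = 0x14
SSL_AD_REASON_OFFSET = 1000  # SSL reasons above this are alerts received from the peer
# Subset of TLS alert descriptions (RFC 5246, section 7.2).
TLS_ALERTS = {40: "handshake_failure", 42: "bad_certificate",
              43: "unsupported_certificate", 44: "certificate_revoked",
              45: "certificate_expired", 46: "certificate_unknown",
              48: "unknown_ca", 49: "access_denied"}
PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", re.M)

def decode_openssl_error(line):
    """Unpack the 8-hex-digit code and say which side raised the error."""
    m = re.search(r"error:([0-9A-Fa-f]{8}):", line)
    if not m:
        raise ValueError("no OpenSSL 1.x error code in line")
    code = int(m.group(1), 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    from_peer = lib == ERR_LIB_SSL and reason > SSL_AD_REASON_OFFSET
    alert = reason - SSL_AD_REASON_OFFSET if from_peer else None
    return {"lib": lib, "func": func, "reason": reason, "from_peer": from_peer,
            "alert": alert, "alert_name": TLS_ALERTS.get(alert)}

def summarize_pem(text):
    """Count the blocks in a client bundle; nothing is parsed or validated."""
    labels = PEM_BEGIN.findall(text)
    certs = labels.count("CERTIFICATE")
    return {"certificates": certs,
            "has_key": any(l.endswith("PRIVATE KEY") for l in labels),
            "chain_present": certs > 1}  # heuristic: leaf plus at least one more

# Constructed sample: block bodies are placeholders, only the headers matter here.
SAMPLE_BUNDLE = """-----BEGIN PRIVATE KEY-----
(placeholder)
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(placeholder leaf)
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    err = "curl: (35) error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca"
    print(decode_openssl_error(err))
    print(summarize_pem(SAMPLE_BUNDLE))
```

Reason 0x418 is 1048, that is 1000 plus TLS alert 48 (unknown_ca), so the message was sent by the server; a bundle reporting a single certificate carries no chain certificates.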


Author: grasevski

Updated on September 18, 2022

Comments

  • grasevski over 1 year

    I am trying to do a curl request using a client certificate like so:

    curl -E my.pem https://some.site
    

    And I get the following error message:

    curl: (35) error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
    
    • What does this mean?
    • Is this complaint coming from the server to which I am connecting, or my curl client?
    • (How do I determine) what is the ca in this context?
    • How do I make it such that the ca is known?
    • Admin almost 8 years
      From the curl manual: curl.haxx.se/docs/sslcerts.html
    • Admin almost 8 years
      I already read that but I still don't know. Could you humor me and answer one of my bullet points?
    • Admin almost 8 years
      E.g. is it the client complaining, as opposed to the server? Yes or no will do.
    • Admin almost 4 years
      @Julie Pelletier: It is the other way around. The server validates the client's certificate.
  • Admin about 2 years
    There could also be an issue on the server. For example, when using SSL with Postgres and the Common Name (CN=pg.com) for the CA cert is identical to the CN for the pg server SSL cert, the same error will show up.