What does "tlsv1 alert unknown ca" mean?

Question

I am trying to do a curl request using a client certificate like so:

curl -E my.pem https://some.site

And I get the following error message:

curl: (35) error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

What does this mean?
Is this complaint coming from the server to which I am connecting, or my curl client?
(How do I determine) what is the ca in this context?
How do I make it such that the ca is known?

From the curl manual: https://curl.haxx.se/docs/sslcerts.html — HBruijn, Aug 02 '16 at 04:40
I already read that but I still don't know. Could you humor me and answer one of my bullet points? — grasevski, Aug 02 '16 at 05:33
Eg is it client complaining, as opposed to server? yes or no will do. — grasevski, Aug 02 '16 at 05:34
@Julie Pelletier: It is the other way around. The server validates the client's certificate. — Filou, Jul 30 '20 at 08:21

score 36 · Accepted Answer · answered Aug 02 '16 at 07:42

36

If the server sends you a TLS alert unknown ca like in this case then the server does not accept the client certificate you have send (-E my.pem). One reason for this might be that you have used the wrong certificate. Another reason might be that you've used the correct certificate but failed to add the necessary chain certificates.

answered Aug 02 '16 at 07:42

Steffen Ullrich

13,227
27
39

5

There could be also a issue on the server. For example when using ssl with postgres and the Common Name (`CN=pg.com`) for the CA cert is **identical** with the `CN` for the pg server ssl cert, the same error will show up. – FireEmerald May 09 '22 at 13:51

What does "tlsv1 alert unknown ca" mean?

1 Answers1