If you're putting PgBouncer in front of QuestDB to enable TLS, you might run into a confusing error:
closing because: server refused SSL
Here’s what’s going on — and how to fix it.
🧩 The Setup
You likely have a pgbouncer.ini that looks something like this:
[databases]
questdb = host=127.0.0.1 port=8812 dbname=questdb user=admin password=secret
[pgbouncer]
listen_addr = 127.0.0.1
listen_port = 5432
auth_type = trust
client_tls_sslmode = require
client_tls_key_file = /path/pgbouncer.key
client_tls_cert_file = /path/pgbouncer.crt
client_tls_ca_file = /etc/ssl/cert.pem
server_tls_sslmode = require
You then launch PgBouncer:
pgbouncer ./pgbouncer.ini
And try connecting like this:
psql "host=127.0.0.1 port=5432 dbname=questdb user=admin sslmode=require"
But the connection fails with:
closing because: server refused SSL
💡 What’s Going Wrong?
QuestDB (Open Source) does not support TLS over the PostgreSQL wire protocol.
So when PgBouncer tries to connect to QuestDB using server_tls_sslmode = require, the QuestDB server responds with “refused SSL.”
✅ The Fix: Disable TLS Between PgBouncer and QuestDB
Update your pgbouncer.ini config like so:
-server_tls_sslmode = require
+server_tls_sslmode = disable
This keeps TLS enabled from the client to PgBouncer, but disables it between PgBouncer and QuestDB, which is necessary for compatibility.
🔐 TLS Path Overview
| Connection | TLS Enabled? | PgBouncer Config |
|---|---|---|
| Client → PgBouncer | ✅ Yes | client_tls_sslmode = require |
| PgBouncer → QuestDB | ❌ No | server_tls_sslmode = disable |
This lets you offer encrypted connections to clients, even if QuestDB itself doesn’t handle TLS.
📝 Final Thoughts
- QuestDB OSS doesn’t support TLS on the PostgreSQL wire protocol.
- You can terminate TLS at PgBouncer.
- If you need full end-to-end encryption, you’ll need QuestDB Enterprise.
This setup is ideal for local or internal deployments where PgBouncer acts as a secure gateway to QuestDB.
Top comments (0)