If you're putting PgBouncer in front of QuestDB to enable TLS, you might run into a confusing error:

```
closing because: server refused SSL
```

Here's what's going on, and how to fix it.
🧩 The Setup

You likely have a `pgbouncer.ini` that looks something like this:

```ini
[databases]
questdb = host=127.0.0.1 port=8812 dbname=questdb user=admin password=secret

[pgbouncer]
listen_addr = 127.0.0.1
listen_port = 5432
auth_type = trust
client_tls_sslmode = require
client_tls_key_file = /path/pgbouncer.key
client_tls_cert_file = /path/pgbouncer.crt
client_tls_ca_file = /etc/ssl/cert.pem
server_tls_sslmode = require
```
You then launch PgBouncer:

```
pgbouncer ./pgbouncer.ini
```

And try connecting like this:

```
psql "host=127.0.0.1 port=5432 dbname=questdb user=admin sslmode=require"
```

But the connection fails with:

```
closing because: server refused SSL
```
💡 What's Going Wrong?

QuestDB (Open Source) does not support TLS over the PostgreSQL wire protocol.
So when PgBouncer tries to connect to QuestDB using `server_tls_sslmode = require`, the QuestDB server responds with "refused SSL."
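To see that refusal on the wire, this added example (not part of the original post) sends the PostgreSQL `SSLRequest` message and reads the one-byte answer: `S` means the backend will negotiate TLS, `N` is the refusal PgBouncer reports. The names `backend_accepts_tls` and `start_stub_backend` are hypothetical, and the stub is a constructed stand-in for a backend so the check runs offline; point the probe at port 8812 to test QuestDB itself.

```python
import socket
import struct
import threading

# PostgreSQL SSLRequest: Int32 length (8) + Int32 request code 80877103.
SSL_REQUEST = struct.pack("!II", 8, 80877103)


def backend_accepts_tls(host, port, timeout=3.0):
    """Send SSLRequest; return True if the server answers 'S', False on 'N'."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(SSL_REQUEST)
        reply = sock.recv(1)
    if reply == b"S":
        return True   # server is willing to start a TLS handshake
    if reply == b"N":
        return False  # the case PgBouncer logs as "server refused SSL"
    raise ValueError(f"unexpected reply to SSLRequest: {reply!r}")


def start_stub_backend(answer):
    """Constructed stand-in for a backend: reads SSLRequest, sends one byte.

    Returns the loopback port it listens on. Handles a single connection.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)

    def serve():
        conn, _ = listener.accept()
        with conn, listener:
            if conn.recv(8, socket.MSG_WAITALL) == SSL_REQUEST:
                conn.sendall(answer)

    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()[1]


if __name__ == "__main__":
    # Stub answers 'N', like a backend without TLS on the wire protocol.
    port = start_stub_backend(b"N")
    print("accepts TLS:", backend_accepts_tls("127.0.0.1", port))
```
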
The Fix: Disable TLS Between PgBouncer and QuestDB

Update your `pgbouncer.ini` config like so:
-server_tls_sslmode = require
+server_tls_sslmode = disable
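Review bot: the `+server_tls_sslmode = disable` line leaves the PgBouncer to QuestDB hop without TLS, so the credentials from the `[databases]` entry and all query traffic cross it unencrypted; that is only acceptable while `host=127.0.0.1` keeps the hop on loopback. Suggest a comment above the setting recording that constraint, so the backend host is not later pointed at a remote address with TLS still disabled.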
This keeps TLS enabled from the client to PgBouncer, but disables it between PgBouncer and QuestDB, which is necessary for compatibility.
TLS Path Overview

Connection | TLS Enabled? | PgBouncer Config |
---|---|---|
Client → PgBouncer | Yes | client_tls_sslmode = require |
PgBouncer → QuestDB | No | server_tls_sslmode = disable |
This lets you offer encrypted connections to clients, even if QuestDB itself doesn't handle TLS.

Final Thoughts

- QuestDB OSS doesn't support TLS on the PostgreSQL wire protocol.
- You can terminate TLS at PgBouncer.
- If you need full end-to-end encryption, you'll need QuestDB Enterprise.
This setup is ideal for local or internal deployments where PgBouncer acts as a secure gateway to QuestDB.