
javier ramírez


🔐 Using TLS with PgBouncer for QuestDB

If you're putting PgBouncer in front of QuestDB to enable TLS, you might run into a confusing error:

closing because: server refused SSL

Here’s what’s going on — and how to fix it.


🧩 The Setup

You likely have a pgbouncer.ini that looks something like this:

[databases]
questdb = host=127.0.0.1 port=8812 dbname=questdb user=admin password=secret

[pgbouncer]
listen_addr = 127.0.0.1
listen_port = 5432
auth_type = trust

client_tls_sslmode = require
client_tls_key_file = /path/pgbouncer.key
client_tls_cert_file = /path/pgbouncer.crt
client_tls_ca_file = /etc/ssl/cert.pem

server_tls_sslmode = require

You then launch PgBouncer:

pgbouncer ./pgbouncer.ini

And try connecting like this:

psql "host=127.0.0.1 port=5432 dbname=questdb user=admin sslmode=require"

But the connection fails with:

closing because: server refused SSL

💡 What’s Going Wrong?

QuestDB (Open Source) does not support TLS over the PostgreSQL wire protocol.

So when PgBouncer tries to connect to QuestDB using server_tls_sslmode = require, the QuestDB server responds with “refused SSL.”


✅ The Fix: Disable TLS Between PgBouncer and QuestDB

Update your pgbouncer.ini config like so:

-server_tls_sslmode = require
+server_tls_sslmode = disable
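
Review bot: `server_tls_sslmode = disable` on the `+` line makes the PgBouncer to QuestDB hop plaintext, so the `password=secret` from the `[databases]` entry and all query traffic cross that hop unencrypted. That is contained here only because the backend is `host=127.0.0.1`. Add a comment next to the setting stating that the backend must stay on loopback or a trusted private link, so the line is not copied unchanged into a config where QuestDB runs on another host.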

This keeps TLS enabled from the client to PgBouncer, but disables it between PgBouncer and QuestDB, which is necessary for compatibility.


🔐 TLS Path Overview

Connection            TLS Enabled?   PgBouncer Config
Client → PgBouncer    ✅ Yes         client_tls_sslmode = require
PgBouncer → QuestDB   ❌ No          server_tls_sslmode = disable

This lets you offer encrypted connections to clients, even if QuestDB itself doesn’t handle TLS.
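
The "server refused SSL" message comes from the first step of the PostgreSQL wire protocol: the client sends an SSLRequest and the server answers with a single byte, S or N. The following added example (not part of the original post, nor code from PgBouncer or QuestDB) probes both hops that way and flags a plaintext backend that is not on loopback. The function names and the stub servers standing in for PgBouncer and QuestDB are constructed for illustration.

```python
import ipaddress
import socket
import struct
import threading

# SSLRequest from the PostgreSQL wire protocol: int32 length 8, int32 code 80877103.
SSL_REQUEST = struct.pack("!II", 8, 80877103)

def probe_pg_tls(host, port, timeout=3.0):
    """Send SSLRequest; 'S' means the server will start TLS, 'N' means it refuses."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(SSL_REQUEST)
        reply = sock.recv(1)
    return {b"S": "tls", b"N": "no-tls"}.get(reply, "unexpected:" + reply.hex())

def check_tls_path(front, back):
    """Check both hops, given as (host, port), against the page's TLS layout."""
    findings = []
    if probe_pg_tls(*front) != "tls":
        findings.append("listener does not offer TLS to clients")
    if probe_pg_tls(*back) == "no-tls":
        addrs = {info[4][0] for info in socket.getaddrinfo(back[0], back[1])}
        if not all(ipaddress.ip_address(a).is_loopback for a in addrs):
            findings.append("plaintext backend hop leaves the local host")
    return findings

def stub_server(reply):
    """Constructed stand-in: answers one SSLRequest with `reply`, returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            if conn.recv(8, socket.MSG_WAITALL) == SSL_REQUEST:
                conn.sendall(reply)
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    # Constructed stand-ins for PgBouncer (answers 'S') and QuestDB OSS (answers 'N').
    front = ("127.0.0.1", stub_server(b"S"))
    back = ("127.0.0.1", stub_server(b"N"))
    print(check_tls_path(front, back))
```

Against a real deployment, call check_tls_path(("127.0.0.1", 5432), ("127.0.0.1", 8812)) with the ports from the pgbouncer.ini above; an empty list means the listener offers TLS and the plaintext hop stays on loopback.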


📝 Final Thoughts

  • QuestDB OSS doesn’t support TLS on the PostgreSQL wire protocol.
  • You can terminate TLS at PgBouncer.
  • If you need full end-to-end encryption, you’ll need QuestDB Enterprise.

This setup is ideal for local or internal deployments where PgBouncer acts as a secure gateway to QuestDB.
