Neon "SSL connection required" (sslmode=require) in CI
Neon rejects any unencrypted connection. If DATABASE_URL omits sslmode=require or the client disables TLS, the server refuses the connection with an SSL-required error before any query runs.
What this error means
A CI connection to Neon fails with "no pg_hba.conf entry for host ..., no encryption" or the driver reports the server requires SSL. It happens only against Neon, not a local Postgres.
psql: error: connection to server failed: FATAL: no pg_hba.conf entry for host
"10.0.0.5", user "neondb_owner", database "neondb", no encryptionCommon causes
The connection string omits sslmode=require
A URL copied without the SSL parameter tells the client to connect in plaintext, which Neon refuses.
The client library defaults TLS off
Some drivers default to no SSL unless configured, so even a correct host fails until TLS is enabled.
How to fix it
Add sslmode=require to the URL
- Append
?sslmode=require(or&sslmode=require) to DATABASE_URL. - For drivers that ignore the URL param, set the SSL option explicitly.
- Re-run the connection step.
DATABASE_URL=postgres://user:pass@ep-cool-123-pooler.us-east-2.aws.neon.tech/neondb?sslmode=requireEnable TLS in the client options
When the driver does not read the URL parameter, pass an ssl option so the handshake uses TLS.
new Pool({ connectionString: process.env.DATABASE_URL, ssl: { rejectUnauthorized: true } })How to prevent it
- Keep sslmode=require in every Neon connection string.
- Set the driver SSL option for libraries that ignore URL params.
- Test the connection string in CI, where the network path differs from local.