Skip to content
Latchkey

Neon "SSL connection required" (sslmode=require) in CI

Neon rejects any unencrypted connection. If DATABASE_URL omits sslmode=require or the client disables TLS, the server refuses the connection with an SSL-required error before any query runs.

What this error means

A CI connection to Neon fails with "no pg_hba.conf entry for host ..., no encryption" or the driver reports the server requires SSL. It happens only against Neon, not a local Postgres.

psql
psql: error: connection to server failed: FATAL:  no pg_hba.conf entry for host
"10.0.0.5", user "neondb_owner", database "neondb", no encryption

Common causes

The connection string omits sslmode=require

A URL copied without the SSL parameter tells the client to connect in plaintext, which Neon refuses.

The client library defaults TLS off

Some drivers default to no SSL unless configured, so even a correct host fails until TLS is enabled.

How to fix it

Add sslmode=require to the URL

  1. Append ?sslmode=require (or &sslmode=require) to DATABASE_URL.
  2. For drivers that ignore the URL param, set the SSL option explicitly.
  3. Re-run the connection step.
.github/workflows/ci.yml
DATABASE_URL=postgres://user:pass@ep-cool-123-pooler.us-east-2.aws.neon.tech/neondb?sslmode=require

Enable TLS in the client options

When the driver does not read the URL parameter, pass an ssl option so the handshake uses TLS.

db.js
new Pool({ connectionString: process.env.DATABASE_URL, ssl: { rejectUnauthorized: true } })

How to prevent it

  • Keep sslmode=require in every Neon connection string.
  • Set the driver SSL option for libraries that ignore URL params.
  • Test the connection string in CI, where the network path differs from local.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →