PostgreSQL fails to start when ssl = on is set but the server certificate (server.crt by default) or its private key (server.key) is missing, unreadable, too permissive, or does not belong to the certificate. Because the failure happens during startup, no connections at all, SSL or plain, can be made until it is fixed. Make sure the files exist at the configured paths, are PEM-encoded, and have ownership and permissions PostgreSQL accepts.
When SSL/TLS is enabled (ssl = on in postgresql.conf), the postmaster loads the server certificate (ssl_cert_file, default server.crt) and private key (ssl_key_file, default server.key) during startup; relative paths are resolved against the data directory. If a file cannot be found or read, if the key's permissions are too open, or if the key does not match the certificate, startup aborts with the certificate or key load error. The server certificate is what lets clients negotiate TLS, so it is mandatory whenever ssl = on. This is a startup failure, not a runtime error: the whole database is unavailable until it is resolved. (On PostgreSQL 10 and later the SSL files are also re-read on a configuration reload; a broken file at reload time is logged and the previous SSL configuration stays in effect, so a reload does not take a running server down.)
If SSL is not needed for your deployment, the quickest fix is to turn it off:
ssl = off
Edit postgresql.conf and set ssl = off, then restart PostgreSQL. The file normally lives in the data directory (PGDATA, for example /var/lib/postgresql/data in the official Docker image); Debian and Ubuntu packages keep it under /etc/postgresql/<version>/main/ instead, separate from PGDATA. Only do this where the consequences are understood: with ssl = off, passwords and query traffic cross the network in cleartext, and any hostssl lines in pg_hba.conf stop matching, so remote clients may be rejected or silently downgraded to unencrypted connections. It is appropriate for development, or for hosts where clients connect over the local Unix socket or are already protected by another layer such as a VPN or an encrypting proxy.
Check that server.crt and server.key exist where PostgreSQL expects them (the data directory by default; relative ssl_cert_file and ssl_key_file values are resolved against it):
ls -la /var/lib/postgresql/data/server.crt
ls -la /var/lib/postgresql/data/server.key
If custom paths are configured, check the active ssl_cert_file and ssl_key_file values in postgresql.conf (and in postgresql.auto.conf if they were set with ALTER SYSTEM):
grep "ssl_cert_file\|ssl_key_file" /var/lib/postgresql/data/postgresql.conf
If the files do not exist, generate a self-signed certificate or restore the originals from backup (steps below).
If no certificate exists, create a self-signed certificate valid for 365 days. Replace dbhost.yourdomain.com with the hostname clients will connect to. The -nodes option leaves the private key unencrypted, which PostgreSQL requires unless ssl_passphrase_command is configured:
openssl req -new -x509 -days 365 -nodes -text -out server.crt \
-keyout server.key -subj "/CN=dbhost.yourdomain.com"
On Linux/macOS, run this in a temporary directory, then move the files into PGDATA:
mv server.crt /var/lib/postgresql/data/
mv server.key /var/lib/postgresql/data/
If clients will use sslmode=verify-full, note that libpq 12 and later match the hostname against the certificate's subjectAltName entries and fall back to the CN only when no SAN is present, so adding a DNS SAN for the hostname avoids surprises with newer clients. For PostgreSQL in Docker, run the command inside the container, or generate the files on the host and mount them in.
PostgreSQL enforces the permissions of the private key; it does not check the certificate, which is public data. Set ownership and mode:
sudo chown postgres:postgres /var/lib/postgresql/data/server.crt
sudo chown postgres:postgres /var/lib/postgresql/data/server.key
sudo chmod 600 /var/lib/postgresql/data/server.crt
sudo chmod 600 /var/lib/postgresql/data/server.key
The key must be owned by the OS user the server runs as (normally postgres) with no group or world access (0600 or stricter). Since PostgreSQL 11 the key may alternatively be owned by root with mode 0640 or stricter, which lets several services share one key through a group; any other owner, or any world access, makes startup fail with a permissions error on the key file. Giving server.crt 0600 as well is harmless and keeps the setup simple.
Ensure both files are PEM (Base64 text between BEGIN/END header lines), not DER or another binary format. Note that openssl's -text option, used above, prepends a human-readable dump before the PEM block, so the certificate does not necessarily start on line 1; look for the header anywhere in the file:
grep -n -- "-----BEGIN" /var/lib/postgresql/data/server.crt
Should output a line containing:
-----BEGIN CERTIFICATE-----
For server.key the header depends on how the key was written: PKCS#8 keys use -----BEGIN PRIVATE KEY-----, traditional OpenSSL keys use -----BEGIN RSA PRIVATE KEY----- or -----BEGIN EC PRIVATE KEY-----; all of these are accepted. A -----BEGIN ENCRYPTED PRIVATE KEY----- header (or a Proc-Type: 4,ENCRYPTED line) means the key is passphrase-protected and will not load at startup unless ssl_passphrase_command is configured. If a file is binary or corrupted, regenerate it with the openssl command above.
Ensure postgresql.conf points at the right files. The defaults (server.crt and server.key) are relative to the data directory; list the active SSL settings with:
grep -E "^ssl" /var/lib/postgresql/data/postgresql.conf
If you use custom locations, give absolute paths and make sure every directory on the path is traversable by the postgres user:
ssl = on
ssl_cert_file = '/var/lib/postgresql/data/server.crt'
ssl_key_file = '/var/lib/postgresql/data/server.key'
After editing, restart PostgreSQL (on PostgreSQL 10 and later a configuration reload is sufficient):
sudo systemctl restart postgresql
# or for Docker:
docker restart <container_id>
Certificate Authority (CA) chains: if the server certificate is issued by a CA, server.crt should contain the chain in order: the server's own (leaf) certificate first, followed by any intermediate CA certificates. Clients using sslmode=verify-ca or verify-full otherwise cannot build a trust path. Do not confuse this with ssl_ca_file, which names the CAs trusted for verifying client certificates, not the server's own chain. The private key in server.key must correspond to the leaf certificate in server.crt; if it does not, PostgreSQL refuses to start with a key check failure.
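The checks described on this page (file present, PEM format, key permissions, key matches certificate, leaf-first chain order) can be run in one go before restarting the server. The following script is an added example written for this page; it is not part of PostgreSQL or its documentation. It assumes GNU coreutils stat (macOS would need stat -f) and a POSIX sh, and skips the openssl-based checks when openssl is not on PATH. The default paths and the OS user postgres are the assumptions used elsewhere on this page; pass your own as arguments.

```shell
#!/bin/sh
# Added example: pre-flight check of PostgreSQL's server.crt / server.key before (re)starting.
# Mirrors what PostgreSQL checks at startup (file present, PEM, key permissions, key matches
# certificate) plus the leaf-first rule for CA chains. Assumes GNU coreutils `stat -c`
# (Linux); on macOS use `stat -f '%Lp'` and `stat -f '%Su'` instead. openssl checks are
# skipped when the openssl binary is not available.

# Print the label of the first PEM block ("CERTIFICATE", "PRIVATE KEY", ...); fail if none.
# The block need not start on line 1: `openssl req -text` prepends a readable dump.
pem_type() {
    tr -d '\r' < "$1" | sed -n '/^-----BEGIN /{s/^-----BEGIN \(.*\)-----$/\1/p;q;}' | grep .
}

check_cert_pem() {
    [ -r "$1" ] || { echo "FAIL: $1 is missing or unreadable"; return 1; }
    t=$(pem_type "$1") || { echo "FAIL: $1 has no PEM block (DER/binary or corrupt?)"; return 1; }
    [ "$t" = "CERTIFICATE" ] || { echo "FAIL: $1 has PEM type '$t', expected CERTIFICATE"; return 1; }
    echo "ok: $1 is a PEM certificate"
}

check_key_pem() {
    [ -r "$1" ] || { echo "FAIL: $1 is missing or unreadable"; return 1; }
    t=$(pem_type "$1") || { echo "FAIL: $1 has no PEM block (DER/binary or corrupt?)"; return 1; }
    # PostgreSQL cannot open a passphrase-protected key unless ssl_passphrase_command is set.
    if [ "$t" = "ENCRYPTED PRIVATE KEY" ] || grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo "FAIL: $1 is passphrase-protected; regenerate with -nodes or set ssl_passphrase_command"
        return 1
    fi
    case $t in
        *"PRIVATE KEY") echo "ok: $1 is a PEM $t" ;;
        *) echo "FAIL: $1 has PEM type '$t', expected a private key"; return 1 ;;
    esac
}

# PostgreSQL's rule for the key file (the certificate is not checked): owned by the database
# OS user with no group/world bits (0600 or less), or owned by root with at most group read
# (0640 or less, PostgreSQL 11+). $2 is the OS user the server runs as.
check_key_perms() {
    key=$1; dbuser=$2
    [ -f "$key" ] || { echo "FAIL: $key is not a regular file"; return 1; }
    owner=$(stat -c '%U' "$key")
    octal=$(stat -c '%a' "$key")
    mode=$(( 0$octal ))   # leading 0: sh arithmetic parses the digits as octal
    if [ "$owner" = "$dbuser" ]; then
        [ $(( mode & 077 )) -eq 0 ] || { echo "FAIL: $key mode $octal has group/world access; need 0600"; return 1; }
    elif [ "$owner" = root ]; then
        [ $(( mode & 037 )) -eq 0 ] || { echo "FAIL: root-owned $key mode $octal; need 0640 or less"; return 1; }
    else
        echo "FAIL: $key owned by $owner; must be owned by $dbuser or root"; return 1
    fi
    echo "ok: $key permissions acceptable (owner $owner, mode $octal)"
}

# The public key embedded in the certificate must equal the public half of the private key.
check_key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || { echo "FAIL: cannot parse $1"; return 1; }
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || { echo "FAIL: cannot parse $2"; return 1; }
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || { echo "FAIL: $2 does not match $1"; return 1; }
    echo "ok: private key matches certificate"
}

# For a CA chain the file must start with the leaf: the issuer of certificate 1 has to be the
# subject of certificate 2. A file with a single (e.g. self-signed) certificate passes.
check_chain_order() {
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1")
    [ "$n" -gt 1 ] || { echo "ok: one certificate in $1 (no chain)"; return 0; }
    issuer=$(awk '/-----BEGIN CERTIFICATE-----/{c++} c==1' "$1" | openssl x509 -noout -issuer)
    subject=$(awk '/-----BEGIN CERTIFICATE-----/{c++} c==2' "$1" | openssl x509 -noout -subject)
    [ -n "$issuer" ] && [ -n "$subject" ] || { echo "FAIL: cannot parse certificates in $1"; return 1; }
    [ "${issuer#issuer=}" = "${subject#subject=}" ] || { echo "FAIL: $1 is not leaf-first ($issuer vs $subject)"; return 1; }
    echo "ok: $n certificates, leaf first"
}

# Usage: check_ssl_files CRT KEY [DBUSER]. Defaults are assumptions (paths from this page, user postgres).
check_ssl_files() {
    crt=${1:-/var/lib/postgresql/data/server.crt}
    key=${2:-/var/lib/postgresql/data/server.key}
    dbuser=${3:-postgres}
    rc=0
    check_cert_pem "$crt" || rc=1
    check_key_pem "$key" || rc=1
    check_key_perms "$key" "$dbuser" || rc=1
    if command -v openssl >/dev/null 2>&1; then
        check_key_matches_cert "$crt" "$key" || rc=1
        check_chain_order "$crt" || rc=1
    else
        echo "skip: openssl not on PATH; key/certificate match and chain order not checked"
    fi
    return $rc
}

if [ "$#" -ge 2 ]; then check_ssl_files "$@"; fi
```

Run it as root or as the postgres user (sh check_ssl.sh /var/lib/postgresql/data/server.crt /var/lib/postgresql/data/server.key postgres); a non-zero exit means at least one FAIL line was printed, and each FAIL names the fix. The permission check deliberately reproduces both of PostgreSQL's accepted cases (database-user 0600, root 0640) rather than a blanket "must be 0600" so that root-owned shared keys are not reported as broken.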
For production systems, use certificates from your organization's CA or a public CA such as Let's Encrypt. Self-signed certificates are fine for development and testing, but clients using sslmode=verify-ca or verify-full will reject them unless the certificate itself (or the private CA that signed it) is installed in the client's root.crt; with sslmode=require they are accepted without verification, which protects against passive eavesdropping but not against an active man-in-the-middle.
Docker deployments: if running PostgreSQL in Docker, either mount pre-generated certificates as volumes or generate them in an initialization script. The official image runs the server as the postgres user (uid 999), so a mounted server.key must be owned by that uid with mode 0600, or owned by root with mode 0640 (PostgreSQL 11+); a key owned by your host user fails the ownership check even though it is readable. Keep PGDATA itself at mode 700 (or 750 with group ownership on PostgreSQL 11+) and the key file at 600.
Rootless PostgreSQL: if running PostgreSQL without root privileges (rootless containers or unprivileged systemd services), make sure the uid the server actually runs as (which may be remapped in rootless containers) both owns and can read the key file; the root-owned 0640 alternative is not available when nothing in the container runs as root.
SSL mode compatibility: clients negotiate SSL according to their sslmode (disable, allow, prefer, require, verify-ca, verify-full). A server certificate that loads correctly can still be rejected by verify-ca or verify-full clients if it is self-signed or its hostname does not match. Test with psql over TCP, passing -h, because Unix-socket connections never use SSL; when negotiation succeeds psql prints an "SSL connection (protocol: ..., cipher: ...)" banner, and adding sslmode=require to the connection string turns a silent fallback to plaintext into a hard error.