Prisma fails to establish a secure TLS/SSL connection to your database, typically due to misconfigured connection string parameters, certificate validation issues, or incompatible SSL settings between your client and database server.
The P1011 error occurs when Prisma cannot successfully establish a TLS (Transport Layer Security) connection to your database. This is Prisma's way of indicating that the SSL/TLS handshake failed during the connection attempt. This error commonly appears when there's a mismatch between the TLS settings specified in your connection string and what the database server expects or supports. It can also occur when certificate validation fails, such as when using self-signed certificates without proper configuration, or when the database requires specific TLS versions or cipher suites that aren't compatible with your Prisma setup. For SQL Server databases, the error often relates to the `trustServerCertificate` and `encrypt` parameters. For PostgreSQL, it typically involves `sslmode` settings and certificate path configurations. The specific underlying cause varies by database provider and your security requirements.
First, examine your DATABASE_URL in your .env file or environment variables:
# Check your connection string
echo $DATABASE_URLLook for SSL/TLS related parameters. Common parameters include:
- PostgreSQL: sslmode, sslcert, sslrootcert
- SQL Server: encrypt, trustServerCertificate
- MySQL: sslmode, ssl-ca, ssl-cert
The absence or misconfiguration of these parameters is often the root cause.
If you're using SQL Server with a self-signed certificate or in a development environment, add trustServerCertificate=true:
# .env
DATABASE_URL="sqlserver://localhost:1433;database=mydb;trustServerCertificate=true;encrypt=true"For Azure SQL Database with properly signed certificates:
DATABASE_URL="sqlserver://myserver.database.windows.net:1433;database=mydb;trustServerCertificate=false;encrypt=true"Note: Only use trustServerCertificate=true when you trust the server or are in development. In production with proper certificates, use false.
PostgreSQL requires explicit SSL mode configuration. Update your connection string with the appropriate sslmode:
# .env - For databases that support SSL but don't require it
DATABASE_URL="postgresql://user:password@localhost:5432/mydb?sslmode=prefer"
# For databases that require SSL (like many cloud providers)
DATABASE_URL="postgresql://user:password@localhost:5432/mydb?sslmode=require"
# For databases requiring certificate verification
DATABASE_URL="postgresql://user:password@localhost:5432/mydb?sslmode=verify-ca&sslrootcert=./ca-certificate.crt"Available sslmode values (from least to most secure):
- disable: No SSL
- prefer: Try SSL, fall back to non-SSL
- require: Require SSL but don't verify certificates
- verify-ca: Require SSL and verify CA
- verify-full: Require SSL and verify hostname
For cloud database providers that require certificate verification, download the certificate bundle:
AWS RDS/Aurora:
# Download RDS certificate bundle
curl -o rds-ca-bundle.pem https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem
# Update connection string
DATABASE_URL="postgresql://user:[email protected]:5432/dbname?sslmode=require&sslrootcert=./rds-ca-bundle.pem"Google Cloud SQL:
# Download server-ca.pem from Cloud SQL instance
# Then reference it in your connection string
DATABASE_URL="postgresql://user:password@host:5432/db?sslmode=verify-ca&sslrootcert=./server-ca.pem"Ensure the certificate file is accessible to your application at runtime.
After updating your connection string, test the connection:
# Test database connection
npx prisma db pull --force
# Or run a migration to verify
npx prisma migrate dev --name test_connectionIf the CLI command succeeds, your TLS configuration is correct. If you still see P1011, review the error details for specific TLS failure reasons.
Some P1011 errors have been resolved in newer Prisma versions. Check your version and upgrade if needed:
# Check current version
npx prisma --version
# Update Prisma dependencies
npm install @prisma/client@latest prisma@latest
# Regenerate Prisma Client
npx prisma generateAfter upgrading, test your connection again. Some certificate authority and TLS protocol compatibility issues have been fixed in recent releases.
Development vs Production SSL Configuration
In development, you might be tempted to disable SSL verification entirely. While trustServerCertificate=true (SQL Server) or sslmode=disable (PostgreSQL) will work, avoid committing these settings to production configuration. Instead, use environment-specific connection strings.
SSH Tunnels and TLS
If you're connecting through an SSH tunnel, the TLS connection happens inside the tunnel. Some users report P1011 errors when Prisma attempts direct TLS while the tunnel already provides encryption. In these cases, you may need to use sslmode=disable or sslmode=prefer for the connection string, since the SSH tunnel itself provides the security layer.
Certificate Authority Updates
AWS RDS periodically updates certificate authorities. If you're using an older RDS CA certificate (like rds-ca-2019), and AWS has rotated to newer CAs (like rds-ca-ecc384-g1), you may encounter P1011 errors. Always use the latest certificate bundle from your provider.
Prisma CLI vs Generated Client
There's a known difference between how the Prisma CLI and the generated client handle certificates:
- Prisma CLI: Can use sslcert= parameter or sslrootcert= if OS trusts the certificate
- Generated client with adapters (like @prisma/adapter-pg): Must use sslrootcert= parameter
If you see different behavior between npx prisma migrate and your application runtime, check that both are using compatible SSL parameters.
Security Warning
Never use sslaccept=accept_invalid_certs in production. This parameter disables all certificate validation and makes your connection vulnerable to man-in-the-middle attacks. Only use it temporarily in development to diagnose issues, then implement proper certificate validation.
P1013: The provided database string is invalid
The provided database string is invalid
P1000: Authentication failed against database server
Authentication failed against database server
P1010: User was denied access on the database
How to fix "P1010: User was denied access on the database" in Prisma
P5008: Usage exceeded, upgrade your plan (Accelerate)
How to fix "Usage exceeded, upgrade your plan" in Prisma Accelerate
P3021: Foreign keys cannot be created on this database
How to fix 'P3021: Foreign keys cannot be created on this database' in Prisma