Certificate issue with convex self hosting with postgres
🪲Bug Report❔Advice
Description
I am setting up the self-hosted Docker image (ghcr.io/get-convex/convex-backend:latest) and I am trying to connect to a self hosted, native PostgreSQL instance running on the same server and subnet
My issue is that i cannot seem to connec to TLS / certificate issues. The Convex backend consistently refuses any connection due to a TLS handshake error (UnknownIssuer),
I have attempted to disable SSL on the client side and enforce plain-text on the server side, but the Convex backend appears to force a strict TLS handshake that cannot be bypassed.
Steps to Reproduce
Run ghcr.io/get-convex/convex-backend:latest via Docker Compose.
Set POSTGRES_URL to an external Postgres instance (e.g., postgres://user:pass@192.168.1.50:5432) that uses a self-signed certificate.
Error Logs
convex-backend | 2025-12-06T00:08:42.420497Z INFO postgres::connection: Postgres connection pool max size 128
convex-backend | 2025-12-06T00:08:42.459838Z ERROR common::errors: Caught error error ... error performing TLS handshake: invalid peer certificate: UnknownIssuer: invalid peer certificate: UnknownIssuer
convex-backend | Error: error performing TLS handshake: invalid peer certificate: UnknownIssuer
Attempted Fixes (All Failed)
I have tried the following configurations to bypass this, but the error persists identically:
First attempt as per the README
Environment Variable: Set DO_NOT_REQUIRE_SSL=1 in docker-compose.yml.
Other attempts on postgres side:
Connection String: Appended ?sslmode=disable to POSTGRES_URL.
Postgres Config: Configured pg_hba.conf on the server with hostnossl all all 0.0.0.0/0 md5 to force plain text.
Expected Behavior
Correct connection via plain text without attempting TLS.
Has anyone experienced this issue before?
I am setting up the self-hosted Docker image (ghcr.io/get-convex/convex-backend:latest) and I am trying to connect to a self hosted, native PostgreSQL instance running on the same server and subnet
My issue is that i cannot seem to connec to TLS / certificate issues. The Convex backend consistently refuses any connection due to a TLS handshake error (UnknownIssuer),
I have attempted to disable SSL on the client side and enforce plain-text on the server side, but the Convex backend appears to force a strict TLS handshake that cannot be bypassed.
Steps to Reproduce
Run ghcr.io/get-convex/convex-backend:latest via Docker Compose.
Set POSTGRES_URL to an external Postgres instance (e.g., postgres://user:pass@192.168.1.50:5432) that uses a self-signed certificate.
Error Logs
convex-backend | 2025-12-06T00:08:42.420497Z INFO postgres::connection: Postgres connection pool max size 128
convex-backend | 2025-12-06T00:08:42.459838Z ERROR common::errors: Caught error error ... error performing TLS handshake: invalid peer certificate: UnknownIssuer: invalid peer certificate: UnknownIssuer
convex-backend | Error: error performing TLS handshake: invalid peer certificate: UnknownIssuer
Attempted Fixes (All Failed)
I have tried the following configurations to bypass this, but the error persists identically:
First attempt as per the README
Environment Variable: Set DO_NOT_REQUIRE_SSL=1 in docker-compose.yml.
Other attempts on postgres side:
Connection String: Appended ?sslmode=disable to POSTGRES_URL.
Postgres Config: Configured pg_hba.conf on the server with hostnossl all all 0.0.0.0/0 md5 to force plain text.
Expected Behavior
Correct connection via plain text without attempting TLS.
Has anyone experienced this issue before?
