pg-native error, certificate could not be obtained, no SSL error reported

Hi there,

There are a few things that I could suggest here:

1. Make sure your connection string is properly configured to use SSL. You might want to include sslmode and other related options:

   const conString = "postgres://username:password@host:5432/dbname?sslmode=require";
   const client = new pg.native.Client(conString); client.connectSync();
   

2. Sometimes, the issue might be related to an outdated version of pg-native or the underlying libpq library. Update them to the latest stable version if they’re not already updated.

3. You may need to include the AWS RDS SSL root certificate in your connection configuration. You can download the RDS root certificate from the Amazon documentation.

   Here is an example of how you might include it in your connection:

   const conString = "postgres://username:password@host:5432/dbname?ssl=true&sslmode=require&sslrootcert=path/to/rds-combined-ca-bundle.pem";
   const client = new pg.native.Client(conString);
   client.connectSync();
   

If this still does not work, can you share the Node.js code snippet that you are using to establish the connection?

Alternatively, I could suggest using a Managed Postgres Database with DigitalOcean instead of an AWS RDS instance. This would also benefit the speed of your application as it will reduce the network latency for every single database connection that your application will make.

Best,

Bobby

After doing all sorts of deep dives and wasting about 10 hours on this, I finally figured out the issue: the OpenSSL version.

It turns out that OpenSSL 1.1.1 introduced TLS 1.3, which has a quirk about how & when the server’s certificate is presented to the client during a handshake. PostgresQL’s libpq interface calls the SSL_get_peer_certificate and expects a certificate to be presented, but the function returns NULL, which is why libpq throws that error. However, since it’s a timing issue and not an actual “error” as such, there’s no error code that gets returned; hence, the no SSL error reported message.

The reason I spent more hours than I needed to on this is that I was tearing my hair out trying to figure out why the psql command was working fine, as well as the OpenSSL handshake (the server was always presenting the certificate):

$ openssl s_client -connect x.x.x.x:5432 -servername dbserver.domain.com

My OpenSSL version on the server was quite recent as well:

$ openssl version
OpenSSL 3.5.1 1 Jul 2025 (Library: OpenSSL 3.5.1 1 Jul 2025)

But it turns out that Node.js embeds its own version of the OpenSSL libraries instead of depending on those provided by the system. When I upgraded my Node.js version to something v18.x or beyond, the connection started working magically.

I finally learned how to check the OpenSSL version that comes with a Node.js version:

$ node -p process.versions.openssl
1.1.1t

It turns out that every Node.js version from v8.x up until v18.x uses some version of OpenSSL v1.1.1, which is why this was happening. Node v18.x and beyond use OpenSSL v3.x, where this issue is fixed.

So, the solution is either to upgrade to Node.js v18.x+, or compile your own Node.js version that includes the 3.x version of OpenSSL.