
TLS with PgBouncer for QuestDB. Server refused SSL


I am trying to set up TLS with pgbouncer in front of QuestDB Open Source.

My pgbouncer.ini looks like this:

[databases]
questdb = host=127.0.0.1 port=8812 dbname=questdb user=admin password=quest

[pgbouncer]
listen_addr = 127.0.0.1
listen_port = 5432
auth_type = trust
auth_file = /Users/j/prj/misc/pgbouncer/userlist.txt

client_tls_sslmode = require
client_tls_key_file = /Users/j/prj/misc/pgbouncer/pgbouncer.key
client_tls_cert_file = /Users/j/prj/misc/pgbouncer/pgbouncer.crt
client_tls_ca_file = /etc/ssl/cert.pem

server_tls_sslmode = require
logfile = /Users/j/prj/misc/pgbouncer/pgbouncer.log
pidfile = /Users/j/prj/misc/pgbouncer/pgbouncer.pid

Then I start it via pgbouncer ./pgbouncer.ini. All good until I try

psql "host=127.0.0.1 port=5432 dbname=questdb user=admin sslmode=require"

When I enter the password, I get this error:

2025-05-22 13:59:32.620 CEST [56119] LOG C-0x120030010: questdb/admin@127.0.0.1:54687 login attempt: db=questdb user=admin tls=TLSv1.3/TLS_AES_256_GCM_SHA384 replication=no
2025-05-22 13:59:32.620 CEST [56119] LOG S-0x120040010: questdb/admin@127.0.0.1:8812 new connection to server (from 127.0.0.1:54690)
2025-05-22 13:59:32.621 CEST [56119] LOG S-0x120040010: questdb/admin@127.0.0.1:8812 closing because: server refused SSL (age=0s)

Solution

  • For QuestDB Enterprise, there is native TLS support, so you could just connect directly or, if you want pgbouncer in the middle, via pgbouncer with your config. But QuestDB Open Source does not implement TLS on the pg-wire protocol, so TLS termination needs to be done at the pgbouncer level.

    What this means is that you should change server_tls_sslmode = require to server_tls_sslmode = disable.

    This will make your psql connect using TLS to pgbouncer, but pgbouncer will connect without TLS to your questdb instance. Please note that traffic will be unencrypted between pgbouncer and questdb.
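A small audit helper, added here as an example and not part of the post, of QuestDB or of PgBouncer: it parses a pgbouncer.ini (a constructed copy of the one in the question, paths dropped) and reports the TLS posture of each hop, flagging the server_tls_sslmode=require mismatch against a backend with no TLS (the "server refused SSL" case above) and a plaintext backend hop that leaves loopback. The backend_supports_tls map and the parse_backend helper are assumptions, not PgBouncer features.

```python
import configparser
import ipaddress

# Constructed sample mirroring the pgbouncer.ini in the question (paths dropped).
SAMPLE_INI = """
[databases]
questdb = host=127.0.0.1 port=8812 dbname=questdb user=admin password=quest

[pgbouncer]
listen_addr = 127.0.0.1
listen_port = 5432
client_tls_sslmode = require
server_tls_sslmode = require
"""

TLS_MODES = ("require", "verify-ca", "verify-full")

def parse_backend(dsn):
    """Hypothetical helper: split 'host=... port=...' into a dict."""
    return dict(kv.split("=", 1) for kv in dsn.split())

def audit_pgbouncer(ini_text, backend_supports_tls):
    """Report TLS findings for both hops: client -> pgbouncer, pgbouncer -> backend.

    backend_supports_tls maps database name -> bool. QuestDB Open Source has no
    TLS on pgwire, so its entry is False (an assumption supplied by the caller).
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    pgb = cfg["pgbouncer"]
    client_mode = pgb.get("client_tls_sslmode", "disable")
    server_mode = pgb.get("server_tls_sslmode", "disable")
    findings = []
    if client_mode not in TLS_MODES:
        findings.append(f"client hop: client_tls_sslmode={client_mode} admits plaintext clients")
    for name, dsn in cfg["databases"].items():
        host = parse_backend(dsn).get("host", "")
        if server_mode in TLS_MODES and not backend_supports_tls.get(name, True):
            # This is the mismatch behind the 'server refused SSL' log line.
            findings.append(f"{name}: server_tls_sslmode={server_mode} but backend has no TLS")
        elif server_mode == "disable":
            try:
                on_loopback = ipaddress.ip_address(host).is_loopback
            except ValueError:
                on_loopback = host == "localhost"
            if not on_loopback:
                findings.append(f"{name}: backend hop to {host} is plaintext off-host")
    return findings
```

Running it on the original config returns the refused-SSL finding; after changing server_tls_sslmode to disable it returns nothing for a loopback backend, and a plaintext finding once the backend host is no longer local.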