Configure SSL Mode

We enforce mandatory SSL encryption on our endpoint (this is called sslmode=require in libpq terminology). Note that this protects you against eavesdropping, but not against MITM attacks, since PostgreSQL clients by default don't verify the server certificate; verification only happens with sslmode=verify-ca or sslmode=verify-full.

In some cases your client may require full verification of the certificate presented by Splitgraph, e.g. with sslmode=require or sslmode=verify-ca.

You will need to trust the Root CA, and in some cases you may need to generate a self-signed cert for yourself.

You can download the Root CA (we use Let's Encrypt) here:

If you're using psql, you can download this file into ~/.postgresql/root.crt and specify sslmode=verify-ca in the connection URI, e.g.:

psql "postgres://$USERNAME:$"

Alternatively, you can download the root cert to a folder of your choice and include that location in the connection URI, e.g. download it to ~/.splitgraph/ and then connect via:

psql "postgres://$USERNAME:$$HOME/.splitgraph/"

Getting the certificate with openssl

You can also get the root certificate using openssl. First, verify the certificate by running:

echo | openssl s_client -starttls postgres -connect -showcerts

You can then get the certificate by running:

echo | openssl s_client -starttls postgres -connect  2>/dev/null | openssl x509 > ~/.splitgraph/

On pre-1.1.1 versions of s_client, which don't support -starttls postgres, you can get the server's certificate over HTTPS instead, since it presents the same certificate there:

echo | openssl s_client -connect  2>/dev/null | openssl x509
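
What -starttls postgres and the sslmode values discussed above amount to on the wire, as an added Python example (not Splitgraph's or libpq's code). The function names are hypothetical, the ssl contexts only approximate libpq's modes, and host, port and cafile are supplied by the caller:

```python
import socket
import ssl
import struct

# PostgreSQL SSLRequest message: int32 length (8) + int32 request code 80877103.
SSL_REQUEST = struct.pack("!II", 8, 80877103)


def context_for(sslmode, cafile=None):
    """Build an ssl.SSLContext approximating a libpq sslmode (assumed mapping)."""
    if sslmode == "require":
        # Encrypts the session but accepts any certificate: no MITM protection.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    if sslmode not in ("verify-ca", "verify-full"):
        raise ValueError("unsupported sslmode: %r" % sslmode)
    # Chain must validate against cafile (or the system trust store if None).
    ctx = ssl.create_default_context(cafile=cafile)
    # verify-full additionally checks that the certificate matches the host name.
    ctx.check_hostname = sslmode == "verify-full"
    return ctx


def starttls_postgres(sock):
    """Send SSLRequest; True if the server answers 'S' (TLS), False on 'N'."""
    sock.sendall(SSL_REQUEST)
    reply = sock.recv(1)
    if reply == b"S":
        return True
    if reply == b"N":
        return False
    raise ConnectionError("unexpected SSLRequest reply: %r" % reply)


def peer_cert_der(host, port, sslmode, cafile=None):
    """Connect, upgrade to TLS under the given sslmode, return the server cert (DER)."""
    ctx = context_for(sslmode, cafile)
    with socket.create_connection((host, port), timeout=10) as raw:
        if not starttls_postgres(raw):
            raise ConnectionError("server refused TLS")
        # With verify-ca/verify-full the handshake raises
        # ssl.SSLCertVerificationError on an untrusted or mismatched certificate.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)
```

A handshake that succeeds under "require" but fails under "verify-full" against the same endpoint points at a trust-store or host-name problem (or an interposed certificate), which is the gap the verifying modes close.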