Skip to main content
This guide helps you diagnose and resolve common SSL/TLS database connection issues in CreditNexus.

Quick Diagnostics

Check SSL Status

Use the health endpoint to check SSL connection status:
Expected response for healthy SSL connection:

Validate Configuration

Check SSL configuration programmatically:

Common Issues and Solutions

Issue 1: SSL Connection Failed

Error Message:
Possible Causes:
  1. PostgreSQL server doesn’t have SSL enabled
  2. SSL mode mismatch between client and server
  3. Certificate files are missing or inaccessible
  4. Network/firewall blocking SSL connections
Solutions:
  1. Verify PostgreSQL SSL is enabled:
  2. Check PostgreSQL configuration:
  3. Verify certificate files exist:
  4. Check certificate permissions:
  5. Test with psql:

Issue 2: Certificate Verification Failed

Error Message:
Possible Causes:
  1. CA certificate doesn’t match server certificate
  2. Certificate has expired
  3. Certificate chain is incomplete
  4. Hostname mismatch (for verify-full mode)
Solutions:
  1. Verify CA certificate path:
  2. Check certificate expiration:
  3. Verify certificate matches server:
  4. Check certificate chain:
  5. Try verify-ca mode (for testing):
  6. Check hostname in certificate:

Issue 3: Connection Timeout with SSL

Error Message:
Possible Causes:
  1. Network connectivity issues
  2. Firewall blocking SSL connections
  3. PostgreSQL not listening on SSL port
  4. SSL handshake failing
Solutions:
  1. Test network connectivity:
  2. Check firewall rules:
  3. Verify PostgreSQL is listening:
  4. Test SSL handshake:
  5. Check PostgreSQL logs:

Issue 4: SSL Required but Not Available

Error Message:
Possible Causes:
  1. PostgreSQL server doesn’t support SSL
  2. SSL mode is set to disable
  3. Connection falling back to non-SSL
Solutions:
  1. Check SSL requirement setting:
  2. Verify SSL mode:
  3. Check PostgreSQL SSL support:
  4. Temporarily allow fallback (for debugging):

Issue 5: Auto-Generation Failed

Error Message:
Possible Causes:
  1. Certificate directory doesn’t exist
  2. Insufficient permissions
  3. Disk space full
  4. Certificate generation library missing
Solutions:
  1. Check certificate directory:
  2. Fix permissions:
  3. Check disk space:
  4. Verify cryptography library:
  5. Manually generate certificates:

Issue 6: Client Certificate Issues (Mutual TLS)

Error Message:
Possible Causes:
  1. Client certificate not provided
  2. Certificate and key mismatch
  3. Certificate not signed by CA
  4. Certificate expired
Solutions:
  1. Verify both certificate and key are provided:
  2. Check certificate and key match:
  3. Verify certificate is signed by CA:
  4. Check certificate expiration:

Debugging Commands

PostgreSQL SSL Status

Certificate Inspection

Connection Testing

Configuration Validation

Logging and Monitoring

Enable Debug Logging

Check Application Logs

Monitor SSL Health

Performance Issues

SSL Handshake Overhead

SSL adds minimal overhead (~1-2ms per connection). If experiencing performance issues:
  1. Use connection pooling:
    • SSL connections are reused in the pool
    • Reduces handshake overhead
  2. Check connection pool settings:
  3. Monitor connection times:

Getting Help

If you’re still experiencing issues:
  1. Collect diagnostic information:
  2. Check application logs:
    • Look for SSL-related error messages
    • Check stack traces for connection failures
  3. Review documentation:
  4. Contact support:
    • Include diagnostic information
    • Provide error messages and logs
    • Describe steps to reproduce

Prevention

To avoid SSL issues:
  1. Validate configuration before deployment
  2. Test SSL connections in staging first
  3. Monitor certificate expiration dates
  4. Use automated certificate rotation
  5. Regular health checks
  6. Keep certificates secure and backed up

Additional Resources