Error: failed to configure TLS (unable to add CA to cert pool)

[nemirlev]

Describe the bug
When setting sslmode=disable in the connection string, I still encounter an error related to TLS configuration. I am using PostgreSQL 16 with the standard Docker image. The error message is:

"Unable to parse config: cannot parse host=localhost port=5432 dbname=postgres user=postgres password=xxxxx target_session_attrs=read-write sslmode=disable: failed to configure TLS (unable to add CA to cert pool)"

Despite explicitly setting sslmode=disable in the connection string, the error persists.

To Reproduce

package main

import (
	"context"
	"fmt"
	"github.com/jackc/pgx/v5"
	"os"
)

const (
	host     = "localhost"
	port     = 5432
	user     = "postgres"
	password = "postgres"
	dbname   = "postgres"
)

func main() {

	connstring := fmt.Sprintf(
		"host=%s port=%d dbname=%s user=%s password=%s target_session_attrs=read-write sslmode=disable",
		host, port, dbname, user, password)

	connConfig, err := pgx.ParseConfig(connstring)
	if err != nil {
		fmt.Fprintf(os.Stderr, "Unable to parse config: %v\n", err)
		os.Exit(1)
	}

	conn, err := pgx.ConnectConfig(context.Background(), connConfig)
	if err != nil {
		fmt.Fprintf(os.Stderr, "Unable to connect to database: %v\n", err)
		os.Exit(1)
	}

	defer conn.Close(context.Background())

	var version string

	err = conn.QueryRow(context.Background(), "select version()").Scan(&version)
	if err != nil {
		fmt.Fprintf(os.Stderr, "QueryRow failed: %v\n", err)
		os.Exit(1)
	}

	fmt.Println(version)
}

services:
  postgres:
    image: postgres:16
    environment:
      POSTGRES_USER: postgres
      POSTGRES_PASSWORD: postgres
      POSTGRES_DB: postgres
    ports:
        - "5432:5432"
    volumes:
      - bd_data:/var/lib/postgresql/data

  redis:
    image: redis:latest
    ports:
      - "6379:6379"
  migrate:
    image: migrate/migrate
    volumes:
      - ./migrations:/migrations
    depends_on:
      - postgres
    command: ["-path", "/migrations", "-database", "postgresql://postgres:postgres@postgres:5432/postgres?sslmode=disable", "up"]
volumes:
    bd_data:
    redis_data:

Please run your example with the race detector enabled. For example, go run -race main.go or go test -race.

go run -race connect.go
Unable to parse config: cannot parse `host=localhost port=5432 dbname=postgres user=postgres password=xxxxx target_session_attrs=read-write sslmode=disable`: failed to configure TLS (unable to add CA to cert pool)
exit status 1

Expected behavior
The connection should be established without attempting to configure TLS when sslmode=disable is set.

Actual behavior
The connection attempt fails with the error: "failed to configure TLS (unable to add CA to cert pool)".

Version

• Go: go1.23.1 darwin/arm64
• PostgreSQL: PostgreSQL 16.3 (Debian 16.3-1.pgdg120+1) on aarch64-unknown-linux-gnu, compiled by gcc (Debian 12.2.0-14) 12.2.0, 64-bit
• pgx: github.com/jackc/pgx/v5 v5.7.1

[jackc]

I ran your example.

jack@glados ~/dev/pgx_issues/pgx-2132 ±master⚡ » go run .
PostgreSQL 16.3 (Homebrew) on aarch64-apple-darwin23.4.0, compiled by Apple clang version 15.0.0 (clang-1500.3.9.4), 64-bit

It works for me. Maybe there is something in the environment?

[nemirlev]

This is very strange, I have used the library before and had no issues. After your message, I created a separate, new project to definitively avoid any possible side effects, but it still doesn't work.

[jackc]

I would suggest printing out the environment from within your program and seeing if there is anything unexpected, especially PG* variables.

If that doesn't yield anything, I don't know anything else to try besides stepping through with a debugger.

[exgao]

Hi @nemirlev,
Can you try explicitly setting sslrootcert to '' and seeing if it helps? I ran into the same issue so I compared the code from the two minor versions. It seems like if you have a path set for sslrootcert, it will validate the cert directory even if sslmode=disable is set.

Side note: I know you haven't explicitly set sslrootcert in your code here, but it's possible that it's picking up a default value from somewhere (snippet of the default logic provided below)

		sslrootcert := filepath.Join(user.HomeDir, ".postgresql", "root.crt")
		if _, err := os.Stat(sslrootcert); err == nil {
			settings["sslrootcert"] = sslrootcert
		}

[nemirlev]

@exgao Thank you for your comment, it really helped solve the problem. In my code, sslrootcert was not explicitly set anywhere, and I even tried running a blank project to ensure that no dependencies were affecting it. Your advice to set sslrootcert='' resolved the issue. I appreciate your help!

package main

import (
	"context"
	"fmt"
	"github.com/jackc/pgx/v5"
	"os"
)

const (
	host     = "localhost"
	port     = 5432
	user     = "postgres"
	password = "postgres"
	dbname   = "postgres"
)

func main() {

	connstring := fmt.Sprintf(
		"host=%s port=%d dbname=%s user=%s password=%s target_session_attrs=read-write sslmode=disable sslrootcert=''",
		host, port, dbname, user, password)

	connConfig, err := pgx.ParseConfig(connstring)
	if err != nil {
		fmt.Fprintf(os.Stderr, "Unable to parse config: %v\n", err)
		os.Exit(1)
	}

	conn, err := pgx.ConnectConfig(context.Background(), connConfig)
	if err != nil {
		fmt.Fprintf(os.Stderr, "Unable to connect to database: %v\n", err)
		os.Exit(1)
	}

	defer conn.Close(context.Background())

	var version string

	err = conn.QueryRow(context.Background(), "select version()").Scan(&version)
	if err != nil {
		fmt.Fprintf(os.Stderr, "QueryRow failed: %v\n", err)
		os.Exit(1)
	}

	fmt.Println(version)
}