TLS error with self-hosted database despite sslmode=disable (CLI 2.75.0) - regression of #4288 #4839

@anthonyg2003

Describe the bug
I'm experiencing a TLS connection error when using supabase db push and other supabase commands with a self-hosted Supabase instance, despite specifying sslmode=disable in the connection string. This appears to be a regression of the issue reported in #4288, which was marked as resolved.

When running database commands without the --debug flag, the CLI fails with:

failed to connect to postgres: failed to connect to `host=<my database's local ip> user=supabase_admin database=postgres`: tls error (server refused TLS connection)

However, the exact same command succeeds when the --debug flag is added.

To Reproduce
Steps to reproduce the behavior:

  1. Set up a self-hosted Supabase instance with PostgreSQL exposed directly (not through Supavisor)

  2. Run the following command:

supabase db push --db-url "postgresql://supabase_admin:<password>@<ip>:5433/postgres?sslmode=disable"

  3. Observe the TLS error

  4. Run the same command with --debug:

supabase db push --db-url "postgresql://supabase_admin:password@<ip>:5433/postgres?sslmode=disable" --debug

  5. Observe that it succeeds

Expected behavior
The command should respect the sslmode=disable parameter and connect successfully without requiring the --debug flag.

Actual Behavior

  • Without --debug: Fails with "tls error (server refused TLS connection)"
  • With --debug: Works perfectly, connects and applies migrations successfully

The CLI appears to ignore the sslmode=disable parameter unless the --debug flag is present.

Screenshots
NA

System information
Rerun the failing command with --create-ticket flag.

  • Ticket ID: 1c217e156c264a7985ed08b5a76f06d9
  • Version of OS: Windows 11 Pro (Build 26220)
  • Version of CLI: 2.75.0 (installed with scoop)
  • Version of Docker: 29.1.3, build f52814d
  • Versions of services:
   SERVICE IMAGE          | LOCAL                  | LINKED
  ------------------------|------------------------|--------
   supabase/postgres      | 15.8.1.085             | -
   supabase/gotrue        | v2.186.0               | -
   postgrest/postgrest    | v14.3                  | -
   supabase/realtime      | v2.73.2                | -
   supabase/storage-api   | v1.35.3                | -
   supabase/edge-runtime  | v1.70.0                | -
   supabase/studio        | 2026.01.27-sha-2a37755 | -
   supabase/postgres-meta | v0.95.2                | -
   supabase/logflare      | 1.30.5                 | -
   supabase/supavisor     | 2.7.4                  | -

Additional context
Supabase commands that require a Docker container seem to work with no TLS errors, such as: supabase db dump --db-url "connection-string" and supabase db diff --db-url "connection-string"

Below information is true, but not likely relevant--figured out I made the ssl-on change in docker-compose.yml after the bug manifested itself.
UPDATE: Configuration Detail that might be relevant:

My PostgreSQL server has ssl=on (SSL enabled/available), but is configured to accept both SSL and non-SSL connections.

I'm connecting from the local network without SSL using sslmode=disable in the connection string. This works perfectly with psql and Docker-based Supabase commands, confirming the server accepts non-SSL connections.

PostgreSQL Configuration:
- ssl = on (in postgresql.conf or docker-compose environment)
- No ssl_mode = require (allows non-SSL connections)

Network Setup:
- SSL URL exists for internet access via reverse proxy
- Local LAN connections should use non-SSL
- Connecting directly to PostgreSQL port (5433), not through proxy
