Fix: Handle self-signed certificates in PostgreSQL SSL connections #1121

@scrobot scrobot commented Mar 28, 2025

Fix: Handle self-signed certificates in PostgreSQL SSL connections

Problem

When connecting to PostgreSQL databases with SSL enabled (particularly AWS RDS instances), the MCP server fails with the error:

MCP error -32603: self-signed certificate in certificate chain

This issue occurs because AWS RDS uses SSL certificates that may not be in the default trusted certificate store, and the node-postgres library fails to validate the certificate chain.

Solution

This PR implements a flexible solution for handling SSL connections in the PostgreSQL MCP server:

  1. Conditional SSL Configuration: SSL settings are only applied when needed, based on the connection string parameters (sslmode=require, prefer, verify-ca, or verify-full).

  2. Configurable Certificate Validation: Added support for the rejectUnauthorized parameter in the connection string to control certificate validation:

    • rejectUnauthorized=false: Disables certificate validation (needed for AWS RDS with self-signed certs)
    • rejectUnauthorized=true: Enforces certificate validation (default for security)
  3. Improved Client Connections: Individual client connections now properly inherit SSL settings from the connection string.

Usage Examples

  1. For AWS RDS with self-signed certificates:
     postgresql://username:password@host:port/dbname?sslmode=require&rejectUnauthorized=false
  2. For secure connections with certificate validation:
     postgresql://username:password@host:port/dbname?sslmode=require&rejectUnauthorized=true
  3. For non-SSL connections:
     postgresql://username:password@host:port/dbname

Related Issues

Fixes #1047
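
The connection-string handling this PR description outlines, as an added example that is not the PR's code or the project's own: it maps `sslmode` and `rejectUnauthorized` to the `ssl` options object (`rejectUnauthorized`, `ca`) that node-postgres accepts, keeps validation on unless it is explicitly switched off, and reports when it is off. The function name `buildSslConfig`, the `caPem` parameter (a CA bundle supplied so validation can stay enabled) and the sample connection strings are assumptions.

```javascript
// Added example, not the PR's code. buildSslConfig and caPem are hypothetical names.
const SSL_MODES = new Set(["require", "prefer", "verify-ca", "verify-full"]);

function buildSslConfig(connectionString, caPem) {
  const params = new URL(connectionString).searchParams;
  const warnings = [];

  // No sslmode (or one outside the PR's list): apply no SSL settings at all.
  if (!SSL_MODES.has(params.get("sslmode"))) {
    return { ssl: undefined, warnings };
  }

  // Fail closed: only the literal string "false" turns validation off;
  // a missing or malformed value keeps it on.
  const rejectUnauthorized = params.get("rejectUnauthorized") !== "false";
  const ssl = { rejectUnauthorized };

  // Assumption: the caller has read a CA bundle (PEM text) and passes it in,
  // so a CA missing from the default trust store can validate with checks on.
  if (caPem) ssl.ca = caPem;

  if (!rejectUnauthorized) {
    warnings.push(
      "TLS certificate validation is disabled; the server's identity is not verified"
    );
  }
  return { ssl, warnings };
}

// Constructed sample inputs (host, credentials and CA text are placeholders).
const base = "postgresql://app:secret@db.example.internal:5432/appdb";
const samples = [
  base,
  `${base}?sslmode=require&rejectUnauthorized=false`,
  `${base}?sslmode=verify-full`,
];
for (const cs of samples) {
  const { ssl, warnings } = buildSslConfig(cs, "(constructed PEM placeholder)");
  // Mask the password before logging the connection string.
  console.log(cs.replace(/:[^:@/]+@/, ":***@"), "->", JSON.stringify(ssl), warnings);
}
```

Surfacing the warning at startup makes a deployment that runs with `rejectUnauthorized=false` visible in logs instead of silent.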

@olaservo olaservo added server-postgres bug Something isn't working labels Mar 30, 2025
@olaservo
Member

Thanks for contributing this PR. This server has been moved to the archived repository at https://github.com/modelcontextprotocol/servers-archived to reduce maintenance overhead, so we can focus our efforts on a smaller set of core servers.
Since we're no longer accepting contributions to this server, we won't be able to merge this PR. If you're interested in contributing similar functionality, we recommend checking out the alternatives listed in the Readme.

@olaservo olaservo closed this May 29, 2025