Postgresql in Docker with SSL

Prepare Certificates

mkdir ssl
cd ssl

# ----
DOMAIN="postgres"
DAYS=10000
SUBJ='/C=US/L=DB/O=postgres'

openssl genrsa -out ca.key 2048

openssl req -new -x509 -days ${DAYS} \
  -subj "$SUBJ/CN=Root CA" \
  -key ca.key \
  -out ca.crt

openssl req -newkey rsa:2048 -nodes \
  -subj "$SUBJ/CN=*.${DOMAIN}" \
  -keyout ${DOMAIN}.key \
  -out ${DOMAIN}.csr 

openssl x509 -req -days ${DAYS} \
  -extfile <(printf "subjectAltName=DNS:${DOMAIN}") \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -in ${DOMAIN}.csr \
  -out ${DOMAIN}.crt

docker-compose.yaml

href="#__codelineno-1-1">services: postgres: image: postgres:${TAG_POSTGRES} environment: POSTGRES_USER: ${POSTGRES_USER} POSTGRES_PASSWORD: ${POSTGRES_PASSWORD} POSTGRES_INITDB_ARGS: "--data-checksums" ports: - "127.0.0.1:5432:5432" volumes: - postgres_data:/var/lib/postgresql/data - ./ssl/postgres.crt:/var/lib/postgresql/server.crt:ro - ./ssl/postgres.key:/var/lib/postgresql/server.key:ro - ./ssl/ca.crt:/var/lib/postgresql/ca.crt:ro command: > postgres -c ssl=on -c ssl_cert_file=/var/lib/postgresql/server.crt -c ssl_key_file=/var/lib/postgresql/server.key -c ssl_ca_file=/var/lib/postgresql/ca.crt >volumes: postgres_data:

.env

TAG_POSTGRES=17-alpine3.21
POSTGRES_USER=postgres
POSTGRES_PASSWORD=password

Checking

SSL:

openssl s_client -showcerts -connect 127.0.0.1:5432

DB connect:

❯ psql "host=localhost port=5432 dbname=postgres user=postgres sslmode=require"
Password for user postgres:
psql (17.5, server 17.6)
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, compression: off, ALPN: postgresql)
Type "help" for help.

postgres=#

Checking active connections:

SELECT datname, usename, client_addr, ssl, version AS ssl_version, cipher AS ssl_cipher 
FROM pg_stat_ssl  
JOIN pg_stat_activity ON pg_stat_ssl.pid = pg_stat_activity.pid;