
[Bug]: SSL certificate generated by Coolify incompatible with PostgreSQL 18 — "no suitable signature algorithm" #8601

@rdlogout


Error Message and Logs

Describe the bug

When deploying a PostgreSQL 18 database with SSL enabled, the container immediately fails all SSL handshakes with:

could not accept SSL connection: no suitable signature algorithm

PostgreSQL 18 is more strict about SSL certificate algorithms. Coolify generates certificates using ECC secp521r1, which PostgreSQL 18 rejects at the TLS handshake level. The database starts successfully but silently rejects every incoming SSL connection, making it impossible to connect with sslmode=require (e.g. from Cloudflare Hyperdrive).

Clicking "Regenerate SSL Certificates" in the UI does not fix it — it regenerates with the same incompatible algorithm.


Steps To Reproduce

  1. Create a new PostgreSQL database resource in Coolify
  2. Set image to postgres:18-alpine (or any PG18 image)
  3. Enable SSL, set SSL mode to require
  4. Make it publicly available
  5. Attempt to connect with sslmode=require

Expected Behavior

SSL connections succeed.


Actual Behavior

Every SSL connection fails. Postgres logs show:

could not accept SSL connection: no suitable signature algorithm

Workaround

Manually overwrite the cert files on the host with an RSA-SHA256 cert:

openssl req -new -x509 \
    -days 3650 \
    -nodes \
    -newkey rsa:2048 \
    -keyout /data/coolify/databases/<resource-id>/ssl/server.key \
    -out /data/coolify/databases/<resource-id>/ssl/server.crt \
    -subj "/CN=postgres" \
    -sha256

chmod 600 /data/coolify/databases/<resource-id>/ssl/server.key
chmod 644 /data/coolify/databases/<resource-id>/ssl/server.crt
docker restart <container-name>

⚠️ This workaround is overwritten if "Regenerate SSL Certificates" is clicked again in the UI.


Suggested Fix

Switch SSL cert generation from ECC secp521r1 to RSA-2048 + SHA256 for PostgreSQL databases, or detect the PostgreSQL major version and adjust accordingly. PostgreSQL 18 release notes explicitly tighten TLS certificate algorithm requirements.


Environment

   
Coolify Version: latest
PostgreSQL Version: 18.2 (postgres:18-alpine)
Server OS: Ubuntu 24.04
SSL Mode: require

Steps to Reproduce

Example Repository URL

No response

Coolify Version

v4.0.0-beta.463

Are you using Coolify Cloud?

No (self-hosted)

Operating System and Version (self-hosted)

No response

Additional Information

No response
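
A check that could be run on the host against the generated server.crt, as an added example that is not part of the original issue or of Coolify's code: it reports the certificate's public key algorithm and signature algorithm and flags EC secp521r1, the key type the report above ties to the handshake failure. The function names and the throwaway sample certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the issue): inspect a PostgreSQL server certificate
# and flag the EC secp521r1 key type that the report above ties to
# "no suitable signature algorithm" on PostgreSQL 18.

# Print "<public key algorithm> <curve or bit size> <signature algorithm>".
cert_summary() {
    text=$(openssl x509 -in "$1" -noout -text) || return 2
    alg=$(printf '%s\n' "$text" | awk -F': ' '/Public Key Algorithm/ {print $2; exit}')
    sig=$(printf '%s\n' "$text" | awk -F': ' '/Signature Algorithm/ {print $2; exit}')
    case "$alg" in
        id-ecPublicKey)
            detail=$(printf '%s\n' "$text" | awk -F': ' '/ASN1 OID/ {print $2; exit}') ;;
        *)
            detail=$(printf '%s\n' "$text" |
                sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1) ;;
    esac
    echo "$alg $detail $sig"
}

# Return 1 if the cert is EC on secp521r1 (the reported failure mode), else 0.
check_pg_cert() {
    summary=$(cert_summary "$1") || return 2
    case "$summary" in
        "id-ecPublicKey secp521r1 "*) echo "FLAG  $1: $summary"; return 1 ;;
        *)                            echo "OK    $1: $summary"; return 0 ;;
    esac
}

# Constructed sample input: throwaway self-signed certs in a temp directory.
make_sample_certs() {
    dir=$(mktemp -d) || return 2
    openssl ecparam -name secp521r1 -genkey -noout -out "$dir/ec.key" 2>/dev/null
    openssl req -new -x509 -days 1 -key "$dir/ec.key" -subj "/CN=postgres" \
        -sha256 -out "$dir/ec.crt" 2>/dev/null
    openssl req -new -x509 -days 1 -nodes -newkey rsa:2048 -subj "/CN=postgres" \
        -sha256 -keyout "$dir/rsa.key" -out "$dir/rsa.crt" 2>/dev/null
    echo "$dir"
}

samples=$(make_sample_certs)
check_pg_cert "$samples/ec.crt" || true   # flagged: EC secp521r1
check_pg_cert "$samples/rsa.crt"          # passes: RSA 2048 with SHA-256
rm -rf "$samples"
```

On a real host, point `check_pg_cert` at the `server.crt` path from the workaround, both before and after replacing the certificate.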


Labels: 🔍 Triage (Issues that need assessment and prioritization.)
