Description
Since Postgres 16, the `sslrootcert=system` connection parameter turns on `sslmode=verify-full` and instructs `psql` to use the system CA cert store. This is a lot more secure than `sslmode=require` and works very nicely for people with Postgres providers who use public CAs to secure their databases.

Unfortunately, `sslrootcert=system` currently doesn't work on the `psql` binaries shipped in these Docker images:
```
# psql 'postgresql://user:pass@ep-broad-dew-xyz.us-east-2.aws.neon.tech/neondb?sslrootcert=system'
psql: error: connection to server at "ep-broad-dew-xyz.us-east-2.aws.neon.tech" (3.x.x.x), port 5432 failed: SSL error: certificate verify failed
```
Fortunately, the fix is simple: `apt-get update && apt-get install ca-certificates` does the trick. It's also simple to test the fix using a free-tier Neon DB.

Would you be able to update all images from 16.x up to come with the `ca-certificates` package installed, to make this work?

I'm maintaining a list of `psql` distributions that do and don't work here: https://gist.github.com/jawj/57bc9d1f350ffd5250942cf24957b3a7
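
As an added example (not part of the original issue, nor the image's own scripts), a preflight check that could run inside a Debian-based container before connecting: it classifies the TLS settings in a libpq URI and confirms that a system CA bundle is present. The bundle path and all function names are assumptions made for illustration.

```shell
#!/bin/sh
# Assumption: on Debian-based images the ca-certificates package writes its bundle here.
CA_BUNDLE_REL=etc/ssl/certs/ca-certificates.crt

# Count PEM certificates in a bundle file; prints 0 if the file is missing or empty.
ca_cert_count() {
    if [ -r "$1" ]; then
        grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
    else
        echo 0
    fi
}

# Succeeds when the trust store under root $1 (default /) holds at least one CA.
system_ca_ready() {
    root=${1:-/}
    [ "$(ca_cert_count "${root%/}/$CA_BUNDLE_REL")" -gt 0 ]
}

# Extract one query parameter from a libpq connection URI (hypothetical helper).
uri_param() {
    printf '%s\n' "$1" | sed -n 's/^[^?]*?//p' | tr '&' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Classify how the server certificate will be checked for a given URI.
uri_tls_posture() {
    mode=$(uri_param "$1" sslmode)
    rootcert=$(uri_param "$1" sslrootcert)
    if [ "$rootcert" = system ]; then
        case $mode in
            ''|verify-full) echo verify-full-system ;;
            *) echo rejected-by-libpq ;;  # a weaker sslmode with sslrootcert=system is an error
        esac
    else
        case $mode in
            verify-full|verify-ca) echo "$mode" ;;
            *) echo unverified ;;  # require, prefer, allow, disable or unset: no hostname check
        esac
    fi
}

# Returns 0 only if the URI requests system-CA verification and the CA store exists.
preflight() {
    [ "$(uri_tls_posture "$1")" = verify-full-system ] || { echo "URI does not use sslrootcert=system"; return 2; }
    system_ca_ready "${2:-/}" || { echo "no CA bundle found: install ca-certificates"; return 1; }
    echo ok
}

if [ "$#" -gt 0 ]; then preflight "$@"; fi
```

Run it with the connection URI as the first argument; an optional second argument points the check at a different filesystem root.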