Use TimescaleSecurity

Connect with a stricter SSL mode

The default connection string for Timescale uses the SSL mode require. If you want your connection client to verify the server's identity, you can connect with an SSL mode of verify-ca or verify-full. To do so, you need to store a copy of the certificate chain where your connection tool can find it.

This section provides instructions for setting up a stricter SSL connection.

SSL certificates

All connections to Timescale are encrypted. As part of the secure connection protocol, the server proves its identity by providing clients with a certificate. This certificate should be issued and signed by a well-known and trusted Certificate Authority.

Because requesting a certificate from a Certificate Authority takes some time, Timescale databases are initialized with a self-signed certificate. This lets you start up a database immediately. After your service is started, a signed certificate is requested behind the scenes. The new certificate is usually received within 30 minutes. Your database certificate is then replaced with almost no interruption. Connections are reset, and most clients reconnect automatically.

With the signed certificate, you can switch your connections to a stricter SSL mode, such as verify-ca or verify-full.

For more information on the different SSL modes, see the PostgreSQL SSL mode descriptions.

Connect to your database with a stricter SSL mode

To set up a stricter SSL connection:

  1. Generate a copy of your certificate chain and store it in the right location
  2. Change your Timescale connection string

Connecting to your database with a stricter SSL mode

  1. Use the openssl tool to connect to your Timescale service and get the certificate bundle. Store the bundle in a file called bundle.crt.

    Replace $SERVICE_URL_WITH_PORT with your Timescale connection URL:

    openssl s_client -showcerts -partial_chain -starttls postgres \
                 -connect $SERVICE_URL_WITH_PORT < /dev/null 2>/dev/null | \
                 awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/{ print }' > bundle.crt

  2. Copy the bundle to your clipboard:

    pbcopy < bundle.crt

  3. Navigate to https://whatsmychaincert.com/. This online tool generates a full certificate chain, including the root CA certificate, which is not included in the certificate bundle returned by the database.

  4. Paste your certificate bundle in the provided box. Check Include Root Certificate. Click Generate Chain.

  5. Save the downloaded certificate chain to ~/.postgresql/root.crt.

  6. Change your Timescale connection string from sslmode=require to either sslmode=verify-full or sslmode=verify-ca. For example, to connect to your database with psql, run:

    psql "postgres://tsdbadmin@$SERVICE_URL_WITH_PORT/tsdb?sslmode=verify-full"

Verify certificate type used by your database

To check whether the certificate has been replaced yet, connect to your database instance and inspect the returned certificate:

openssl s_client -showcerts -partial_chain -starttls postgres -connect <HOST>:<PORT> < /dev/null 2>/dev/null  | grep "ZeroSSL"

Keywords

securityTimescale

Found an issue on this page?

Report an issue!
PreviousRead only roleNextTimescale limitations

Related Content

Security
Learn how your Timescale instance is secured
Timescale security
Get an overview of security on Timescale
Multi-factor user authentication
Manage Multi-factor user authentication for your Timescale account
Virtual Private Cloud
Use VPC peering to secure your Timescale database
Members
User management for your Timescale project
Alerting
Set up alerting with Timescale