Postgresql SSL connection with custom certificates

Describe the problem/error/question

I’m using self-hosted n8n and trying to connect to an AWS RDS Postgresql database. As described in AWS documentation, custom CA certificates need to be downloaded and loaded in order to establish a secure connection with the database.

I’ve also tried copying the custom certificates into the /opt/custom-certificates directory according to n8n documentation but this has not helped with the certificate errors I am facing.

Note #1: When enabling Ignore SSL Issues (Insecure) my connection is successful, but I would like to avoid using this insecure setting.

Note #2: Adding chown -R 1000:1000 /opt/custom-certificates also did not improve the situation:

docker exec --user 0 n8n chown -R 1000:1000 /opt/custom-certificates
docker exec --user 0 n8n ls -l /opt
total 4
drwxr-xr-x    3 node     node            96 Apr 21 21:57 custom-certificates

What is the error message (if any)?

The error I receive when testing the Postgresql connection is:

Error: self-signed certificate in certificate chain 

Please share your workflow

N/A, this problem applies to setting up the Postgresql connection in the Credentials section

Information on your n8n setup

  • n8n version: 1.89.1
  • Database (default: SQLite): SQLite (trying to migrate to AWS RDS Postgresql)
  • n8n EXECUTIONS_PROCESS setting (default: own, main):
  • Running n8n via (Docker, npm, n8n cloud, desktop app): Docker
  • Operating system: Ubuntu

See if any of the stuff in this post helps.

1 Like

Thanks for the link! I followed the steps listed in that post to split out the 3 certificates into separate files, but still no luck.

My new /opt/custom-certificates directory looks like this:

docker exec -it n8n ls -la /opt/custom-certificates
total 16
drwxr-xr-x    5 node     node           160 Apr 22 23:43 .
drwxr-xr-x    1 root     root          4096 Apr 22 16:33 ..
-rw-r--r--    1 node     node          1448 Apr 22 23:41 us-east-1-cert1.pem
-rw-r--r--    1 node     node          2139 Apr 22 23:41 us-east-1-cert2.pem
-rw-r--r--    1 node     node           989 Apr 22 23:41 us-east-1-cert3.pem

Notably, there are no symlinks as mentioned by the other post. I also do not see any messages during startup related to certificates (neither “Trusting custom certificates from /opt/custom-certificates” nor “WARNING: mycertchain.pem does not contain exactly one certificate or crl: skipping”).

I’ve found the issue by checking the n8n source code: we are setting an entrypoint script in our Dockerfile, which we did not realize is overriding the default n8n entrypoint script which loads the custom certificates.

My temporary workaround is to copy/paste the logic in the default script to the bottom of my own custom entrypoint script, but I will continue to investigate a better long-term solution. (Note: we are using the custom script for a scrappy CI/CD-style deployment of workflows from source code by importing them from JSON files; likely there’s a better way to do this.)

1 Like

FWIW, we had to do the same in Kubernetes because the certificates directory is mounted to a config-map volume, which cannot be modified at runtime, so the symlink files must be created ahead of time (as actual copies of the certificates), manually, using the c_rehash command to generate the filenames, and the call to c_rehash in the startup script must be removed.

Also, since you’ve already overridden docker-entrypoint.sh, it won’t affect you, but for others who end up reading this thread, there was (is) a bug in the script affecting installs where both NODE_OPTIONS and certificates are used. The bug was fixed very recently - March 10, 2025 (released with n8n version 1.83.0).

2 Likes
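A quick way to check for the symptoms reported in this thread (bundle files being skipped, no hash entries in the directory, trust settings never exported because the entrypoint was replaced). This is an added example, not code from the thread or from n8n: the function names and finding labels are made up here, and it assumes certificate trust is wired through OpenSSL's hashed directory lookup, that is, `SSL_CERT_DIR` plus Node's `--use-openssl-ca` flag.

```shell
#!/bin/sh
# Added diagnostic sketch; not n8n's script. Finding labels are made up here.

# Count PEM certificate blocks in a file (grep -c exits 1 on zero matches).
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Succeed if the directory has an OpenSSL hash entry such as 1a2b3c4d.0,
# the naming c_rehash produces (as symlinks, or as copies on read-only mounts).
has_hash_entries() {
  for h in "$1"/*; do
    case "${h##*/}" in
      [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*) return 0 ;;
    esac
  done
  return 1
}

# Print one finding per line; return 1 if anything is off.
audit_cert_dir() {
  dir=$1; findings=0
  [ -d "$dir" ] || { echo "MISSING_DIR $dir"; return 1; }
  for f in "$dir"/*.pem; do
    [ -e "$f" ] || continue
    n=$(count_certs "$f")
    [ "$n" -eq 1 ] || { echo "NOT_SINGLE_CERT ${f##*/} ($n)"; findings=1; }
  done
  has_hash_entries "$dir" || { echo "NO_HASH_ENTRIES"; findings=1; }
  # Assumption: trust is wired through these two settings.
  [ "${SSL_CERT_DIR:-}" = "$dir" ] || { echo "SSL_CERT_DIR_NOT_SET_TO_DIR"; findings=1; }
  case " ${NODE_OPTIONS:-} " in
    *" --use-openssl-ca "*) ;;
    *) echo "NODE_NOT_USING_OPENSSL_CA"; findings=1 ;;
  esac
  return "$findings"
}

if [ "$#" -gt 0 ]; then
  audit_cert_dir "$1"
else
  # Constructed demo: one single-certificate file and one two-certificate bundle.
  demo=$(mktemp -d)
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed' \
    '-----END CERTIFICATE-----' > "$demo/one.pem"
  cat "$demo/one.pem" "$demo/one.pem" > "$demo/bundle.pem"
  audit_cert_dir "$demo" || echo "trust setup incomplete for $demo"
  rm -rf "$demo"
fi
```

Run it with the directory as its argument from the end of the custom entrypoint, so it sees the same environment the n8n process inherits. A fresh `docker exec` shell does not see variables exported only by the entrypoint, so the two environment findings are expected there.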
