northerncoder.ca

Front end web development, and tech projects

You are here: Home / News / How to Enable TLS for Postgres in Dokploy (Step-by-Step)

How to Enable TLS for Postgres in Dokploy (Step-by-Step)

Adding TLS encryption to your Postgres database in Dokploy ensures secure connections for both production and development. Here’s how I managed it using volumes in Dokploy:

1. Generate a Certificate Authority (CA)

openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.crt -subj "/CN=MyLocalCA"

2. Generate a Server Certificate Signed by Your CA

Create a config file server-cert.conf with your hostnames/IPs::

[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext

[dn]
CN = st-api.viewly.net

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = st-api.yourdomain.net
DNS.2 = st.yourdomain.net
DNS.3 = localhost
IP.1 = 127.0.0.1
IP.2 = 192.168.200.149
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext

[dn]
CN = st-api.yourdomain.net

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = st-api.yourdomain.net
DNS.2 = st.yourdomain.net
DNS.3 = localhost
IP.1 = 127.0.0.1
IP.2 = 192.168.100.123


Then run:
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr -config server-cert.conf
openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out server.crt -days 365 -sha256 -extfile server-cert.conf -extensions req_ext

3. Prepare the Docker Volume
Start a temporary container to access the Dokploy volume:

docker run --rm -it -v pg-ssl-certs:/data busybox sh

In another terminal, copy your certs into the running container:

docker cp server.crt <container_id>:/data/server.crt
docker cp server.key <container_id>:/data/server.key

Inside the busybox shell, set permissions:

chmod 600 /data/server.key

In Dokploy, mount the pg-ssl-certs volume to /etc/postgres/ssl in your Postgres app.

Mount the Volume in Dokploy
In Dokploy, mount the pg-ssl-certs volume to /etc/postgres/ssl in your Postgres app.

Set the Postgres Command in Dokploy
In the “Command” field:

docker-entrypoint.sh postgres -c ssl=on -c ssl_cert_file=/etc/postgres/ssl/server.crt -c ssl_key_file=/etc/postgres/ssl/server.key

6. Redeploy Postgres
Redeploy your Postgres app in Dokploy.

7. Test SSL

Connect with psql:

psql "host=YOUR_DB_HOST user=YOURUSER dbname=YOURDB sslmode=require"

in psql:

SHOW ssl;

You now have a secure, TLS-enabled Postgres instance running in Dokploy.