django.db.utils.OperationalError: server does not support SSL, but SSL was required

[lpellis]

I'm having issues getting it to work on python (django)

heroku buildpacks:add https://github.com/heroku/heroku-buildpack-pgbouncer --index 1
and my procfile
web: bin/start-pgbouncer gunicorn config.wsgi

I also tried
web: bin/start-pgbouncer-stunnel gunicorn config.wsgi

but same issue, setting PGSSLMODE=disable doesnt seem to change anything.

fwiw it seemed to detect it correctly
remote: -----> Deleting 4 files matching .slugignore patterns. remote: -----> pgbouncer app detected remote: Using pgbouncer version: 1.8.1-heroku remote: -----> Fetching and vendoring pgbouncer into slug remote: -----> Moving the configuration generation script into app/bin remote: -----> Moving the start-pgbouncer script into app/bin remote: -----> Moving the (legacy) start-pgbouncer-stunnel script into app/bin remote: -----> Moving the use-pgbouncer script into app/bin remote: -----> pgbouncer done remote: -----> Python app detected remote: Using supported version of Python 3.6 (python-3.6.6)

Any ideas what is the issue here?

[petedermott]

I am also getting this issue, would love to know if there is a fix!

[LtKvasir]

same here

EDIT: After some more research I found a solution that works for me. I needed to remove the automatically added "sslmode: required" from the DB-settings which was possible by adding

del DATABASES['default']['OPTIONS']['sslmode']
after
django_heroku.settings(locals())

Solution was found here: https://github.com/kennethreitz/dj-database-url/issues/107

[mble]

For reference, this is due to that when PgBouncer is running locally on the dyno, it doesn't have TLS enabled for local connections (i.e. client_tls_sslmode is disabled: client_tls_sslmode). When sslmode=required is set, it will enforce the use of TLS, resulting in the incompatibility.

Closing this issue out as the above documents the solution nicely.

[lpellis]

Is this fixed though, or does everyone need to implement the workaround by LtKvasir?

[mble]

@lpellis There is nothing to fix – the buildpack runs PgBouncer locally without client_tls_sslmode enabled, so sslmode=required is not appropriate. This is unfortunately an application config issue.

Many PG drivers default to sslmode=prefer, which will fall back to non-TLS if TLS is not supported, which is why we don't hear about this more often. prefer is a sensible, though not 100% secure, default.

We could call this out in the README more explicitly that the buildpack runs PgBouncer with client_tls_sslmode in its default configuration, which is disabled.

[lpellis]

It would be nice then to maybe mention this solution in the docs, as it is currently the steps outlined in https://devcenter.heroku.com/articles/python-concurrency-and-database-connections will not work if you use dj-database-url

[mble]

Sure, thanks for the feedback. It's tricky to cover all possible combinations of use cases, especially when community buildpacks are involved.

[ssandeep]

Thanks @LtKvasir

I was getting this error only when I tried running heroku local, so just added an env check:

# add ENV=development in the .env file for the below to work:
if os.environ.get('ENV') == 'development':
    del DATABASES['default']['OPTIONS']['sslmode']

[matheusDataType]

I had the same error, and just deleted PGSSLMODE.

[FedericoCapaldo]

Thanks @LtKvasir

I was getting this error only when I tried running heroku local, so just added an env check:

# add ENV=development in the .env file for the below to work:
if os.environ.get('ENV') == 'development':
    del DATABASES['default']['OPTIONS']['sslmode']

This is a proper answer.