Self hosted retool is failing to start using Aurora Postgres DB

Self hosted retool is failing to start using Aurora Postgres DB. It works fine if the postgres is running on a sidecar. But after switching to Aurora DB, it exiting with an error. I am able to connect to the DB manually from the retool pod though.

setsid su retool_user -c /retool_backend/docker_scripts/
root@retool-gql--nonprod-xxx-aws-staging-use1-0:/retool_backend# not untarring the bundle
sed: can't read ./dist/mobile/*.js: No such file or directory
{"level":"info","message":"[process service types] DB_CONNECTOR, DB_SSH_CONNECTOR, MAIN_BACKEND, JOBS_RUNNER, WORKFLOW_WORKER","timestamp":"2024-02-27T21:29:05.100Z"}
Failing checking database migrations

-     EXITING RETOOL      -

Error running database migrations: SequelizeConnectionError: no pg_hba.conf entry for host "10.XXX.XX.XXX", user "admin_user", database "retooldb", no encryption

Are there any environment variables to be set for external DB connections?

1 Like

Hi there @girishsu! Looking at these AWS Aurora security docs, they note that a no pg_hba.conf entry for host error will occur if your cluster has rds.force_ssl enabled and a client is attempting to connect without using SSL.

Can you try setting the following environment variables on your deployment:


The Retool Docker images includes the AWS certificate bundle built-in.

Thanks @shawntax. Tried setting the postgres env variables.

Now I see - Error running database migrations: SequelizeConnectionError: unable to get local issuer certificate

I am using tryretool/backend:3.28.4

Retool team, Any updates on this issue? We wan't to address this ASAP or we have to roll back the changes.


Similar issue

Setting ENV POSTGRES_SSL_REJECT_UNAUTHORIZED=false in the Dockerfile resolved the issue. was the resolution provided. Is this recommended?

cc: @victoria

@girishsu hmm, first can you try adding the following environment variable as well:


This attempts to explicitly tell the Node process running Retool to add the AWS cert bundle we provide to it's known certs.

If that doesn't work, then it's worth trying to set POSTGRES_SSL_REJECT_UNAUTHORIZED=false

Thanks. This setting worked for me. I didn't try NODE_EXTRA_CA_CERTS.