Use SSL Encryption with Postgres Running in Dokku on Ubuntu 20.04

Updated on September 15, 2021
Use SSL Encryption with Postgres Running in Dokku on Ubuntu 20.04 header image


Dokku is a popular container manager that runs multiple Heroku buildpacks or Docker containers in a single instance. This architecture has many benefits, like isolation between different services running under the same host. Running PostgreSQL under Dokku allows for easy upgrades of PostgreSQL and sharing with other containers in the same instance.

This guide explains how to use a free Let's Encrypt SSL certificate to protect a PostgreSQL server running under Dokku on Ubuntu 20.04.


1. Install Dokku

Install the latest version of Dokku on your server.

$ wget
$ sudo DOKKU_TAG=v0.25.4 bash

Set the global domain for the Dokku instance. Replace with your domain name.

$ dokku domains:set-global

2. Install the Dokku PostgreSQL Extension

Install the Dokku PostgreSQL extension.

$ sudo dokku plugin:install postgres

Create a pgdb service on your instance with your preferred version of PostgreSQL. For example, PostgreSQL 13.4.

$ dokku postgres:create pgdb --image postgres --image-version 13.4

Change the postgres user password.

$ dokku postgres:connect pgdb

pgdb=# ALTER USER postgres PASSWORD 'your-new-password';
pgdb=# \q

Expose the PostgreSQL port to allow connections outside the container.

$ dokku postgres:expose pgdb 5432

3. Copy SSL Certificate to PostgreSQL

Create a scheduled task to copy the Let's Encrypt SSL certificate to the PostgreSQL data directory.

Locate the PostgreSQL data directory.

$ dokku postgres:info pgdb | grep "Data dir:"

The default data directory is /var/lib/dokku/services/postgres/pgdb/data.

4. Create a Renewal Hook

Switch to the root user.

$ sudo su

Create a renewal hook script.

# nano /usr/local/sbin/

Paste the following script. Change to your domain.


umask 0177
cp $CERT_DIR/_.$DOMAIN.crt $DATA_DIR/server.crt
cp $CERT_DIR/_.$DOMAIN.key $DATA_DIR/server.key
chmod 600 $DATA_DIR/server.crt $DATA_DIR/server.key

Edit the file /usr/local/sbin/ that you created when following the "Install Wildcard SSL with Lego" instructions in the Prerequisites and add the --run-hook flag, pointing to the file you created above.

After editing, your file will look like:



export VULTR_TTL=300

lego --dns vultr \
    --domains * \
    --domains \
    --email \
    --path="/etc/letsencrypt/" \
    --run-hook="/usr/local/sbin/" \
    --accept-tos renew

Test the script.

# bash /usr/local/sbin/

Restart the PostgreSQL instance.

# postgres:restart pgdb

Exit the root user account.

# exit

5. Test the Connection

Connect to the database from another machine with the PostgreSQL client installed. Replace with your server's domain name.

$ psql -d "dbname=postgres sslmode=require" -h -U postgres

You should see the PostgreSQL prompt.

Password for user postgres:
psql (12.8 (Ubuntu 12.8-0ubuntu0.20.04.1))
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
Type "help" for help.

Type \Q to exit the PostgreSQL client.

postgres=# \q