P
Prisma9h ago
riddler

Prisma 7 - Error opening TLS connection (cockroachdb)

I migrated from Prisma 6 to Prisma 7. And i am facing client connection related error. 
Error opening a TLS connection: unable to verify the first certificate
Error opening a TLS connection: unable to verify the first certificate
Database: cockroachdb docker compose file 
cockroachdb:
    image: cockroachdb/cockroach:v25.3.3
    command: >
      start-single-node
      --certs-dir=/cockroach/certs
    ports:
      - "26257:26257"
    volumes:
      - roach-single:/cockroach/cockroach-data
      - roach-certs:/cockroach/certs
    environment:
      # if prior volumes already exist, these will have no effect
      - COCKROACH_DATABASE=ufc
      - COCKROACH_USER=john
      - COCKROACH_PASSWORD=pork
volumns:
  roach-single:
  roach-certs:
cockroachdb:
    image: cockroachdb/cockroach:v25.3.3
    command: >
      start-single-node
      --certs-dir=/cockroach/certs
    ports:
      - "26257:26257"
    volumes:
      - roach-single:/cockroach/cockroach-data
      - roach-certs:/cockroach/certs
    environment:
      # if prior volumes already exist, these will have no effect
      - COCKROACH_DATABASE=ufc
      - COCKROACH_USER=john
      - COCKROACH_PASSWORD=pork
volumns:
  roach-single:
  roach-certs:
.env file at root 
DATABASE_URL=postgresql://aseer:password@localhost:26257/althire?sslmode=verify-full
DATABASE_URL=postgresql://aseer:password@localhost:26257/althire?sslmode=verify-full
prisma client configuration 
import { PrismaPg } from '@prisma/adapter-pg'
import { env } from '@/data/env'
import { PrismaClient } from '@/generated/prisma/client'

const globalForPrisma = globalThis as unknown as { prisma: PrismaClient }

export const prisma =
  globalForPrisma.prisma ||
  new PrismaClient({
    log: ['query', 'info', 'error', 'warn'],
    adapter: new PrismaPg({ connectionString: env.DATABASE_URL }),
  })

if (process.env.NODE_ENV !== 'production') globalForPrisma.prisma = prisma
import { PrismaPg } from '@prisma/adapter-pg'
import { env } from '@/data/env'
import { PrismaClient } from '@/generated/prisma/client'

const globalForPrisma = globalThis as unknown as { prisma: PrismaClient }

export const prisma =
  globalForPrisma.prisma ||
  new PrismaClient({
    log: ['query', 'info', 'error', 'warn'],
    adapter: new PrismaPg({ connectionString: env.DATABASE_URL }),
  })

if (process.env.NODE_ENV !== 'production') globalForPrisma.prisma = prisma
1 Reply
Prisma AI Help
Prisma AI Help9h ago
You chose to compile with the bot. One moment while I piece together your answer… The error means Prisma (via node-postgres / PrismaPg) does not trust CockroachDB’s self‑signed cert. With Prisma 7 / adapters you now need to either: 1. Disable strict verification for local/self‑signed setups For PostgreSQL‑compatible databases you can relax verification via the connection string: 
# for local dev / self-signed only
DATABASE_URL=postgresql://aseer:password@localhost:26257/althire?sslmode=no-verify
# for local dev / self-signed only
DATABASE_URL=postgresql://aseer:password@localhost:26257/althire?sslmode=no-verify
sslmode=no-verify keeps TLS encryption but skips certificate verification, similar to sslaccept=accept_invalid_certs / older behavior. [PostgreSQL SSL; RDS adapter answer] This is also the recommended workaround for self‑signed cert issues when using the driver adapters. [DEPTH_ZERO issue; SSL errors after adapters] 2. Use full verification with a trusted CA (more secure) If you want to keep sslmode=verify-full, you must provide the CA/root cert via sslrootcert (same idea as with Cockroach Cloud / Supabase): 
DATABASE_URL=postgresql://aseer:password@localhost:26257/althire?sslmode=verify-full&sslrootcert=./certs/ca.crt
DATABASE_URL=postgresql://aseer:password@localhost:26257/althire?sslmode=verify-full&sslrootcert=./certs/ca.crt
sslrootcert must point to the Cockroach cluster’s CA certificate file (path is resolved relative to ./prisma). [PostgreSQL SSL; verify-full + sslrootcert] --- Summary for your setup For a local Docker Cockroach node with self‑signed certs, simplest is: 
DATABASE_URL=postgresql://aseer:password@localhost:26257/althire?sslmode=no-verify
DATABASE_URL=postgresql://aseer:password@localhost:26257/althire?sslmode=no-verify
If you later move to Cockroach Cloud or production with proper TLS, switch back to sslmode=verify-full and include sslrootcert. ✅ Great, thanks for letting us know that this solved your question!

Did you find this page helpful?