a month ago
Hi team,
I’ve noticed that the pgvector database templates on Railway can’t be connected to with SSL enabled. I’ve tried multiple pgvector templates, but all of them return an error indicating that SSL connections are not accepted by the server.
Is there a specific reason SSL is disabled or unsupported in these templates?
I understand that my frontend can connect to the database internally through Railway’s private network, but when connecting from my local machine (for example, using DBeaver or psql), the connection fails if sslmode=require is set.
How do other users typically connect securely from a remote machine when using the pgvector template? Is there an SSL-enabled variant or recommended workaround for production use?
Thanks in advance,
Terence
3 Replies
a month ago
Hey there! We've found the following might help you get unblocked faster:
If you find the answer from one of these, please let us know by solving the thread!
a month ago
Wondering if you have verified if the actual postgresql.conf file within the pgvector image container has ssl=on uncommented? I checked in one of the more recent pgvector images (tag: pg18-trixie) and it looks like it is commented out as ssl=off by default (documentation: https://www.postgresql.org/docs/8/runtime-config.html#:~:text=default%20is%2060.-,ssl%20(boolean),-Enables%20SSL%20connections). Assuming that you have the certificates required you could do something like postgres -c ssl=on and add your certificates in the same command from within the project settings UI (path: Project>Settings>Deploy>Custom Start Command).
dalinkstone
a month ago
Thanks - your suggestion pointed me in the right direction. I verified that postgresql.conf in pgvector:pg18-trixie has ssl off by default, so I enabled SSL via the startup flags and provided certs at runtime from env. Doing it at launch time avoids editing the file and works cleanly on Railway.
For anyone else on Railway, this is the Custom Start Command that worked:
---------------
# Railway -> Service -> Settings -> Deploy -> Custom Start Command
bash -lc '
set -e
# Do not write into PGDATA before initdb runs
: "${PGDATA:=/var/lib/postgresql/data}"
# Put bootstrap artifacts outside PGDATA
BOOT_DIR="/var/lib/postgresql/pg-bootstrap"
CERT_DIR="/var/lib/postgresql/certs"
mkdir -p "$BOOT_DIR" "$CERT_DIR"
chmod 700 "$BOOT_DIR"

# 1) Ensure there is a superuser password on first boot
if [ -z "${POSTGRES_PASSWORD:-}" ]; then
  # Generate a strong random password
  GEN_PWD="$(openssl rand -base64 48 | tr -d "\n" | tr "/+" "Aa" | cut -c1-40)"
  export POSTGRES_PASSWORD="$GEN_PWD"
  # Save once so you can copy it, then delete it later
  echo "$GEN_PWD" > "$BOOT_DIR/postgres-password.txt"
  chmod 600 "$BOOT_DIR/postgres-password.txt"
  echo "[init] Generated POSTGRES_PASSWORD and saved to $BOOT_DIR/postgres-password.txt"
fi

# 2) SSL certs - use provided envs (base64-encoded PEM) or fall back to self-signed
WROTE_CERTS=false
if [ -n "${SSL_SERVER_CERT_B64:-}" ] && [ -n "${SSL_SERVER_KEY_B64:-}" ]; then
  echo "$SSL_SERVER_CERT_B64" | base64 -d > "$CERT_DIR/server.crt"
  echo "$SSL_SERVER_KEY_B64" | base64 -d > "$CERT_DIR/server.key"
  if [ -n "${SSL_ROOT_CA_B64:-}" ]; then
    echo "$SSL_ROOT_CA_B64" | base64 -d > "$CERT_DIR/rootCA.crt"
  fi
  WROTE_CERTS=true
fi
if [ "$WROTE_CERTS" != "true" ]; then
  # Self-signed for dev. The CN is the container hostname, so clients must use
  # sslmode=require (encrypts, but does not verify the server certificate);
  # verify-full needs a cert whose name matches the public host.
  CN="$(hostname -f || hostname)"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=${CN}" \
    -keyout "$CERT_DIR/server.key" \
    -out "$CERT_DIR/server.crt" >/dev/null 2>&1
fi
# Postgres refuses a key that is group/world readable: 0600, owned by postgres
chmod 600 "$CERT_DIR/server.key" || true
chown -R postgres:postgres "$BOOT_DIR" "$CERT_DIR" || true

# 3) Build postgres flags - only pass ssl_ca_file if present
ARGS=( -c ssl=on -c ssl_cert_file="$CERT_DIR/server.crt" -c ssl_key_file="$CERT_DIR/server.key" )
[ -f "$CERT_DIR/rootCA.crt" ] && ARGS+=( -c ssl_ca_file="$CERT_DIR/rootCA.crt" )

# 4) Hand off to the official entrypoint so init scripts still run
exec /usr/local/bin/docker-entrypoint.sh postgres "${ARGS[@]}"
'
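As an added example (not from this thread or from Railway's pgvector image): the start command above falls back to a self-signed certificate with the container hostname as CN, which only supports sslmode=require. The helpers below generate a certificate whose subjectAltName matches the hostname remote clients actually use, check that libpq's verify-full name check would pass, and base64-encode the files for the SSL_SERVER_CERT_B64 / SSL_SERVER_KEY_B64 variables the script consumes. The function names and the hostname are hypothetical; it assumes openssl 1.1.1 or newer.

```shell
#!/usr/bin/env bash
# Added example: certificates that survive sslmode=verify-full (not the thread's code).
set -eu

# make_server_cert DIR HOST: self-signed cert + key with a SAN for HOST.
# Without a matching SAN, libpq verify-full fails even though require works.
make_server_cert() {
  local dir="$1" host="$2"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=${host}" \
    -addext "subjectAltName=DNS:${host}" \
    -keyout "$dir/server.key" -out "$dir/server.crt" >/dev/null 2>&1
  chmod 600 "$dir/server.key"   # same permission Postgres requires at runtime
}

# cert_matches_host CERT HOST: exit 0 if the certificate names HOST
# (openssl prints "does match" / "does NOT match"; its exit code is 0 either way).
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

# b64_oneline FILE: single-line base64 suitable for a Railway variable;
# the start command reverses it with "base64 -d".
b64_oneline() {
  base64 < "$1" | tr -d '\n'
}

# psql_verify_full HOST PORT DB USER CERT: connect with full verification, using
# the self-signed cert itself as the trust root, and show what was negotiated.
# Needs a reachable server, so the test does not call it.
psql_verify_full() {
  PGSSLMODE=verify-full PGSSLROOTCERT="$5" \
    psql "host=$1 port=$2 dbname=$3 user=$4" \
    -c "SELECT ssl, version, cipher FROM pg_stat_ssl WHERE pid = pg_backend_pid();"
}
```

Upload the output of b64_oneline for server.crt and server.key as the two variables, redeploy, and psql_verify_full should report ssl = t; a hostname mismatch shows up as a verify-full failure before any query runs.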
Status changed to Solved itsrems • about 1 month ago