PostgreSQL error: no pg_hba.conf entry for host
FATAL: no pg_hba.conf entry for host "10.0.0.23", user "app_user", database "appdb", SSL encryption
Good news first: the network path works and you reached PostgreSQL. It refused you because no line in pg_hba.conf matches the combination in the message: client address, database, user, and whether the connection uses SSL. The error hands you all four — the fix is writing a rule that matches them.
What this error means
pg_hba.conf is evaluated top to bottom, first match wins — and a connection that matches no line gets this error. Each line matches on connection type (local, host, hostssl, hostnossl), database, user and client address, then names the auth method to apply.
The tail of the message ("SSL encryption" / "no encryption") matters more than it looks: a hostssl line can never match a non-SSL attempt, and vice versa. If the message says "no encryption" and all your rules say hostssl, the fix is on the client (sslmode=require), not in the file.
Common causes
- Client address outside every CIDR in the file — typical when an app moves subnet, or the first remote client appears against a default localhost-only configuration.
- SSL mismatch between the client's attempt and
hostssl/hostnosslrules. - Rules scoped to other databases or users than the ones you're connecting with.
- The file was edited but never reloaded — pg_hba changes take effect only on reload.
How to diagnose it
Take the four values from the error message and walk the rules with them:
-- La vista mostra le regole così come il server le ha lette,
-- con eventuali errori di parsing per riga:
SELECT line_number, type, database, user_name, address, auth_method, error
FROM pg_hba_file_rules;
Check, in order: is there a line whose connection type matches (SSL!)? whose database list includes yours? whose user list includes yours? whose address contains the client IP in the message?
How to fix it
Add a rule as narrow as the real need, then reload:
# /etc/postgresql/.../pg_hba.conf — esempio: app dal subnet privato, SSL, SCRAM
hostssl appdb app_user 10.0.0.0/24 scram-sha-256
SELECT pg_reload_conf(); -- oppure: systemctl reload postgresql
- Resist
host all all 0.0.0.0/0— scope by database, user and CIDR. And nevertruston network connections. - If the mismatch is SSL, set
sslmode=require(or stronger) in the client connection string instead of weakening the server rules.
