Hm… I tried an abbreviated version with a throwaway database and IPv6—and unexpectedly also saw errors:
```
$ fly pg create --name minoan-saffron --initial-cluster-size 1 \
    --region ams --volume-size 1 --vm-size shared-cpu-1x
$ fly ips allocate-v6 -a minoan-saffron
$ fly ssh console -a different-app
# psql 'postgres://postgres:<right-password>@minoan-saffron.fly.dev:5432/?sslmode=require'
psql: error: SSL SYSCALL error: EOF detected
# psql 'postgres://postgres:<intentionally-wrong-password>@minoan-saffron.fly.dev:5432/?sslmode=disable'
psql: error: FATAL: password authentication failed for user "postgres"
# # ...and the pg machine's logs *do* show 'password
# # authentication failed for user "postgres"'.
# exit
$ fly config show -a minoan-saffron
  .
  .
  .
  "services": [
    {
      "protocol": "tcp",
      "internal_port": 5432,
      "auto_start_machines": false,
      "ports": [
        {
          "port": 5432,
          "handlers": [
            "pg_tls"
          ]
        }
      ],
  .
  .
  .
$ fly services list -a minoan-saffron
Services
PROTOCOL  PORTS         HANDLERS  FORCE HTTPS  PROCESS GROUP  REGIONS  MACHINES
TCP       5432 => 5432  [PG_TLS]  False                       ams      1
TCP       5433 => 5433  [PG_TLS]  False                       ams      1
```
This admittedly isn’t the verbatim procedure given in the docs, but the PG app does already have the pg_tls services, at the right ports.
Possibly this is the Fly edge proxy not liking the “hairpin” aspect… I don’t recall that being mentioned with anything other than UDP before, though…
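
An added diagnostic sketch, not part of the original post and not Fly.io's own tooling: it sends the PostgreSQL `SSLRequest` packet by hand and reports whether the connection ends before the one-byte answer, after a refusal, or during the TLS handshake, which narrows down where an "EOF detected" error originates. The function names (`classify`, `negotiate`, `probe`) are hypothetical.

```python
import socket
import ssl
import struct

# PostgreSQL SSLRequest: Int32 length (8), then Int32 request code 80877103.
SSL_REQUEST = struct.pack("!II", 8, 80877103)

def classify(reply: bytes) -> str:
    """Map the one-byte answer to SSLRequest onto a diagnosis."""
    if reply == b"":
        return "eof-before-ssl-answer"   # peer closed without answering
    if reply == b"S":
        return "tls-offered"
    if reply == b"N":
        return "tls-refused"
    if reply == b"E":
        return "error-response"          # ErrorResponse instead of S/N
    return "unexpected-byte"

def negotiate(sock: socket.socket, host: str) -> str:
    """Send SSLRequest on a connected socket; if TLS is offered, handshake."""
    sock.sendall(SSL_REQUEST)
    verdict = classify(sock.recv(1))
    if verdict != "tls-offered":
        return verdict
    # Unlike sslmode=require, this context verifies the chain and host name,
    # so a verify failure still proves the TLS layer answered.
    ctx = ssl.create_default_context()
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return "tls-ok " + (tls.version() or "")
    except ssl.SSLCertVerificationError:
        return "tls-cert-verify-failed"
    except ssl.SSLEOFError:
        return "eof-during-tls-handshake"
    except ssl.SSLError as exc:
        return "tls-handshake-failed: " + str(exc.reason)

def probe(host: str, port: int = 5432, timeout: float = 5.0) -> str:
    """Connect over TCP and report how far the Postgres TLS setup gets."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return negotiate(s, host)
    except OSError as exc:               # refused, reset, timeout, DNS failure
        return "tcp-error: " + type(exc).__name__

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2])))
```

Running it from the same console against both the public hostname and the app's private address shows whether the two paths diverge before or after the `SSLRequest` answer.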