Hey everyone, I had this issue creating a new Elixir app and launching with fly launch, took me a while to troubleshoot, and I’m posting in case someone has that issue as well:
SSL certificate decode errors when connecting to Fly Postgres using Elixir 1.19.3 (released Nov 13, 2025 - just 2 days ago) with OTP 28.1.1.
** (DBConnection.ConnectionError) ssl connect: TLS client: In state wait_cert at tls_handshake_1_3.erl:841 generated CLIENT ALERT: Fatal - Certificate Unknown
{failed_to_decode_certificate,
{{‘Type not compatible with table constraint’,{error,{asn1,bad_range}}},
[{‘OTP-PKIX’,dec_OTPRelativeDistinguishedName_SingleAttribute,2,…}]}}
Workaround
For internal Fly Postgres connections, disabling SSL works, and it should be safe since WireGuard already encrypts traffic on Fly’s private network (6PN).
# config/runtime.exs
config :myapp, MyApp.Repo,
url: database_url,
ssl: false,
socket_options: maybe_ipv6
Question to the Fly team:
Is this a known incompatibility between OTP 28’s stricter certificate validation and Fly’s Postgres SSL certificates? Should this be documented, or do Fly’s certificates need updating for compatibility with the latest OTP release?
My environment:
- Elixir 1.19.3 (Nov 13, 2025)
- OTP 28.1.1
- Phoenix 1.8
- Fly Postgres (internal connection)
Thanks!