It appears that if you set ‘rejectUnauthorized’ to ‘true’ but don’t provide a valid certificate chain then you get this cryptic error from pg. Have you tried creating a self-signed certificate and providing that as both the ‘server’ and ‘root’. Here’s an example from the pg docs: