The sslrootcert=system option on connection strings passed to psql is broken:

/Applications/Postgres.app/Contents/Versions/latest/bin/psql 'postgresql://user:[email protected]/db?sslrootcert=system'

psql: error: connection to server at "host.tld" (2600:...), port 5432 failed: SSL error: certificate verify failed: unable to get local issuer certificate

This is a great shame, since it blocks wider adoption of this helpful security feature.

To reproduce the issue, simply install Postgres.app on macOS Sequoia (15.2) and point psql at a free Neon database, having swapped sslmode=require for sslrootcert=system on the end of the connection string.

I haven't figured out why it's broken, but I do have a list of some installations that are and that aren't: https://gist.github.com/jawj/57bc9d1f350ffd5250942cf24957b3a7