no pg_hba.conf entry for host “…”, user “…”, database “…”, SSL off

SQLSTATE 28000 condition invalid_authorization_specification class 28 — Invalid Authorization Specification severity FATAL

Reproduced & verified on PostgreSQL 14.23, 15.18, 16.14, 17.10 and 18.4 — identical message on every version.

Last reviewed 30 May 2025 · Reproduced live with the SQL on this page.

Symptoms

A client tried to connect but no line in pg_hba.conf matched its host, user, database, and SSL state. PostgreSQL refuses the connection with SQLSTATE 28000 (invalid_authorization_specification).

The message echoes the host IP, role, database, and whether SSL was used.
“SSL off” means an entry might exist only for hostssl.
Very common right after deploying from a new network or IP range.

What the server log shows

FATAL:  no pg_hba.conf entry for host "203.0.113.5", user "app", database "orders", SSL off

Why PostgreSQL raises this — what the manual says

As Section 20.1 The pg_hba.conf File explains:

No line in pg_hba.conf matched the combination of connecting host, requested database, role, and connection type (SSL on/off), so the connection was rejected; add or adjust a matching entry and reload the configuration.

On connect, PostgreSQL scans pg_hba.conf top-to-bottom for a row matching the connection type, client address, requested database, and role. If none matches, the connection is rejected with 28000 before authentication even runs.

Common causes

The client IP/CIDR is not covered by any host line.
The role or database name is not allowed by matching lines.
Only hostssl entries exist but the client connected without SSL (“SSL off”).

How to fix it

Add an appropriate line to pg_hba.conf (host, db, user, CIDR, auth method), then reload.
Reload config: SELECT pg_reload_conf(); (no restart needed).
If you require encryption, connect with sslmode=require to match a hostssl rule.

Related & next steps

Reference: PostgreSQL 18 Section 20.1 “The pg_hba.conf File”.