Bug
Resolution: Unresolved
Critical
Problem
Que workers failed to start with SSL-enabled PostgreSQL connections. The DATABASE_SSL_MODE, DATABASE_SSL_CA, DATABASE_SSL_CERT, and DATABASE_SSL_KEY environment variables were read by Rails' database.yml but not passed to Que's Locker, which creates a dedicated connection for PostgreSQL LISTEN/NOTIFY. This caused the error: "connection requires a valid client certificate".
In practice, Que, and therefore zync itself, cannot connect to any mTLS-protected database, nor to a regular TLS-protected database whenever the connection depends on any of the environment variables above. The only scenario currently supported is connecting to a TLS-protected database using a certificate installed in the OS.
Solution
Modify lib/tasks/que.rake to build a complete PostgreSQL connection URL from Rails database configuration (including all SSL parameters from database.yml) and pass it to the que executable via the --connection-url flag. This ensures both the Locker's dedicated connection and worker connections use proper SSL configuration.
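One way to assemble such a URL, as an added example that is not zync's own code. The helper names `que_connection_url` and `pct` are hypothetical, and the config is assumed to carry the libpq keyword names (sslmode, sslrootcert, sslcert, sslkey) that database.yml would populate from the DATABASE_SSL_* variables.

```ruby
# Added example: build a libpq connection URL from a database.yml-style hash.
SSL_KEYS = %w[sslmode sslrootcert sslcert sslkey].freeze # libpq TLS keywords

# Percent-encode everything except RFC 3986 unreserved characters, so that
# passwords and file paths cannot break out of their URL component.
def pct(value)
  value.to_s.b.gsub(/[^A-Za-z0-9\-._~]/n) { |c| format("%%%02X", c.ord) }
end

# Hypothetical helper; accepts string or symbol keys.
def que_connection_url(config, include_password: true)
  cfg = config.transform_keys(&:to_s)
  userinfo = ""
  if cfg["username"]
    userinfo = pct(cfg["username"])
    userinfo += ":#{pct(cfg['password'])}" if include_password && cfg["password"]
    userinfo += "@"
  end
  host = cfg.fetch("host", "localhost")
  port = cfg["port"] ? ":#{Integer(cfg['port'])}" : ""
  # Carry over only the SSL settings that are actually set; blank values are
  # dropped so libpq falls back to its defaults instead of an empty path.
  query = SSL_KEYS.filter_map do |key|
    value = cfg[key].to_s
    "#{key}=#{pct(value)}" unless value.empty?
  end
  url = "postgresql://#{userinfo}#{host}#{port}/#{pct(cfg.fetch('database'))}"
  query.empty? ? url : "#{url}?#{query.join('&')}"
end

# Constructed sample config, shaped like a resolved database.yml entry.
SAMPLE = {
  host: "db.example.internal", port: 5432, database: "zync_production",
  username: "zync", password: "p@ss/w:rd",
  sslmode: "verify-full", sslrootcert: "/etc/pki/db/ca.crt",
  sslcert: "/etc/pki/db/client.crt", sslkey: "/etc/pki/db/client.key"
}.freeze

puts que_connection_url(SAMPLE, include_password: false) if $PROGRAM_NAME == __FILE__
```

Command-line arguments are visible in the process listing, so a URL passed via --connection-url exposes any password embedded in it. With `include_password: false` the password can instead be supplied through the PGPASSWORD environment variable, assuming the connection is made through libpq.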
- is depended on by THREESCALE-12120 zync-database connection fails (To Develop)