diff --git a/src/connector/src/source/cdc/external/postgres.rs b/src/connector/src/source/cdc/external/postgres.rs
index 7660546af14c..9df4b32e3f5e 100644
--- a/src/connector/src/source/cdc/external/postgres.rs
+++ b/src/connector/src/source/cdc/external/postgres.rs
@@ -20,7 +20,7 @@ use futures::stream::BoxStream;
 use futures::{pin_mut, StreamExt};
 use futures_async_stream::try_stream;
 use itertools::Itertools;
-use openssl::ssl::{SslConnector, SslMethod};
+use openssl::ssl::{SslConnector, SslMethod, SslVerifyMode};
 use postgres_openssl::MakeTlsConnector;
 use risingwave_common::catalog::Schema;
 use risingwave_common::row::{OwnedRow, Row};
@@ -146,14 +146,20 @@ impl PostgresExternalTableReader {
         let connector = match config.sslmode {
             SslMode::Disable => MaybeMakeTlsConnector::NoTls(NoTls),
             SslMode::Prefer => match SslConnector::builder(SslMethod::tls()) {
-                Ok(builder) => MaybeMakeTlsConnector::Tls(MakeTlsConnector::new(builder.build())),
+                Ok(mut builder) => {
+                    // disable certificate verification for `prefer`
+                    builder.set_verify(SslVerifyMode::NONE);
+                    MaybeMakeTlsConnector::Tls(MakeTlsConnector::new(builder.build()))
+                }
                 Err(e) => {
                     tracing::warn!(error = %e.as_report(), "SSL connector error");
                     MaybeMakeTlsConnector::NoTls(NoTls)
                 }
             },
             SslMode::Require => {
-                let builder = SslConnector::builder(SslMethod::tls())?;
+                let mut builder = SslConnector::builder(SslMethod::tls())?;
+                // disable certificate verification for `require`
+                builder.set_verify(SslVerifyMode::NONE);
                 MaybeMakeTlsConnector::Tls(MakeTlsConnector::new(builder.build()))
             }
         };