Unable to read custom certs for SSL postgres when in docker #1432

Closed
AMarti96 opened this issue Mar 11, 2022 · 5 comments
@AMarti96

AMarti96 commented Mar 11, 2022

When trying to connect a self-hosted Unleash instance to a Postgres DB that uses self-signed certs, I am getting the following error:

Failed to migrate db OperationalError: self signed certificate in certificate chain

Following some other issues like this one and checking the docs in here, along with the environment variables supported by Unleash, documented here, I know I can do the following to totally disable certificate checking and allow self-signed certs:

DATABASE_SSL="{ \"rejectUnauthorized\": false}"

But this has the problem that the certificate is not verified, which is not ideal. I would like our certificate to be verified, and for that it seems I should be able to pass it in the ca object as part of the DATABASE_SSL variable, like this:

DATABASE_SSL="{ \"rejectUnauthorized\": true, \"ca\": \"fs.readFileSync('/path/to/cert.crt').toString()\" }"

but this configuration does not seem to be valid in Unleash; it just gets ignored and I still get the error about the "self signed certificate in certificate chain".

I also tried using other node-specific variables like NODE_EXTRA_CA_CERTS, but the result was the same.

Finally, there is no way to have the certificate signed by a trusted CA (the Postgres instance is not controlled by me, and they just provide the certificate so you can at least add it to your known certificates).

@ivarconr
Member

Hi, thanks for reporting.

First, 'fs.readFileSync' will simply not work; you would need to set the actual text content of the file, you can't instruct it to read the content from a file.
(Maybe we should support that in the future.)

I know NODE_EXTRA_CA_CERTS does work (we used this technique previously for the hosted offering), so this must be some configuration issue (maybe the path to the cert was not actually correct?).
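As an added example (not code from Unleash or from anyone in this thread), the JavaScript below mirrors how a DATABASE_SSL JSON string ends up as the `ssl` options object that node-postgres hands to Node's tls module, and classifies what each of the configurations discussed above actually verifies: the `fs.readFileSync(...)` attempt is just a literal string in `ca`, `rejectUnauthorized: false` turns verification off entirely, and an `ssl` object with no `ca` falls back to Node's root store, which is what NODE_EXTRA_CA_CERTS extends at process start. The helper names (`parseDatabaseSsl`, `classifySslConfig`, `sslFromCaPem`) are assumptions and the PEM sample is constructed, not a real certificate.

```javascript
// Added example, not Unleash's code. It mirrors how a DATABASE_SSL-style JSON
// string ends up as the `ssl` option object that node-postgres hands to Node's
// tls module, and classifies what that object actually verifies. The helper
// names (parseDatabaseSsl, classifySslConfig, sslFromCaPem) are hypothetical.

// A PEM certificate block: what tls expects in `ca`, not a path or an expression.
const PEM_CERT_RE = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/;

// Parse the env-var string the way a JSON-based config loader would:
// unset or empty means "no TLS options"; otherwise the JSON object is used verbatim.
function parseDatabaseSsl(raw) {
  if (raw === undefined || raw === null || raw.trim() === '') return false;
  const ssl = JSON.parse(raw);
  if (typeof ssl !== 'object' || ssl === null) {
    throw new TypeError('DATABASE_SSL must be a JSON object');
  }
  return ssl;
}

// Describe what a given ssl option object verifies:
//   'no-tls'             no TLS options at all
//   'unverified'         rejectUnauthorized:false, any certificate is accepted
//   'invalid-ca'         ca is present but is not PEM text (a code snippet, a path, ...)
//   'verified-custom-ca' rejectUnauthorized (tls default true) with PEM text in `ca`
//   'verified-system-ca' rejectUnauthorized with no `ca`: Node's bundled roots plus
//                        whatever file NODE_EXTRA_CA_CERTS named at process start
function classifySslConfig(ssl) {
  if (ssl === false) return 'no-tls';
  if (ssl.rejectUnauthorized === false) return 'unverified';
  if (ssl.ca !== undefined) {
    const cas = Array.isArray(ssl.ca) ? ssl.ca : [ssl.ca];
    return cas.every((c) => typeof c === 'string' && PEM_CERT_RE.test(c))
      ? 'verified-custom-ca'
      : 'invalid-ca';
  }
  return 'verified-system-ca';
}

// Build the ssl options from PEM text read by the application process itself,
// which is the only place fs.readFileSync can run. If the result must travel
// through an environment variable, JSON.stringify it: the newlines in the PEM
// become \n escapes and survive the round trip through JSON.parse.
function sslFromCaPem(pemText) {
  if (typeof pemText !== 'string' || !PEM_CERT_RE.test(pemText)) {
    throw new TypeError('ca must be PEM certificate text');
  }
  return { rejectUnauthorized: true, ca: pemText };
}

// Constructed sample values: not a real certificate, and the two JSON strings are
// the ones from the issue with the shell escaping removed.
const SAMPLE_PEM =
  '-----BEGIN CERTIFICATE-----\nMIIBconstructedSampleNotARealCert\n-----END CERTIFICATE-----\n';
const ATTEMPTS = {
  disabled: '{ "rejectUnauthorized": false}',
  snippetAsCa: '{ "rejectUnauthorized": true, "ca": "fs.readFileSync(\'/path/to/cert.crt\').toString()" }',
  inlinePem: JSON.stringify(sslFromCaPem(SAMPLE_PEM)),
  relyOnNodeStore: '{ "rejectUnauthorized": true}',
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, raw] of Object.entries(ATTEMPTS)) {
    console.log(name.padEnd(16), classifySslConfig(parseDatabaseSsl(raw)));
  }
}
```

Run stand-alone with node; the `relyOnNodeStore` case is the configuration that ends up working in this thread, because NODE_EXTRA_CA_CERTS is read by the Node runtime rather than by the DATABASE_SSL parser, so `ca` never needs to be inlined.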

@AMarti96
Author

I was able to configure it with NODE_EXTRA_CA_CERTS today, probably the other day I was not doing something correctly...

I am now able to make Unleash verify my postgres certificate, so I would close this issue unless you want to use it to add proper support for passing a cert path to DATABASE_SSL (passing the full contents as part of the JSON is not the best, I'd say).

@AMarti96
Author

AMarti96 commented Mar 16, 2022

In case somebody faces this situation in the future:

docker run -p 4242:4242 -v /full/path/to/cert.pem:/etc/ssl/postgres-sslcert.pem \
-e DATABASE_HOST=my.postgres.host -e DATABASE_PORT=XXXX \
-e DATABASE_NAME=unleash -e DATABASE_USERNAME=unleash_user \
-e DATABASE_PASSWORD=some_password \
-e NODE_EXTRA_CA_CERTS="/etc/ssl/postgres-sslcert.pem" \
-e DATABASE_SSL="{ \"rejectUnauthorized\": true}"  \
unleashorg/unleash-server

@gastonfournier
Contributor

Reopening based on this conversation in our community Slack: https://unleash-community.slack.com/archives/C03GWTN7XMG/p1689777281226039 where using NODE_EXTRA_CA_CERTS works well, but using DATABASE_SSL without rejectUnauthorized: false does not work (it does work with rejectUnauthorized, treating the certificate as self signed).

@stale

stale bot commented Aug 21, 2023

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Aug 21, 2023
@stale stale bot closed this as completed Sep 3, 2023