-
-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
self signed certificate error #2009
Comments
If I’m reading bf029c8 correctly, I think there may have been a bunch of options (including rejectUnauthorized) being inadvertently set to falsy values. They are now not set at all unless you pass them in. The last release was a breaking change, but it’s probably easiest to fix by passing rejectUnauthorized: false to pg. |
Sorry, I think I actually meant checkServerIdentity. |
Well, it’s a good thing that was fixed. We should probably add a test for it. It might also be worth a security announcement (@brianc). |
God I thought I was going crazy! Thanks for this info rolling back to 7.12 worked for me. |
I am facing the same issue. Rolling back to |
Spotted that in our staging system (heroku), happy to give more details. |
I'm using Sequelize as well and I got the "self signed certificate in chain" error until I rolled back to 7.12.1 |
This one one of the most painful bugs I had to identify. |
Same here. Very hard to identify. The only error message we got is:
And we noticed that it occurs when we query PSQL. Downgraded to |
If it may help someone else, we just added the
lets say the error is still there, but we are not being notified, and the backend is not crashing anymore. Just adjust the configuration according to your own needs. |
Gah, I apologize for this! There aren't enough tests around self-signed cert connecting with node-postgres in travis so it was missed. Totally accidental on my part! I'm going to roll out a backwards-compatible (to the 7.x line) semver patch on top of this one to make sure it behaves exactly as it should. @charmander what do you mean about security announcement? This makes things more secure now right? By forcing unauthorized cert rejection, where as before it was ignoring it? We should probably make the defaults be the same as the node.js defaults in v8.0. Do you mean announcing the current behavior is insecure in that it allows unauthorized certs unless you specifically set |
Okay - released I'd like to get self-signed and "proper" ssl connections tested in travis. Anyone have a docker file handy that sets both of those things up? Then we can be covered on this behavior going forward. |
@brianc Yep, it does! I meant an announcement that pg 0.8.7 through 7.12.0 don’t check certificates. (edit)
Yes, exactly that. |
+1 to having the default in a new major being to validate so that it's an explicit action to disable things. FYI, the default for libpq (ex: via psql) is not to validate either so the default behavior of this module till now is not totally crazy either. May be worth calling that out in any security announcement: https://www.postgresql.org/docs/current/libpq-ssl.html (Still a +1 to making a security note calling out the behavior) |
@brianc RE: a test setup, the defaults for a Debian / Ubuntu postgresql server install configures it to use a self signed "snake oil" cert. Setting it up in Docker container should be similar. The PGJDBC driver has a whole bunch of SSL related configs and tests for running things on Travis. Includes overwriting the certs, setting up specific users, installing the sslinfo extension for verifying things. May be worth a peek: https://github.com/pgjdbc/pgjdbc |
any news on this subject? any pg version that properly supports self signed certs? |
I'll add this to [email protected] which is under active development & should be released in a week or two, so will look at this shortly sorry for the delay |
@hghammoud What’s “properly”? If you mean the behaviour of not verifying certificates, that was already restored in 7.14.0. If you want verification, you’ll have to specify options like: {
ssl: {
rejectUnauthorized: true,
ca: /* the certificate */,
},
} and that’s not going to change with 8.0 except for |
Yes, it treats `undefined` as `false`. Discussion in brianc#2009. Introduced unintentionally in pg 0.8.7.
Yes, it treats `undefined` as `false`. Discussion in #2009. Introduced unintentionally in pg 0.8.7.
@charmander - I was looking at the postgres docs... https://www.postgresql.org/docs/9.1/libpq-ssl.html Particularly at "Table 31-1. SSL Mode Descriptions" - I think specifying Other than that I'm not even totally sure deprecating the ability to leave it |
It’s in line with how libpq does things, but I still think it’s better to be secure by default – in line with Node’s tls. I was surprised by it, at least, but maybe that was influenced by reading the code (which can make for misleading reading because the change to not verifying by default was an accident). Parsing libpq’s connection strings into the appropriate settings would be a good change, though, yeah. (And to be clear, the deprecating the ability to leave it undefined isn’t supposed to be permanent, right? It’ll default to |
Well that's why I brought it up - I'm not sure we should default to
I guess we could do that....you're right its more secure by default. I think in that case we should make sure if you use the environment variables:
We pass the proper value of either |
To elaborate on these changes a bit I think it should be like...
I think in every case we want the connection parameters (which parse env vars) to generate a default ssl config, and in every case we want to allow any custom e.g.
should make it reject unauthorized. Anything you pass explicitly to |
I'll document these permutations and also include a note to discourage the use of |
this topic helped me https://stackoverflow.com/questions/61097695/self-signed-certificate-error-during-query-the-heroku-hosted-postgres-database/66773313#66773313 |
Hi all! I'm running into the same issue, but none of the recommended fixes seem to work. My setup:
My Sequelize connection parameters:
What I've tried:
1-5 have no effect, and rolling back to pg v7 breaks the app (locally, any attempted reads/writes to the database hang with no error message; on heroku, the db:migrate command runs without an error message, but the db isn't updated). I assume that pg v7 is incompatible with my Node version or some other package version in my project, but I have no idea how to figure out what a compatible version set would be other than by trial and error, which isn't feasible. Also, as a side note, this is a hobby project so I'm not worried about MITM attacks. Interestingly, I'm able to connect to my Heroku database just fine when I run Any ideas how I can fix this one? Any and all help would be much appreciated! Also posted this to StackOverflow if folks would like internet points. |
@WithoutATowel If it’s being passed directly to pg, the value of |
Lol... Thank you @charmander! |
- updated to the latest modules - fixed an issue encountered with the pg module described here: brianc/node-postgres#2009 (comment)
@adrianhorning08 hi! I also use DO managed database but it doesn't work for me. I don't understand what I'm doing wrong.
|
Hi all, Having the same issue here. Even after setting dialectOptions as suggested previously in the thread. I've got;
And I'm still getting:
Is there anything else I could try? |
@sted6 The spelling is |
@charmander uhg I could of swore I even copy pasted that. Thank you so much. |
Hi, I've tried all mentioned options but am still having issues. I've posted my issue here: https://stackoverflow.com/questions/68327934/error-self-signed-certificate-while-running-sequelize-dbmigrate-on-heroku. Any help would be greatly appreciated. Thank you! |
@forrestpark Same typo as @sted6, it’s |
This comment has been minimized.
This comment has been minimized.
hello everyone, i have the same problem and ive tried litterally everything i found, from global variables on heroku to all kinds of those params: const sequelize = new Sequelize(database, user, password, { |
Should be |
yeahh that was just a mistake that i copy pasted ahah ive tried without it and still the same error, ive tried like this dialectOptions: { |
Pls help, I have try all the answer here, nothing seems to work for me.
I also added this as an env in heroku Thanks in advance 🙏🙏 |
@Tosinkoa You haven’t passed the pool to connect-pg-simple in that code, so none of the configuration other than |
Everything works fine now, thank you so much.
|
I have the following const { Pool } = require('pg');
const { parse } = require('pg-connection-string');
const config = parse(process.env.DATABASE_URL);
config.ssl = { rejectUnauthorized: true };
const pool = new Pool(config);
pool.connect((err, client, done) => {
if (err) {
console.error('Error acquiring client', err.stack);
return;
}
const testQuery = 'SELECT * FROM information_schema.tables';
client.query(testQuery, (err, result) => {
done();
if (err) {
console.error('Error executing query', err.stack);
return;
}
console.log('Query result:', result.rows);
pool.end();
});
}); Before running the script I am exporting the My question is how can I enforce the I have tried the following config.ssl = {
rejectUnauthorized: true,
sslmode: 'verify-full',
ca: fs.readFileSync('./global-bundle.pem').toString(),
}; However it is as if the |
@pantelis-karamolegkos config.ssl = {
ca: fs.readFileSync('./global-bundle.pem'),
}; |
Hi. Sorry ahead of time, I don't have a lot of detail here. We updated our packages today and afterwards started seeing a connection error from Sequelize ORM: "self signed certificate". We do in fact use a self signed certificate but this has never been a problem for us in the past. We downgraded from [email protected] to [email protected] and then we were able to connect again.
The text was updated successfully, but these errors were encountered: