From fe95319b6c6f16a7a66c1d290484f77cec03ed78 Mon Sep 17 00:00:00 2001
From: Thibault Charbonnier
Date: Mon, 25 Sep 2017 11:53:31 -0700
Subject: [PATCH 1/2] fix(postgres) allow self-signed certificates for migrations

This fixes a reported issue that Kong would not be able to run migrations on PostgreSQL with self-signed certificates. The error "self signed certificate" that Kong raised indicated that the root CA was not made available to the cosocket in use. Because the CLI is interpreted by resty-cli, it is too late to set the resty-cli `lua_ssl_trusted_certificate` directive. The approach we historically take is to rely on LuaSocket/LuaSec in Kong's CLI and circumvant this limitation (the root CA file can be specified at runtime as part of the LuaSocket instantiation options).

Fix #2856
---
 kong/dao/db/postgres.lua | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/kong/dao/db/postgres.lua b/kong/dao/db/postgres.lua
index 6f27f961cb8..ef3ab04fd42 100644
--- a/kong/dao/db/postgres.lua
+++ b/kong/dao/db/postgres.lua
@@ -62,8 +62,16 @@ end
 local function query_opts(self)
   local opts = self:clone_query_options()
-  opts.socket_type = forced_luasocket_phases[get_phase()] and
-                     "luasocket" or "nginx"
+
+  if ngx.IS_CLI or forced_luasocket_phases[get_phase()] then
+    -- Force LuaSocket usage in order to allow for self-signed certificates
+    -- to be trusted (via opts.cafile) in the resty-cli interpreter.
+    -- As usual, LuaSocket is also forced in non-supported cosocket contexts.
+    opts.socket_type = "luasocket"
+
+  else
+    opts.socket_type = "nginx"
+  end
   return opts
 end

From 68d358b87125a3c17a0a6e7f733879c0aee81867 Mon Sep 17 00:00:00 2001
From: Thibault Charbonnier
Date: Mon, 25 Sep 2017 13:08:22 -0700
Subject: [PATCH 2/2] fix(cassandra) allow self-signed certificates for migrations

Follow-up of 5e2d31e9f5d79c901ef5364eb8786c86c0ae5010 for the Cassandra DAO strategy.
---
 kong/dao/db/cassandra.lua | 6 ++++++
 1 file changed, 6 insertions(+)
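Review bot: The comment on the new `if` branch in `query_opts` says the root CA is trusted "via opts.cafile", but nothing in this hunk sets that field; it presumably comes from `self:clone_query_options()`, which is outside the hunk, so a reader cannot tell whether `cafile` is always populated when certificate verification is enabled. Since the CLI now takes the `"luasocket"` path for every query rather than only the forced phases, it is worth confirming that a verifying connection with no `cafile` configured still fails closed instead of accepting whatever chain the server presents. I would also reword the comment so it does not read as if self-signed certificates are accepted unconditionally, e.g. `-- resty-cli cannot set lua_ssl_trusted_certificate, so force LuaSocket there; the root CA given in opts.cafile (presumably filled by clone_query_options) is then honored by LuaSec.` The blank line before `else` is unusual for this file and could be dropped.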
diff --git a/kong/dao/db/cassandra.lua b/kong/dao/db/cassandra.lua
index 98571e8d6dd..189d313f36b 100644
--- a/kong/dao/db/cassandra.lua
+++ b/kong/dao/db/cassandra.lua
@@ -62,6 +62,12 @@ function _M.new(kong_config)
   if ngx.IS_CLI then
     local policy = require("resty.cassandra.policies.reconnection.const")
     cluster_options.reconn_policy = policy.new(100)
+
+    -- Force LuaSocket usage in order to allow for self-signed certificates
+    -- to be trusted (via opts.cafile) in the resty-cli interpreter.
+    -- As usual, LuaSocket is also forced in non-supported cosocket contexts.
+    local socket = require "cassandra.socket"
+    socket.force_luasocket("timer", true)
   end
 --
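Review bot: The comment copied from the Postgres change does not match this code: it refers to `opts.cafile`, a name that does not exist in `_M.new` (the options table here is `cluster_options`), and its last sentence says LuaSocket is "also forced in non-supported cosocket contexts", whereas `socket.force_luasocket("timer", true)` only forces it for the `timer` phase. I would reword it to describe what is actually done, e.g. `-- resty-cli runs in the "timer" phase and cannot set lua_ssl_trusted_certificate; force LuaSocket there so the configured root CA file can be trusted by LuaSec.` `force_luasocket` also looks like process-wide state on the `cassandra.socket` module, yet it is toggled from a constructor that may run more than once; hoisting the `require` to the file's top-level imports and flipping the flag once at module load, still guarded by `ngx.IS_CLI`, would make the global effect explicit. `_M.new` starts before and continues past this hunk.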