App cannot connect to a managed postgresql cluster on digitalocean #55

Closed
conorsch opened this issue Sep 19, 2024 · 0 comments · Fixed by #56

@conorsch
Contributor

When connecting to a remote TLS endpoint for the postgres database, specifically hosted on DigitalOcean's managed setup, the app throws the error SELF_SIGNED_CERT_IN_CHAIN:

```
-- [2024-09-19T20:37:35.517Z] 0.002 GET /favicon.ico
Error fetching block data: Error: self-signed certificate in certificate chain
    at /app/node_modules/.pnpm/pg-pool@3.6.2_pg@8.12.0/node_modules/pg-pool/index.js:45:11
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async s.query (/app/.next/server/pages/api/blocks/[...params].js:1:1099)
    at async s.fetchMostRecentNBlocks (/app/.next/server/pages/api/blocks/[...params].js:117:14)
    at async o (/app/.next/server/pages/api/blocks/[...params].js:131:1546)
    at async K (/app/node_modules/.pnpm/next@14.2.9_@babel+core@7.25.2_react-dom@18.3.1_react@18.3.1__react@18.3.1/node_modules/next/dist/compiled/next-server/pages-api.runtime.prod.js:20:16881)
    at async U.render (/app/node_modules/.pnpm/next@14.2.9_@babel+core@7.25.2_react-dom@18.3.1_react@18.3.1__react@18.3.1/node_modules/next/dist/compiled/next-server/pages-api.runtime.prod.js:20:17520)
    at async NextNodeServer.runApi (/app/node_modules/.pnpm/next@14.2.9_@babel+core@7.25.2_react-dom@18.3.1_react@18.3.1__react@18.3.1/node_modules/next/dist/server/next-server.js:598:9)
    at async NextNodeServer.handleCatchallRenderRequest (/app/node_modules/.pnpm/next@14.2.9_@babel+core@7.25.2_react-dom@18.3.1_react@18.3.1__react@18.3.1/node_modules/next/dist/server/next-server.js:269:37)
    at async NextNodeServer.handleRequestImpl (/app/node_modules/.pnpm/next@14.2.9_@babel+core@7.25.2_react-dom@18.3.1_react@18.3.1__react@18.3.1/node_modules/next/dist/server/base-server.js:813:17) {
  code: 'SELF_SIGNED_CERT_IN_CHAIN'
}
-- [2024-09-19T20:37:35.427Z] 0.101 GET /api/blocks/50
```

Note that psql works just fine with this URL, so the connection problem is specific to the application code. We encountered the same problem in Cuiloa: penumbra-zone/cuiloa#193 and decided that providing a mechanism for supplying a CA_CERT env var was a good enough workaround.

@conorsch conorsch self-assigned this Sep 19, 2024
conorsch added a commit that referenced this issue Sep 19, 2024
Adds opt-in support for declaring a CA certificate value for the
database TLS connection. Some managed postgres solutions, such as
DigitalOcean's, require this setting. In order to use it:

  1. set the CA_CERT env var with the string contents of the db's CA
  2. remove the `sslmode=require` from the connection auth string

The need for 2 is because the `connectionString` param clobbers
any manual `ssl` opts in the db config, and is documented here [0].

Closes #55.

[0] https://node-postgres.com/features/ssl#usage-with-connectionstring
conorsch added a commit that referenced this issue Sep 19, 2024
Adds opt-in support for declaring a CA certificate value for the
database TLS connection. Some managed postgres solutions, such as
DigitalOcean's, require this setting. In order to use it:

  1. set the PENUMBRA_INDEXER_CA_CERT env var with the string contents of the db's CA
  2. remove the `sslmode=require` from the connection auth string

The need for 2 is because the `connectionString` param clobbers
any manual `ssl` opts in the db config, and is documented here [0].

Closes #55.

[0] https://node-postgres.com/features/ssl#usage-with-connectionstring
conorsch added a commit that referenced this issue Sep 20, 2024
Adds opt-in support for declaring a CA certificate value for the
database TLS connection. Some managed postgres solutions, such as
DigitalOcean's, require this setting. In order to use it:

  1. set the PENUMBRA_INDEXER_CA_CERT env var with the string contents of the db's CA
  2. remove the `sslmode=require` from the connection auth string

The need for 2 is because the `connectionString` param clobbers
any manual `ssl` opts in the db config, and is documented here [0].

Closes #55.

[0] https://node-postgres.com/features/ssl#usage-with-connectionstring
conorsch added a commit to penumbra-zone/penumbers that referenced this issue Oct 8, 2024
Creates an initial skeleton for CI runs, based on the standard JS
tooling we support in other repos. The changes are unobjectionable:
containerfile for building images, nix env with justfile for common
local commands.

Also modified the app code slightly to accept an optional database CA
cert, which is necessary for the managed db services when leveraging
node-postgres; see related discussion in [0].

Overhauls the README based on all the above.

[0] penumbra-zone/dex-explorer#55
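
The two steps from the commit messages above, shown as an added example that is not the project's own code: it builds a node-postgres pool config that trusts the provider's CA and strips the connection-string parameters that would otherwise replace the `ssl` object. `buildPoolConfig`, its arguments and the sample values are hypothetical; `PENUMBRA_INDEXER_CA_CERT` is the variable named on this page.

```javascript
// Added example, not the project's code. buildPoolConfig and the sample
// values are hypothetical; PENUMBRA_INDEXER_CA_CERT is from the page.

// Query parameters that, per the node-postgres SSL docs, cause the
// connection string to replace any `ssl` object passed alongside it.
const SSL_PARAMS = ["sslmode", "sslcert", "sslkey", "sslrootcert"];

function buildPoolConfig(connectionString, env = process.env) {
  const caCert = env.PENUMBRA_INDEXER_CA_CERT;
  // Opt-in: with no CA supplied, pass the connection string through as-is.
  if (!caCert) {
    return { connectionString };
  }
  // The variable holds the PEM text itself, not a path to a file.
  if (!caCert.includes("-----BEGIN CERTIFICATE-----")) {
    throw new Error("PENUMBRA_INDEXER_CA_CERT must contain PEM certificate text");
  }
  const url = new URL(connectionString);
  for (const name of SSL_PARAMS) {
    url.searchParams.delete(name);
  }
  return {
    connectionString: url.toString(),
    // Trust only the supplied CA and keep chain validation switched on,
    // so the SELF_SIGNED_CERT_IN_CHAIN error is resolved by verification
    // rather than by disabling it.
    ssl: { ca: caCert, rejectUnauthorized: true },
  };
}

// Constructed sample input, for illustration only.
const sampleUrl =
  "postgresql://app:secret@db.example.invalid:25060/defaultdb" +
  "?sslmode=require&application_name=explorer";
const samplePem =
  "-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----\n";
const sampleConfig = buildPoolConfig(sampleUrl, {
  PENUMBRA_INDEXER_CA_CERT: samplePem,
});
console.log(sampleConfig.connectionString);
```

The returned object is what would be passed to `new Pool(...)` from `pg`.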