hasura-backend-plus
Reload loop if database uses a self-signed SSL certificate
Describe the bug
In any hasura-backend-plus version released after v2.4.0, the container throws a warning if the PostgreSQL connection string uses sslmode=required and the used certificate on the database server is self-signed. This seems to prevent HBP from starting and results in a restart loop.
To Reproduce
Steps to reproduce the behavior:
- Set up a recent version of HBP and Hasura with any valid config (example below)
- Use an SSL connection string, i.e. `postgresql://user:[email protected]:25060/default?sslmode=require`, on an SSL-enabled database
- Check the container logs
Expected behavior
HBP should start regardless of the warning.
Output
```
yarn run v1.22.5
$ node -r ./dist/start.js
Applying migrations
(node:27) UnhandledPromiseRejectionWarning: Error: self signed certificate in certificate chain
    at TLSSocket.onConnectSecure (_tls_wrap.js:1514:34)
    at TLSSocket.emit (events.js:375:28)
    at TLSSocket.emit (domain.js:470:12)
    at TLSSocket._finishInit (_tls_wrap.js:936:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:708:12)
(Use `node --trace-warnings ...` to show where the warning was created)
(node:27) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). To terminate the node process on unhandled promise rejection, use the CLI flag `--unhandled-rejections=strict` (see https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode). (rejection id: 1)
(node:27) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.
Done in 2.36s.
```
Additional context
The managed database hosting I used in this case was at DigitalOcean. They provide a certificate to download, but it's not possible to use a non-SSL connection.
The docker-compose.yaml below sets up Hasura, HBP and PostgreSQL with SSL (tested on a DO Hasura Droplet with Ubuntu 18.04):
```yaml
version: '3.6'
services:
  postgres:
    image: postgres:12
    restart: always
    volumes:
      - db_data:/var/lib/postgresql/data
      - './keys:/var/lib/postgresql'
    environment:
      POSTGRES_PASSWORD: postgrespassword
    # enable server-side TLS using the Debian snakeoil (self-signed) certificate shipped in the image
    command: >
      -c ssl=on
      -c ssl_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
      -c ssl_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
  graphql-engine:
    image: hasura/graphql-engine:v2.0.4
    depends_on:
      - "postgres"
    restart: always
    environment:
      HASURA_GRAPHQL_METADATA_DATABASE_URL: postgres://postgres:postgrespassword@postgres:5432/postgres?sslmode=require
      HASURA_GRAPHQL_ENABLE_CONSOLE: "true"
      HASURA_GRAPHQL_DEV_MODE: "true"
      HASURA_GRAPHQL_ADMIN_SECRET: myadminsecretkey
      HASURA_GRAPHQL_JWT_SECRET: >-
        {"type": "HS512", "key": "randomRandomRandomRandomRandomRandomRandomRandomRandomRandomRandomRandomRandomRandomRandomRandomRandomRandom"}
    command:
      - graphql-engine
      - serve
  hasura-backend-plus:
    image: nhost/hasura-backend-plus:v2.7.1
    depends_on:
      - "graphql-engine"
    restart: always
    ports:
      - "4000:4000"
    environment:
      HOST: 0.0.0.0
      PORT: 4000
      DATABASE_URL: >-
        postgres://postgres:postgrespassword@postgres:5432/postgres?sslmode=require
      SERVER_URL: "http://localhost:4000"
      HASURA_ENDPOINT: "http://graphql-engine:8080/v1/graphql"
      HASURA_GRAPHQL_ADMIN_SECRET: myadminsecretkey
      JWT_ALGORITHM: HS512
      JWT_KEY: randomRandomRandomRandomRandomRandomRandomRandomRandomRandomRandomRandomRandomRandomRandomRandomRandomRandom
      STORAGE_ENABLED: 'false'
  caddy:
    image: caddy/caddy
    depends_on:
      - "graphql-engine"
    restart: always
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - caddy_certs:/root/.caddy
volumes:
  db_data:
  caddy_certs:
```
Try adding NODE_TLS_REJECT_UNAUTHORIZED: '0' to your hbp compose file