[Bug]: Unable to connect to TLS Postgres Pool
Requirements
- [X] Is this a bug report? For questions or discussions use https://lemmy.ml/c/lemmy_support
- [X] Did you check to see if this issue already exists?
- [X] Is this only a single bug? Do not put multiple bugs in one issue.
- [X] Do you agree to follow the rules in our Code of Conduct?
- [X] Is this a backend issue? Use the lemmy-ui repo for UI / frontend issues.
Summary
After updating from 0.19.3 to 0.19.4, the backend fails to connect successfully to a TLS-required postgres pool (using pgbouncer).
pgbouncer shows the client attempting to connect and immediately closing the connection after 0s:
2024-06-10 18:03:24.702 UTC [6] LOG C-0x558e29389c30: lemmy/[email protected]:60720 login attempt: db=lemmy user=lemmy tls=TLSv1.3/TLS_AES_256_GCM_SHA384
2024-06-10 18:03:24.740 UTC [6] LOG C-0x558e29389c30: lemmy/[email protected]:60720 closing because: client close request (age=0s)
The lemmy backend container reports:
Lemmy v0.19.4
2024-06-10T18:03:37.268466Z INFO lemmy_db_schema::schema_setup: Running Database migrations (This may take a long time)...
2024-06-10T18:03:37.302547Z INFO lemmy_db_schema::schema_setup: Database migrations complete.
thread 'main' panicked at /usr/local/cargo/registry/src/index.crates.io-6f17d22bba15001f/rustls-0.23.9/src/crypto/mod.rs:259:14:
no process-level CryptoProvider available -- call CryptoProvider::install_default() before this point
stack backtrace:
I suspect this is related to this change: https://github.com/LemmyNet/lemmy/pull/4690
Steps to Reproduce
- Upgrade from 0.19.3 to 0.19.4 when using a postgres pool and pgbouncer
- Observe that TLS connection appears to be failing
Technical Details
Running lemmy on kubernetes using this helm chart: https://gitlab.com/ananace/charts/-/tree/master/charts/lemmy
Using this Postgres Operator: https://github.com/CrunchyData/postgres-operator which forces TLS by default
Version
0.19.4
Lemmy Instance URL
lemmy.cloudhub.social
I had to make this change for mine to work:
minus line 9, unrelated
So, I guess there was an update to rustls that didn't add a default tls provider. That'll probably need an update to the project I guess.
@makotech222 could you do a PR for this one?
Sorry, I don't have lemmy working locally anymore so I can't really work on it.
I was able to work around this by setting lemmy to "prefer" ssl, and the same for pgbouncer. It's not currently encrypted, but that's less of a concern for me.
I tried the suggested changes in a PR but the tests kept failing, and I've never worked with rust to start figuring out how to implement it. Based on what I saw during debugging, that does look like the correct way to implement the default provider, I'm just not sure if I was putting it in the right spot or something.
Looking at the test output, clippy was installing the rustls crate, but it couldn't seem to find it when doing the config.
Might still be an issue on latest:
I am experiencing the same issue in the latest version.
I moved the code back to main.rs and it works fine.
fwiw pict-rs installs a provider on its own if one is not already set. If you care about your provider taking precedence it needs to be installed before pict-rs is started
@makotech222 What do you mean, moved the code back to main? Could you do a PR to fix this?
moved the init code back to main(). The first PR that was made had this, but I think some formatter thing complained in the PR, and it got moved to where it is now. My screenshot is also showing the correct place for it.
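A self-contained model of what the two comments above describe (the panic when no process-level provider is installed, and why the install has to happen in main() before pict-rs starts). This is an added example, not Lemmy's or rustls' code: it mirrors the first-caller-wins semantics of rustls 0.23's `CryptoProvider::install_default` and its "auto-select only when exactly one backend is compiled in" fallback using std types only; the provider names and `pict_rs_start` are placeholders, not what pict-rs really installs.

```rust
use std::sync::{Arc, OnceLock};

/// Exact text of the panic quoted in the issue's backend log.
pub const PANIC_MSG: &str =
    "no process-level CryptoProvider available -- call CryptoProvider::install_default() before this point";

/// Stand-in for a rustls `CryptoProvider`; only its backend name matters in this model.
#[derive(Debug, PartialEq)]
pub struct Provider(pub &'static str);

/// The process-wide default slot (rustls keeps a once-cell like this behind `install_default`).
pub struct ProcessDefault(OnceLock<Arc<Provider>>);

impl ProcessDefault {
    pub fn new() -> Self { Self(OnceLock::new()) }

    /// First caller wins. A later caller gets the already-installed provider back as `Err`,
    /// mirroring `CryptoProvider::install_default` -> `Result<(), Arc<CryptoProvider>>`.
    pub fn install_default(&self, p: Provider) -> Result<(), Arc<Provider>> {
        self.0.set(Arc::new(p)).map_err(|_| Arc::clone(self.0.get().unwrap()))
    }

    /// What a TLS config builder does when it needs a provider: use the installed one; if none,
    /// auto-install only when exactly one backend was compiled in; otherwise panic (modelled as Err).
    pub fn resolve(&self, compiled_in: &[&'static str]) -> Result<Arc<Provider>, &'static str> {
        if let Some(p) = self.0.get() { return Ok(Arc::clone(p)); }
        match compiled_in {
            [only] => { let _ = self.install_default(Provider(*only)); Ok(Arc::clone(self.0.get().unwrap())) }
            _ => Err(PANIC_MSG),
        }
    }
}

/// Models pict-rs startup as described in the thread: installs its own provider only if none is set.
/// "pict-rs-default" is a placeholder name (assumption), not what pict-rs actually installs.
pub fn pict_rs_start(slot: &ProcessDefault) -> bool {
    slot.install_default(Provider("pict-rs-default")).is_ok()
}

fn main() {
    // Scenario 1: two backends linked in, nothing installed -> the panic from the issue.
    let slot = ProcessDefault::new();
    println!("{:?}", slot.resolve(&["ring", "aws-lc-rs"]).map(|p| p.0));
    // Scenario 2: install in main() before pict-rs starts -> our choice wins, pict-rs is a no-op.
    let slot = ProcessDefault::new();
    slot.install_default(Provider("ring")).expect("nothing installed yet");
    assert!(!pict_rs_start(&slot));
    println!("{:?}", slot.resolve(&["ring", "aws-lc-rs"]).map(|p| p.0));
}
```

Running it in the reverse order (pict-rs first, then the install in main()) makes `install_default` return `Err` with pict-rs's provider, which is the precedence point the comment makes.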
I'll wait on a PR from you for this.
I don't have anything set up to submit PRs anymore to lemmy sorry.
You can't run these commands?
git clone https://github.com/LemmyNet/lemmy
git checkout -b fix_tls_pool
???
