node-postgres

Support the PGSSLCERT, PGSSLKEY, PGSSLROOTCERT environment variables

Open rafiss opened this issue 3 years ago • 4 comments

Summary

According to the docs, node-postgres uses the same environment variables as libpq to connect to a PostgreSQL server.

However, PGSSLCERT, PGSSLKEY, PGSSLROOTCERT are not supported.

To reproduce

Use the following script:

// Run from the root of the node-postgres repository checkout.
const {Client, Pool} = require("./packages/pg")

// No explicit config: all connection settings come from the PG* environment variables.
const client = new Client()
client.connect(err => {
  if (err) {
    console.error('error connecting', err.stack)
  } else {
    console.log('connected')
    client.end()
  }
})

// Same check through a connection pool.
const pool = new Pool()
pool
  .connect()
  .then(client => {
    console.log('connected')
    client.release()
  })
  .catch(err => console.error('error connecting', err.stack))
  .then(() => pool.end())

Run it with:

PGSSLMODE=require PGSSLCERT=/home/ubuntu/certs/client.testuser.crt PGSSLROOTCERT=/home/ubuntu/certs/ca.crt PGSSLKEY=/home/ubuntu/certs/client.testuser.key PGHOST=localhost PGPORT=26257 PGUSER=root node test.js

It results in the error:

error connecting Error: unable to verify the first certificate
    at TLSSocket.onConnectSecure (_tls_wrap.js:1497:34)
    at TLSSocket.emit (events.js:315:20)
    at TLSSocket._finishInit (_tls_wrap.js:932:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:706:12)
error connecting Error: unable to verify the first certificate
    at TLSSocket.onConnectSecure (_tls_wrap.js:1497:34)
    at TLSSocket.emit (events.js:315:20)
    at TLSSocket._finishInit (_tls_wrap.js:932:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:706:12)

This is because the ssl field in ConnectionParameters is simply set to true and the cert fields are not populated:

ConnectionParameters {
  user: 'root',
  database: 'root',
  port: 26257,
  host: 'localhost',
  binary: false,
  options: undefined,
  ssl: true,
  client_encoding: '',
  replication: undefined,
  isDomainSocket: false,
  application_name: undefined,
  fallback_application_name: undefined,
  statement_timeout: false,
  idle_in_transaction_session_timeout: false,
  query_timeout: false,
  connect_timeout: 0
}

Desired solution

My colleague @RichardJCai has created this PR https://github.com/brianc/node-postgres/pull/2517

rafiss, Mar 19 '22 00:03
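A way to pass the same certificate files explicitly while the variables are not read, as an added example that is not node-postgres code and not the code from the linked PR. `sslFromEnv` is a hypothetical helper that builds the `ssl` option (which pg hands to Node's TLS layer) from the three variables; it assumes any PGSSLMODE other than `disable` should mean full certificate verification.

```javascript
// Added example: map PGSSLROOTCERT / PGSSLCERT / PGSSLKEY to the `ssl` option.
// Default reader loads PEM text from disk; it is injectable so the mapping
// can be exercised without real certificate files.
const defaultRead = (file) => require('fs').readFileSync(file, 'utf8')

// env: object shaped like process.env; read: (path) => PEM string.
function sslFromEnv(env = process.env, read = defaultRead) {
  const mode = env.PGSSLMODE
  // Assumption of this example: no mode, or "disable", means no TLS.
  if (!mode || mode === 'disable') return false

  // A client certificate without its key (or the reverse) cannot be used.
  if (Boolean(env.PGSSLCERT) !== Boolean(env.PGSSLKEY)) {
    throw new Error('PGSSLCERT and PGSSLKEY must be set together')
  }

  const ssl = {}
  // Private CA: without `ca`, Node checks the server against its default
  // trust store, which is what yields "unable to verify the first certificate".
  if (env.PGSSLROOTCERT) ssl.ca = read(env.PGSSLROOTCERT)
  if (env.PGSSLCERT) {
    ssl.cert = read(env.PGSSLCERT)
    ssl.key = read(env.PGSSLKEY)
  }
  // Keep verification on; the fix is supplying the CA, not disabling checks.
  ssl.rejectUnauthorized = true
  return ssl
}

// Constructed sample: the paths from the issue, file contents faked in memory.
const sampleEnv = {
  PGSSLMODE: 'require',
  PGSSLROOTCERT: '/home/ubuntu/certs/ca.crt',
  PGSSLCERT: '/home/ubuntu/certs/client.testuser.crt',
  PGSSLKEY: '/home/ubuntu/certs/client.testuser.key',
}
const sampleFiles = {
  '/home/ubuntu/certs/ca.crt': 'constructed CA PEM',
  '/home/ubuntu/certs/client.testuser.crt': 'constructed client cert PEM',
  '/home/ubuntu/certs/client.testuser.key': 'constructed client key PEM',
}
const sampleSsl = sslFromEnv(sampleEnv, (file) => sampleFiles[file])
console.log(Object.keys(sampleSsl))

// With the pg package and a reachable server:
//   const client = new Client({ ssl: sslFromEnv() })
```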

Any solution to the problem? @rafiss

ghost, Jun 17 '22 08:06

Yes, the PR I linked in my issue report under "Desired solution" addresses the problem.

rafiss, Jun 17 '22 15:06

PR suggested: https://github.com/brianc/node-postgres/pull/2994

dapeleg-dn, Jun 01 '23 11:06

PR is ready. Waiting for a maintainer to review and approve.

dapeleg-dn, Jun 20 '23 09:06