convex-backend icon indicating copy to clipboard operation
convex-backend copied to clipboard

Published 20 hours ago verified publisher icon get-convex

Add support for self signed certificate for local mysql DB when self-hosting

Open samuelmunyoki opened this issue 10 months ago • 8 comments

Any way to pass a self signed cert path to the db connection for self hosted convex?

2025-01-27T09:24:02.139891Z ERROR common::errors: Caught error (RUST_BACKTRACE=1 RUST_LOG=info,common::errors=debug for full trace): Error occurred while creating a new object: error performing TLS handshake: error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091: (hostname mismatch): error performing TLS handshake: error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091: (hostname mismatch): error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091: (hostname mismatch): error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091: 2025-01-27T09:24:02.145306Z ERROR common::errors: Not reporting above error: SENTRY_DSN not set. Error: Error occurred while creating a new object: error performing TLS handshake: error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091: (hostname mismatch)

samuelmunyoki avatar Jan 27 '25 09:01 samuelmunyoki

Hi

I would pretty strongly recommend against modifying the certificate path and just use a properly signed certificate signed by a certificate authority such that the regular cert roots on your machine work.

However, if you know what you're doing and you really want to use a different root cert - you can do it by editing the source code and rebuilding from source.

Your initial post was a little vague, but I am inferring that this is about the SSL connection for connecting to your underlying persistence database. From the sound of it, you're using either postgres/mysql and not sqlite.

If you're connecting to postgres, you can edit the source here https://docs.rs/native-tls/0.1.4/native_tls/struct.TlsConnectorBuilder.html#method.add_root_certificate https://github.com/get-convex/convex-backend/blob/dd1c6e73bc0c7bf792d77a9e53ae5d7bd7a0559e/crates/postgres/src/lib.rs#L198

If mysql, you can edit source here https://docs.rs/mysql_async/latest/mysql_async/struct.OptsBuilder.html#method.ssl_opts https://github.com/get-convex/convex-backend/blob/dd1c6e73bc0c7bf792d77a9e53ae5d7bd7a0559e/crates/mysql/src/connection.rs#L477

Best of luck to you.

nipunn1313 avatar Jan 27 '25 16:01 nipunn1313

This is just untrue "I would pretty strongly recommend against modifying the certificate path and just use a properly signed certificate signed by a certificate authority such that the regular cert roots on your machine work.". Are you honestly saying that CA that is not recognized by docker image provided by you is insecure or improperly signed? Of course you should be able to define who you trust by providing ca certificate (and not modifying anything).

tahvane1 avatar Mar 25 '25 22:03 tahvane1

We'd be open to taking in a PR to accept a different root cert on command line.

Thanks for the followup @tahvane1. Advice is targeted towards folks who don't understand certs well - where if you change the root certs without knowing what you're doing, you can open yourself up to attack. If you have a different set of root CAs that you trust other than the ones in the standard docker image, go for it - change the code. This task and my original response predate our first docker images, so that also changes things - answer feels outdated.

Is that a use case you're running into? I'd be happy to give guidance on how to override or augment the root certs with additional values.

I'll reopen the task to reflect @tahvane1's point.

nipunn1313 avatar Mar 25 '25 23:03 nipunn1313

We always participate on open source projects we utilize. When we test drive new tech we first deploy quick POC to evaluate production readiness (and true open source nature) of solution. We are running kubernetes and cnpg postgres plugin which is pretty common nowadays as far as I know. When evaluation stops for something like this already in the beginning... there probably won't be any PR either... I have not digged into this deeper but based on your answer it is using OS level CA storage so for me "easier" way to proceed for me would be just to provide my own docker image, but again that is more maintenance and more work to get even the POC running...

tahvane1 avatar Mar 26 '25 08:03 tahvane1

Sure thing! That makes sense for your needs.

I'll leave the task open - if folks need configurable root CA, we would take a PR. It would probably be pretty easy.

nipunn1313 avatar Mar 26 '25 17:03 nipunn1313

I did PR for this #66

tahvane1 avatar Mar 26 '25 22:03 tahvane1

looks great! Thanks. That covers postgres (most common choice)

I'll leave task open for covering mysql as well.

nipunn1313 avatar Mar 26 '25 23:03 nipunn1313

Hey @tahvane1, I'd like to inquire as to what your solution was for this? I have this exact same setup using cnpg in my k3s cluster.

If you wouldn't mind sharing what you did to get this working? It would be very much appreciated!!

Update: I managed to figure out a working solution! It can be found in this thread: https://discord.com/channels/1019350475847499849/1216859935288201296/1412444071217070100

l3dotdev avatar Sep 01 '25 20:09 l3dotdev