pgc4d
Unable to connect to Heroku Postgres using pgc4d package
I am getting the following error:
Compile file:///Users/devanand/Documents/Projects/Deno/deno-experiments/models/database.ts
WARN RS - rustls::session:718 - Sending fatal alert BadCertificate
error: Uncaught InvalidData: invalid certificate: UnknownIssuer
Steps:
- Create a Heroku postgres database
- Connect to our deno using pgc4d package
Note: Heroku Postgres needs an SSL connection to run through
It's because Heroku uses a self-signed certificate.
Pulling the certificate using openssl s_client and specifying certFile resolves the UnknownIssuer error, but causes CertNotValidForName. This is because the cert is issued for ip-x-x-x-x.ec2.internal.
However, adding the hostname to /etc/hosts and connecting to it instead of the EC2 external hostname (or overwriting hostname in the call to Deno.startTls) doesn't change anything, which I do not yet understand.
Filed an issue here: https://github.com/denoland/deno/issues/5986
devanand@Devanands-MacBook-Air ~ % openssl s_client -connect ec2-23-23-245-89.compute-1.amazonaws.com:5432 -showcerts
CONNECTED(00000005)
4401974892:error:140040E5:SSL routines:CONNECT_CR_SRVR_HELLO:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.11.1/libressl-2.8/ssl/ssl_pkt.c:585:
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 0 bytes
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Start Time: 1590953952
Timeout : 7200 (sec)
What does this mean? Does it mean my Heroku server doesn't have any Certificates? Can you help?
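Added example (not part of the thread and not pgc4d code): PostgreSQL negotiates TLS in-band, so a client must send an SSLRequest message and read a one-byte reply before the TLS handshake starts, and a bare TLS ClientHello sent to port 5432 gets no certificate back. The Python sketch below performs that exchange to fetch the server certificate, then trusts only that certificate with hostname checking left on, so a name mismatch like the CertNotValidForName mentioned above comes back as the failure reason. The function names and the command-line host argument are assumptions made for this example.

```python
import socket
import ssl
import struct
import sys

SSL_REQUEST_CODE = (1234 << 16) | 5679  # 80877103, fixed by the PostgreSQL protocol

def build_ssl_request() -> bytes:
    """SSLRequest message: Int32 length (8) followed by Int32 request code."""
    return struct.pack("!II", 8, SSL_REQUEST_CODE)

def server_accepts_tls(reply: bytes) -> bool:
    """The server answers with one byte: b'S' (start TLS) or b'N' (no TLS)."""
    if reply in (b"S", b"N"):
        return reply == b"S"
    raise ValueError(f"unexpected reply to SSLRequest: {reply!r}")

def pg_tls_connect(host, port, ctx, timeout=10.0):
    """Send SSLRequest in clear text, then run the TLS handshake on the same socket."""
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        raw.sendall(build_ssl_request())
        if not server_accepts_tls(raw.recv(1)):
            raise ConnectionError("server answered 'N': TLS is not offered")
        return ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise

def fetch_cert_pem(host, port=5432):
    """Fetch the leaf certificate for inspection only; nothing is verified here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with pg_tls_connect(host, port, ctx) as tls:
        return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))

def verify_with_pinned_cert(host, pem, port=5432):
    """Trust only `pem` and keep hostname checking on; return 'ok' or the failure reason."""
    ctx = ssl.create_default_context(cadata=pem)
    try:
        with pg_tls_connect(host, port, ctx):
            return "ok"
    except ssl.SSLCertVerificationError as err:
        return err.verify_message

if __name__ == "__main__":
    host = sys.argv[1]  # assumption: the database hostname from your own connection string
    pem = fetch_cert_pem(host)
    print(pem)
    print("pinned verification:", verify_with_pinned_cert(host, pem))
```

The fetch step is unauthenticated, so compare the certificate's fingerprint through an independent channel before using the PEM as a certFile.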
@devanandp I do not know how to solve this right now, and without digging into the Deno/rustls/webpki source, it will likely not be possible.
I would try Amazon RDS if I were you. Curious if that works. You'll need to set this as the certFile.
Just wanted to confirm that Amazon RDS works, so you might want to use that instead. It's much more full-featured anyways.
Sure @jakajancar I will try with that