Open HaithamMaya opened 5 years ago
In my docker:
ADD https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem /certs/rds-combined-ca-bundle.pem
My code:
import os
import ssl

import asyncpg

ctx = ssl.create_default_context(cafile='/certs/rds-combined-ca-bundle.pem')
DATABASE_CONFIG = {
    'host': os.environ['DATABASE_HOST'],
    'port': os.environ['DATABASE_PORT'],
    'database': os.environ['DATABASE_NAME'],
    'user': os.environ['DATABASE_USER'],
    'password': os.environ['DATABASE_PASSWORD'],
    'ssl': ctx
}
app.pool = await asyncpg.create_pool(**DATABASE_CONFIG, loop=loop, max_size=100)
Turning off verification works, but it's not really a solution:
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
This seems like a server-side issue.
@elprans downgrading from python:3.7.4-slim to python:3.7.3-slim completely fixes the issue.
There has probably been a change in Python ssl module policy that made RDS certs be treated as insecure by default. asyncpg itself doesn't impose a specific policy and simply uses the Python default.
FYI, that update to _ssl .so dynlib had broken a lot of connectors, including MySQL. I'd suggest, if that happens again, trying to detect which module imports ssl. For example, MySQL conn works perfectly if import _ssl is not issued.
An issue very similar to #238 started occurring 3 days ago after python 3.7.4 was released. Pinning my docker to 3.7.3-slim fixed the issue.
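Since asyncpg uses whatever the Python `ssl` defaults are, one way to see what changed between two images is to dump those defaults in each and diff the output. This is an added example, not code from the thread or from asyncpg; the function names `build_context`, `tls_policy_snapshot` and `diff_snapshots` are hypothetical.

```python
import json
import ssl
import sys


def build_context(cafile=None, verify=True):
    """Build a client context as in the issue; verify=False mirrors the workaround."""
    ctx = ssl.create_default_context(cafile=cafile)
    if not verify:
        ctx.check_hostname = False  # must be cleared before setting CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def tls_policy_snapshot(ctx):
    """Collect the settings that decide whether a server certificate is accepted."""
    return {
        "python": sys.version.split()[0],
        "openssl": ssl.OPENSSL_VERSION,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "verify_flags": int(ctx.verify_flags),
        "options": int(ctx.options),
        "minimum_version": ctx.minimum_version.name,
        # security_level only exists on Python 3.10+; None on older interpreters
        "security_level": getattr(ctx, "security_level", None),
        "cipher_count": len(ctx.get_ciphers()),
        "ca_certs_loaded": ctx.cert_store_stats()["x509_ca"],
    }


def diff_snapshots(a, b):
    """Return only the keys whose values differ, as (a_value, b_value) pairs."""
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


if __name__ == "__main__":
    # Optional argument: path to a CA bundle, e.g. the one added in the Dockerfile.
    cafile = sys.argv[1] if len(sys.argv) > 1 else None
    snapshot = tls_policy_snapshot(build_context(cafile))
    print(json.dumps(snapshot, indent=2, sort_keys=True))
```

Run it in both the 3.7.3-slim and 3.7.4-slim containers with the bundle path as the argument and compare the two JSON outputs; any key that differs is a default that moved with the image rather than with asyncpg.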