Closed alco closed 3 months ago
Found another issue with DO's managed Postgres while testing this fix:
14:56:49.189 pid=<0.3377.0> [error] GenServer #PID<0.3377.0> terminating
** (stop) exited in: :options.incompatible({:verify, :verify_peer}, {:cacerts, :undefined})
** (EXIT) :ssl_negotiation_failed
Last message (from #PID<0.3370.0>): {:command, :epgsql_cmd_connect, %{...}}
▓ ┌────────────────────┐
▓ │ CONNECTION ERROR │
▓ ┕━━━━━━━━━━━━━━━━━━━━┙
▓
▓ Failed to initialize Postgres state:
▓ {:error, {:ssl_negotiation_failed, {:options, :incompatible, [verify: :verify_peer, cacerts: :undefined]}}}
▓
▓ Double-check the value of DATABASE_URL and make sure your database
▓ is running and can be reached using the connection URL in DATABASE_URL.
14:56:49.190 pid=<0.3370.0> origin=postgres_1 [error] Initialization of Postgres state failed with reason: {:error, {:ssl_negotiation_failed, {:options, :incompatible, [verify: :verify_peer, cacerts: :undefined]}}}.
When we upgraded the sync service to OTP 27.0, we missed the changed default from `verify_none` to `verify_peer` in SSL connections. We now explicitly set `verify` to `verify_none` because it's currently the only way to ensure encrypted connections work even when a faulty certificate chain is presented by the PG host. This behaviour matches that of `psql <DATABASE_URL>?sslmode=require`.

Here's an example of connecting to DigitalOcean's Managed PostgreSQL to illustrate the point:
Fix #1395.
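As an added illustration (not code from this PR or from the project), the following module shows how the two `sslmode` behaviours discussed above map onto Erlang `:ssl` options. `verify: :verify_none` reproduces `sslmode=require` (encrypted, but any certificate is accepted, so it only defends against passive eavesdropping, not an active man-in-the-middle); `verify: :verify_peer` with an explicit `cacerts`/`cacertfile` is the other way to clear the `{:options, :incompatible, [verify: :verify_peer, cacerts: :undefined]}` error from the log, since `:ssl` refuses `verify_peer` without a trust store. The module name, the `ca-certificate.crt` path and the `ssl`/`ssl_opts` keys in the usage comment are assumptions.

```elixir
defmodule PgSslOptions do
  @moduledoc """
  Builds Erlang :ssl options for a Postgres connection that mirror libpq's
  sslmode semantics. Hypothetical helper written for this illustration.
  """

  # sslmode=require: the channel is encrypted but the server certificate is
  # not validated. This is what the PR settles on; a bad or self-signed chain
  # from the PG host is accepted, so the protection is against sniffing only.
  def ssl_opts(:require, _host) do
    [verify: :verify_none]
  end

  # sslmode=verify-full: the chain is validated against the OS trust store
  # (:public_key.cacerts_get/0, available since OTP 25) and the hostname is
  # checked against the certificate. Fails closed on a faulty chain.
  def ssl_opts(:verify_full, host) do
    [
      verify: :verify_peer,
      cacerts: :public_key.cacerts_get(),
      server_name_indication: String.to_charlist(host),
      customize_hostname_check: [
        match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
      ]
    ]
  end

  # sslmode=verify-ca against a provider-supplied CA bundle, e.g. the
  # ca-certificate.crt that managed providers let you download. The path is a
  # placeholder, not a real file from this project.
  def ssl_opts({:verify_ca, cacertfile}, _host) do
    [verify: :verify_peer, cacertfile: String.to_charlist(cacertfile)]
  end

  # Usage (option keys assumed from epgsql's connect map, not taken from the PR):
  #
  #   :epgsql.connect(%{
  #     host: "db-postgresql.example.invalid",
  #     username: "doadmin",
  #     password: System.fetch_env!("PGPASSWORD"),
  #     database: "defaultdb",
  #     ssl: :required,
  #     ssl_opts: PgSslOptions.ssl_opts(:verify_full, "db-postgresql.example.invalid")
  #   })
end
```

Keeping the `sslmode` decision in one function makes the trade-off explicit in code review: a call site passing `:require` is visibly opting out of certificate validation, which is the behaviour this PR chooses for compatibility, while `:verify_full` or `{:verify_ca, path}` is the setting to move to once the host's chain is trusted.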