jakajancar / pgc4d

A full-featured PostgreSQL Client for Deno
MIT License

Unable to connect to Heroku Postgres using pgc4d package #1

Open devanandp opened 4 years ago

devanandp commented 4 years ago

I am getting the following error :

Compile file:///Users/devanand/Documents/Projects/Deno/deno-experiments/models/database.ts
WARN RS - rustls::session:718 - Sending fatal alert BadCertificate
error: Uncaught InvalidData: invalid certificate: UnknownIssuer

Steps:

  1. Create a Heroku postgres database
  2. Connect to our Deno using the pgc4d package

Note :

Heroku Postgres needs SSL connection to run through

jakajancar commented 4 years ago

It's because Heroku uses a self-signed certificate.

Pulling the certificate using openssl s_client and specifying certFile resolves the UnknownIssuer error, but causes CertNotValidForName. This is because the cert is issued for ip-x-x-x-x.ec2.internal.

However, adding the hostname to /etc/hosts and connecting to it instead of the EC2 external hostname (or overwriting hostname in the call to Deno.startTls) doesn't change anything, which I do not yet understand.

jakajancar commented 4 years ago

Filed an issue here: https://github.com/denoland/deno/issues/5986

devanandp commented 4 years ago

> It's because Heroku uses a self-signed certificate.
>
> Pulling the certificate using openssl s_client and specifying certFile resolves the UnknownIssuer error, but causes CertNotValidForName. This is because the cert is issued for ip-x-x-x-x.ec2.internal.
>
> However, adding the hostname to /etc/hosts and connecting to it instead of the EC2 external hostname (or overwriting hostname in the call to Deno.startTls) doesn't change anything, which I do not yet understand.

devanand@Devanands-MacBook-Air ~ % openssl s_client -connect ec2-23-23-245-89.compute-1.amazonaws.com:5432 -showcerts
CONNECTED(00000005)
4401974892:error:140040E5:SSL routines:CONNECT_CR_SRVR_HELLO:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.11.1/libressl-2.8/ssl/ssl_pkt.c:585:

no peer certificate available

No client certificate CA names sent

SSL handshake has read 0 bytes and written 0 bytes

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Start Time: 1590953952
Timeout : 7200 (sec)

What does this mean? Does it mean my Heroku server doesn't have any Certificates? Can you help?
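
Added example, not part of the thread or of pgc4d's code: the `s_client` command above starts a TLS handshake straight away, whereas PostgreSQL expects an 8-byte SSLRequest first and only begins TLS after answering `S`. The sketch below builds that request and shows how a server reading a raw ClientHello as its first packet rejects it; the function names, the simplified length check and the sample ClientHello prefix are constructed for illustration.

```typescript
// PostgreSQL wire protocol: TLS is negotiated in-band, not from the first byte.
const SSL_REQUEST_CODE = 80877103;       // (1234 << 16) | 5679, per the protocol docs
const MAX_STARTUP_PACKET_LENGTH = 10000; // server-side limit on the first packet

// Build the 8-byte SSLRequest: Int32 length (8) + Int32 request code, big-endian.
function buildSSLRequest(): Uint8Array {
  const buf = new Uint8Array(8);
  const view = new DataView(buf.buffer);
  view.setUint32(0, 8);
  view.setUint32(4, SSL_REQUEST_CODE);
  return buf;
}

// The server answers SSLRequest with one byte: 'S' (start TLS now) or 'N' (no TLS).
function interpretSSLResponse(byte: number): "start-tls" | "tls-refused" | "unexpected" {
  if (byte === 0x53) return "start-tls";
  if (byte === 0x4e) return "tls-refused";
  return "unexpected"; // e.g. 'E' (ErrorResponse) from a server without SSL support
}

// How the server sees the first bytes a client sends on port 5432
// (simplified version of the server's startup-packet length check).
function classifyFirstPacket(bytes: Uint8Array): string {
  if (bytes.length < 8) return "incomplete";
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const length = view.getUint32(0);
  if (length < 8 || length > MAX_STARTUP_PACKET_LENGTH) return "invalid startup packet length";
  const code = view.getUint32(4);
  if (code === SSL_REQUEST_CODE) return "SSLRequest";
  if (code >>> 16 === 3) return "StartupMessage (protocol 3.x)";
  return "unknown request code";
}

// Constructed sample: start of a TLS record carrying a ClientHello
// (type 0x16 handshake, version 0x0301, record length 0x0200, then the handshake header).
const rawClientHello = new Uint8Array([0x16, 0x03, 0x01, 0x02, 0x00, 0x01, 0x00, 0x01, 0xfc]);

console.log(classifyFirstPacket(rawClientHello));    // what a plain TLS client sends first
console.log(classifyFirstPacket(buildSSLRequest())); // what a Postgres client sends first
console.log(interpretSSLResponse("S".charCodeAt(0)));
```

With OpenSSL 1.1.1 or later, `openssl s_client -starttls postgres` sends this preamble before the handshake, so `-showcerts` can then print the server certificate.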

jakajancar commented 4 years ago

@devanandp I do not know how to solve this right now, and without digging into the Deno/rustls/webpki source, it will likely not be possible.

I would try Amazon RDS if I were you. Curious if that works. You'll need to set this as the certFile.

jakajancar commented 4 years ago

Just wanted to confirm that Amazon RDS works, so you might want to use that instead. It's much more full-featured anyways.

devanandp commented 4 years ago

Sure @jakajancar I will try with that