nhost / hasura-backend-plus

🔑Auth and 📦Storage for Hasura. The quickest way to get Auth and Storage working for your next app based on Hasura.
https://nhost.github.io/hasura-backend-plus/
MIT License

Reload loop if databases uses a self-signed SSL certificate #639

Open pk992 opened 3 years ago

pk992 commented 3 years ago

Describe the bug

In any hasura-backend-plus version released after v2.4.0, the container throws a warning if the PostgreSQL connection string uses sslmode=require and the certificate used on the database server is self-signed. This seems to prevent HBP from starting and results in a restart loop.

To Reproduce

Steps to reproduce the behavior:

  1. Set up a recent version of HBP and Hasura with any valid config (example below)
  2. Use an SSL connection string, e.g. postgresql://user:pass@my-db-hosting.com:25060/default?sslmode=require, on an SSL-enabled database
  3. Check the container logs

Expected behavior

HBP should start regardless of the warning.

Output

yarn run v1.22.5
$ node -r ./dist/start.js
Applying migrations
(node:27) UnhandledPromiseRejectionWarning: Error: self signed certificate in certificate chain
    at TLSSocket.onConnectSecure (_tls_wrap.js:1514:34)
    at TLSSocket.emit (events.js:375:28)
    at TLSSocket.emit (domain.js:470:12)
    at TLSSocket._finishInit (_tls_wrap.js:936:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:708:12)
(Use `node --trace-warnings ...` to show where the warning was created)
(node:27) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). To terminate the node process on unhandled promise rejection, use the CLI flag `--unhandled-rejections=strict` (see https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode). (rejection id: 1)
(node:27) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.
Done in 2.36s.

Additional context

The managed database hosting I used in this case was at DigitalOcean. They provide a certificate to download, but it's not possible to use a non-SSL connection.

The docker-compose.yaml below sets up Hasura, HBP and PostgreSQL with SSL (tested on a DO Hasura Droplet with Ubuntu 18.04):

version: '3.6'
services:
  postgres:
    image: postgres:12
    restart: always
    # Both mounts under a single `volumes` key: the original listed the key twice,
    # which YAML parsers reject or silently drop (only the last one wins).
    volumes:
    - db_data:/var/lib/postgresql/data
    - './keys:/var/lib/postgresql'
    environment:
      POSTGRES_PASSWORD: postgrespassword
    # Enable TLS with the Debian "snakeoil" self-signed certificate shipped in the image.
    command: >
      -c ssl=on
      -c ssl_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
      -c ssl_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
  graphql-engine:
    image: hasura/graphql-engine:v2.0.4
    depends_on:
    - "postgres"
    restart: always
    environment:
      HASURA_GRAPHQL_METADATA_DATABASE_URL: postgres://postgres:postgrespassword@postgres:5432/postgres?sslmode=require
      HASURA_GRAPHQL_ENABLE_CONSOLE: "true"
      HASURA_GRAPHQL_DEV_MODE: "true"
      HASURA_GRAPHQL_ADMIN_SECRET: myadminsecretkey
      HASURA_GRAPHQL_JWT_SECRET: >-
        {"type": "HS512", "key": "randomRandomRandomRandomRandomRandomRandomRandomRandomRandomRandomRandomRandomRandomRandomRandomRandomRandom"}
    command:
    - graphql-engine
    - serve
  hasura-backend-plus:
    image: nhost/hasura-backend-plus:v2.7.1
    depends_on:
    - "graphql-engine"
    restart: always
    ports:
    - "4000:4000"
    environment:
      HOST: 0.0.0.0
      PORT: 4000
      DATABASE_URL: >-
        postgres://postgres:postgrespassword@postgres:5432/postgres?sslmode=require
      SERVER_URL: "http://localhost:4000"
      HASURA_ENDPOINT: "http://graphql-engine:8080/v1/graphql"
      HASURA_GRAPHQL_ADMIN_SECRET: myadminsecretkey
      JWT_ALGORITHM: HS512
      JWT_KEY: randomRandomRandomRandomRandomRandomRandomRandomRandomRandomRandomRandomRandomRandomRandomRandomRandomRandom
      STORAGE_ENABLED: 'false'
  caddy:
    image: caddy/caddy
    depends_on:
    - "graphql-engine"
    restart: always
    ports:
    - "80:80"
    - "443:443"
    volumes:
    - ./Caddyfile:/etc/caddy/Caddyfile
    - caddy_certs:/root/.caddy
volumes:
  db_data:
  caddy_certs:

makstr commented 2 years ago

Try adding NODE_TLS_REJECT_UNAUTHORIZED: '0' to your HBP compose file.