powersync-ja / self-host-demo


can't get this to work with supabase trial #38

Open evanrich opened 1 day ago

evanrich commented 1 day ago

I'm running Supabase hosted, not locally. I'm using the following config.yaml:

```yaml
# yaml-language-server: $schema=../schema/schema.json
telemetry:
  disable_telemetry_sharing: false
replication:
  connections:
    - type: postgresql
      uri: "postgresql://postgres.[pooler-user-name]:[my-super-secret-password]@aws-0-us-west-1.pooler.supabase.com:6543/postgres"
      sslmode: verify-full # 'verify-full' (default) or 'verify-ca' or 'disable'
      cacert: /config/prod-ca-2021.crt
storage:
  type: mongodb
  uri: mongodb://powersync-mongodb.powersync.svc:27017/
  username: powersync
  password: powersync-password
port: 80
sync_rules:
  content: |
    bucket_definitions:
      user_buckets:
        parameters: SELECT request.user_id() as user_id
        data:
          - SELECT * FROM lists where lists.owner_id = bucket.user_id

      global:
        data:
          - SELECT * FROM books
client_auth:
  supabase: true
#  jwks_uri: !env PS_JWKS_URL
  audience: ["powersync-dev", "powersync"]
```

I have this running in Kubernetes. The "prod-ca-2021.crt" is from Supabase, where I downloaded the cert from the database page. When I run the container, I get the following error:

```
{"code":"SELF_SIGNED_CERT_IN_CHAIN","level":"error","message":"cause self-signed certificate in certificate chain","stack":"Error: self-signed certificate in certificate chain\n    at TLSSocket.onConnectSecure (node:_tls_wrap:1674:34)\n    at TLSSocket.emit (node:events:518:28)\n    at TLSSocket._finishInit (node:_tls_wrap:1085:8)\n    at ssl.onhandshakedone (node:_tls_wrap:871:12)","timestamp":"2024-10-20T23:27:19.646Z"}
{"cause":{"code":"SELF_SIGNED_CERT_IN_CHAIN"},"level":"error","message":"Replication failed on powersync_1_864d self-signed certificate in certificate chain","name":"PgError","stack":"PgError: self-signed certificate in certificate chain\n    at PgConnection.start (file:///app/node_modules/.pnpm/pgwire@https+++codeload.github.com+kagis+pgwire+tar.gz+f1cb95f9a0f42a612bb5a6b67bb2eb793fc5fc87/node_modules/pgwire/mod.js:270:13)\n    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n    at async Module.pgconnect (file:///app/node_modules/.pnpm/pgwire@https+++codeload.github.com+kagis+pgwire+tar.gz+f1cb95f9a0f42a612bb5a6b67bb2eb793fc5fc87/node_modules/pgwire/mod.js:28:3)\n    at async Module.pgconnect (file:///app/packages/jpgwire/dist/pgwire.js:8:12)\n    at async Module.connectPgWire (file:///app/packages/jpgwire/dist/util.js:72:24)\n    at async PgManager.replicationConnection (file:///app/packages/service-core/dist/util/PgManager.js:16:16)\n    at async WalStream.replicate (file:///app/packages/service-core/dist/replication/WalStream.js:432:43)\n    at async WalStreamRunner.replicateOnce (file:///app/packages/service-core/dist/replication/WalStreamRunner.js:72:13)\n    at async WalStreamRunner.replicateLoop (file:///app/packages/service-core/dist/replication/WalStreamRunner.js:45:13)\n    at async WalStreamRunner.run (file:///app/packages/service-core/dist/replication/WalStreamRunner.js:23:13)","timestamp":"2024-10-20T23:27:19.646Z"}
{"cause":{"code":"SELF_SIGNED_CERT_IN_CHAIN"},"level":"error","message":"Replication error self-signed certificate in certificate chain","name":"PgError","stack":"PgError: self-signed certificate in certificate chain\n    at PgConnection.start (file:///app/node_modules/.pnpm/pgwire@https+++codeload.github.com+kagis+pgwire+tar.gz+f1cb95f9a0f42a612bb5a6b67bb2eb793fc5fc87/node_modules/pgwire/mod.js:270:13)\n    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n    at async Module.pgconnect (file:///app/node_modules/.pnpm/pgwire@https+++codeload.github.com+kagis+pgwire+tar.gz+f1cb95f9a0f42a612bb5a6b67bb2eb793fc5fc87/node_modules/pgwire/mod.js:28:3)\n    at async Module.pgconnect (file:///app/packages/jpgwire/dist/pgwire.js:8:12)\n    at async Module.connectPgWire (file:///app/packages/jpgwire/dist/util.js:72:24)\n    at async PgManager.replicationConnection (file:///app/packages/service-core/dist/util/PgManager.js:16:16)\n    at async WalStream.replicate (file:///app/packages/service-core/dist/replication/WalStream.js:432:43)\n    at async WalStreamRunner.replicateOnce (file:///app/packages/service-core/dist/replication/WalStreamRunner.js:72:13)\n    at async WalStreamRunner.replicateLoop (file:///app/packages/service-core/dist/replication/WalStreamRunner.js:45:13)\n    at async WalStreamRunner.run (file:///app/packages/service-core/dist/replication/WalStreamRunner.js:23:13)","timestamp":"2024-10-20T23:27:49.697Z"}
```

This works with hosted PowerSync, which uses the IPv6 URL to connect, but when self-hosting I have to use the pooler connection.

rkistner commented 1 day ago

The Supabase pooler is not supported for PowerSync, since it doesn't support logical replication. You either have to use IPv6, or enable the "Dedicated IPv4 address" Supabase add-on.

That said, I'm not sure why you're getting that error - the cert should be correct. We also include the same cert automatically, so you don't actually need to specify cacert for Supabase.
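
A preflight check for the pooler limitation described in the reply above, as an added example that is not part of the thread or of PowerSync's own code. `lintConnection`, `redactUri` and the finding codes are hypothetical names; the connection object mirrors one `replication.connections` entry from the config in the issue, and the credentials in the sample URI are constructed.

```javascript
// Added example (not PowerSync code): lint one replication connection before deploying.
const POOLER_SUFFIX = '.pooler.supabase.com'; // host suffix from the URI in the issue
const SSL_MODES = ['verify-full', 'verify-ca', 'disable']; // values listed in the config comment

// Mask the password so a finding can be logged without leaking the credential.
function redactUri(uri) {
  const u = new URL(uri);
  if (u.password) u.password = '***';
  return u.toString();
}

function lintConnection(conn) {
  let url;
  try {
    url = new URL(conn.uri);
  } catch {
    return [{ level: 'error', code: 'BAD_URI', message: 'uri is not a valid URL' }];
  }
  const findings = [];
  const where = redactUri(conn.uri);
  // Non-special schemes such as postgresql: keep the host's case, so normalise it here.
  if (url.hostname.toLowerCase().endsWith(POOLER_SUFFIX)) {
    findings.push({
      level: 'error',
      code: 'SUPABASE_POOLER',
      message: `${where}: the Supabase pooler does not support logical replication; ` +
        'use the IPv6 address or the "Dedicated IPv4 address" add-on',
    });
  }
  const mode = conn.sslmode ?? 'verify-full'; // 'verify-full' is the documented default
  if (!SSL_MODES.includes(mode)) {
    findings.push({ level: 'error', code: 'UNKNOWN_SSLMODE', message: `${where}: sslmode '${mode}'` });
  } else if (mode === 'disable') {
    findings.push({
      level: 'warning',
      code: 'TLS_DISABLED',
      message: `${where}: sslmode 'disable' leaves the database connection without certificate verification`,
    });
  }
  return findings;
}

// Constructed sample shaped like the connection in the issue (credentials are made up).
const sample = {
  type: 'postgresql',
  uri: 'postgresql://postgres.exampleref:example-password@aws-0-us-west-1.pooler.supabase.com:6543/postgres',
  sslmode: 'verify-full',
};
for (const f of lintConnection(sample)) console.log(`[${f.level}] ${f.code}: ${f.message}`);
```

Running it as a startup or CI step reports the unsupported pooler host up front, before the service attempts replication.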