postgres sslmode #396

Closed
erhankaradeniz opened this issue Jul 6, 2020 · 14 comments
Labels

  • docs: Relates to documentation
  • good first issue: Good issue to take for first time contributors
  • question: Ask how to do something or how something works
  • stale: Did not receive any activity for 60 days

Comments

@erhankaradeniz

erhankaradeniz commented Jul 6, 2020

Is it possible that the connection breaks when sslmode is set to "require"?
I'm having trouble connecting to a postgres db where the sslmode is set to require.

EDIT FROM MAINTAINER BELOW:

This has been resolved, but the documentation could be improved to avoid people asking this again, as per:

#396 (comment)

#396 (comment)

Feel free to open a PR documenting this!

@erhankaradeniz erhankaradeniz added the question Ask how to do something or how something works label Jul 6, 2020
@erhankaradeniz erhankaradeniz changed the title postgres postgres sslmode Jul 6, 2020
@iaincollins
Member

iaincollins commented Jul 7, 2020

Hmm, I've not run into that using Postgres but I don't think I've explicitly tried it with that option.

This might be a problem with TypeORM.

Based on the comments in that thread, have you tried using ssl=true as the option if using a connection string?


If that doesn't work, to help replicate:

  • Does it only cause issues when it is set and work otherwise?
  • Does it show an error or just seem to stop working?

Any other info we can use to replicate (e.g. does it happen right away, or after it's been running a while, is this locally or in production or both) would be helpful.

@erhankaradeniz
Author

> Hmm, I've not run into that using Postgres but I don't think I've explicitly tried it with that option.
>
> This might be a problem with TypeORM.
>
> Based on the comments in that thread, have you tried using ssl=true as the option if using a connection string?
>
> If that doesn't work, to help replicate:
>
>   • Does it only cause issues when it is set and work otherwise?
>   • Does it show an error or just seem to stop working?
>
> Any other info we can use to replicate (e.g. does it happen right away, or after it's been running a while, is this locally or in production or both) would be helpful.

Hmm haven't tried using ssl=true but I've tried sslmode="require" which was not working. I'll give it a try.

@erhankaradeniz
Author

> Hmm, I've not run into that using Postgres but I don't think I've explicitly tried it with that option.
>
> This might be a problem with TypeORM.
>
> Based on the comments in that thread, have you tried using ssl=true as the option if using a connection string?
>
> If that doesn't work, to help replicate:
>
>   • Does it only cause issues when it is set and work otherwise?
>   • Does it show an error or just seem to stop working?
>
> Any other info we can use to replicate (e.g. does it happen right away, or after it's been running a while, is this locally or in production or both) would be helpful.

Setting ssl to true, doesn't seem to work.

When I view my vercel logs I have the following errors:

[POST] /api/auth/signin/email
10:04:10:70
2020-07-08T08:04:11.395Z	1b350129-145e-4e5d-b81c-10917696e2e7	ERROR	[next-auth][error][ADAPTER_CONNECTION_ERROR] [
  Error: self signed certificate in certificate chain
      at TLSSocket.onConnectSecure (_tls_wrap.js:1474:34)
      at TLSSocket.emit (events.js:310:20)
      at TLSSocket._finishInit (_tls_wrap.js:917:8)
      at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:687:12) {
    code: 'SELF_SIGNED_CERT_IN_CHAIN'
  }
] 
https://next-auth.js.org/errors#adapter_connection_error
2020-07-08T08:04:11.395Z	1b350129-145e-4e5d-b81c-10917696e2e7	ERROR	[next-auth][error][GET_USER_BY_EMAIL_ERROR] [
  TypeError: Cannot read property 'getRepository' of null
      at /var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:182:31
      at Generator.next (<anonymous>)
      at asyncGeneratorStep (/var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:28:103)
      at _next (/var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:30:194)
      at /var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:30:364
      at new Promise (<anonymous>)
      at /var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:30:97
      at _getUserByEmail (/var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:191:32)
      at getUserByEmail (/var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:170:32)
      at /var/task/node_modules/next-auth/dist/server/routes/signin.js:67:28
] 
https://next-auth.js.org/errors#get_user_by_email_error
2020-07-08T08:04:11.396Z	1b350129-145e-4e5d-b81c-10917696e2e7	ERROR	Unhandled Promise Rejection 	{"errorType":"Runtime.UnhandledPromiseRejection","errorMessage":"Error: GET_USER_BY_EMAIL_ERROR","reason":{"errorType":"Error","errorMessage":"GET_USER_BY_EMAIL_ERROR","stack":["Error: GET_USER_BY_EMAIL_ERROR","    at /var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:188:35","    at Generator.next (<anonymous>)","    at asyncGeneratorStep (/var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:28:103)","    at _next (/var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:30:194)","    at /var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:30:364","    at new Promise (<anonymous>)","    at /var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:30:97","    at _getUserByEmail (/var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:191:32)","    at getUserByEmail (/var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:170:32)","    at /var/task/node_modules/next-auth/dist/server/routes/signin.js:67:28"]},"promise":{},"stack":["Runtime.UnhandledPromiseRejection: Error: GET_USER_BY_EMAIL_ERROR","    at process.<anonymous> (/var/runtime/index.js:35:15)","    at process.emit (events.js:322:22)","    at processPromiseRejections (internal/process/promises.js:209:33)","    at processTicksAndRejections (internal/process/task_queues.js:98:32)"]}
Unknown application error occurred
[GET] /api/auth/session
10:04:14:04
2020-07-08T08:04:14.762Z	32e93aae-087d-4a11-9ba0-7e33b7f1314b	ERROR	[next-auth][error][ADAPTER_CONNECTION_ERROR] [
  Error: self signed certificate in certificate chain
      at TLSSocket.onConnectSecure (_tls_wrap.js:1474:34)
      at TLSSocket.emit (events.js:310:20)
      at TLSSocket._finishInit (_tls_wrap.js:917:8)
      at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:687:12) {
    code: 'SELF_SIGNED_CERT_IN_CHAIN'
  }
] 
https://next-auth.js.org/errors#adapter_connection_error
2020-07-08T08:04:14.763Z	32e93aae-087d-4a11-9ba0-7e33b7f1314b	ERROR	[next-auth][error][GET_SESSION_ERROR] [
  TypeError: Cannot read property 'getRepository' of null
      at /var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:317:44
      at Generator.next (<anonymous>)
      at asyncGeneratorStep (/var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:28:103)
      at _next (/var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:30:194)
      at /var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:30:364
      at new Promise (<anonymous>)
      at /var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:30:97
      at _getSession (/var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:332:28)
      at getSession (/var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:309:28)
      at /var/task/node_modules/next-auth/dist/server/routes/session.js:96:29
] 
https://next-auth.js.org/errors#get_session_error
2020-07-08T08:04:14.763Z	32e93aae-087d-4a11-9ba0-7e33b7f1314b	ERROR	[next-auth][error][SESSION_ERROR] [
  Error: GET_SESSION_ERROR
      at /var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:329:35
      at Generator.next (<anonymous>)
      at asyncGeneratorStep (/var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:28:103)
      at _next (/var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:30:194)
      at /var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:30:364
      at new Promise (<anonymous>)
      at /var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:30:97
      at _getSession (/var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:332:28)
      at getSession (/var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:309:28)
      at /var/task/node_modules/next-auth/dist/server/routes/session.js:96:29
] 
https://next-auth.js.org/errors#session_error

@erhankaradeniz
Author

erhankaradeniz commented Jul 8, 2020

I managed to fix this issue by including a certificate for my connection. I'll place my config below so if people stumble on the same issue, they can see this as a reference. (maybe it's also an idea to add it to the documentation? Could make a PR for it.)

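```js
const fs = require("fs");

// certFile (the path to the CA certificate file) is not defined in this snippet.
const dbConnection = {
  type: "postgres",
  host: process.env.DB_HOST,
  port: process.env.DB_PORT,
  username: process.env.DB_USER,
  password: process.env.DB_PWD,
  database: process.env.DB_DB,
  entityPrefix: "nextauth_",
  ssl: {
    // Verify the server certificate against the CA loaded below.
    rejectUnauthorized: true,
    ca: fs.readFileSync(certFile).toString(),
  },
};
```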

@iaincollins
Member

Thank you, this is super interesting and I'm sure it will be useful for other folks.

I agree, it would be great to add this to the documentation; I'm not sure there is a great place for it.

Feel free to leave this issue open till we find a home for it!

@ghost

ghost commented Nov 20, 2020

> I managed to fix this issue by including a certificate for my connection. I'll place my config below so if people stumble on the same issue, they can see this as a reference. (maybe it's also an idea to add it to the documentation? Could make a PR for it.)
>
> const dbConnection = {
>   type: "postgres",
>   host: process.env.DB_HOST,
>   port: process.env.DB_PORT,
>   username: process.env.DB_USER,
>   password: process.env.DB_PWD,
>   database: process.env.DB_DB,
>   entityPrefix: "nextauth_",
>   ssl: {
>     rejectUnauthorized: false,
>     ca: fs.readFileSync(certFile).toString(),
>   },
> }

Is that really including the cert? Or, are you turning off ssl with the line rejectUnauthorized: false?

https://devcenter.heroku.com/articles/heroku-postgresql#connecting-in-node-js

That article is EXTREMELY poorly written. The top of the article talks about how important it is to use SSL:

"Most clients will connect over SSL by default, but on occasion it is necessary to set the sslmode=require parameter on a Postgres connection. Please add this parameter in code rather than editing the config var directly. Please check you are enforcing use of SSL especially if you are using Java or Node.js clients."

But a plain English reading of rejectUnauthorized: false is "Do not reject unauthorized access." I can't make sense of it.

@erhankaradeniz
Author

> > I managed to fix this issue by including a certificate for my connection. I'll place my config below so if people stumble on the same issue, they can see this as a reference. (maybe it's also an idea to add it to the documentation? Could make a PR for it.)
> >
> > const dbConnection = {
> >   type: "postgres",
> >   host: process.env.DB_HOST,
> >   port: process.env.DB_PORT,
> >   username: process.env.DB_USER,
> >   password: process.env.DB_PWD,
> >   database: process.env.DB_DB,
> >   entityPrefix: "nextauth_",
> >   ssl: {
> >     rejectUnauthorized: false,
> >     ca: fs.readFileSync(certFile).toString(),
> >   },
> > }
>
> Is that really including the cert? Or, are you turning off ssl with the line rejectUnauthorized: false?
>
> https://devcenter.heroku.com/articles/heroku-postgresql#connecting-in-node-js
>
> That article is EXTREMELY poorly written. The top of the article talks about how important it is to use SSL:
>
> "Most clients will connect over SSL by default, but on occasion it is necessary to set the sslmode=require parameter on a Postgres connection. Please add this parameter in code rather than editing the config var directly. Please check you are enforcing use of SSL especially if you are using Java or Node.js clients."
>
> But a plain English reading of rejectUnauthorized: false is "Do not reject unauthorized access." I can't make sense of it.

No, it is including the certificate; you still have to generate one yourself and afterwards read it from the filesystem. But you are correct about the reject part, that should be true. Not sure why I left the false part in it. I will edit it in my original comment.

@ZelimDamian

ZelimDamian commented Dec 7, 2020

This may very well be a very insecure way of handling it, but for my test setup this works perfectly: adding ?ssl=no-verify to the connection string

pgRITA/node-pgrita#1 (comment)

@balazsorban44 balazsorban44 added the good first issue Good issue to take for first time contributors label Jan 21, 2021
@stale

stale bot commented Mar 22, 2021

Hi there! It looks like this issue hasn't had any activity for a while. It will be closed if no further activity occurs. If you think your issue is still relevant, feel free to comment on it to keep it open. (Read more at #912) Thanks!

@stale stale bot added the stale Did not receive any activity for 60 days label Mar 22, 2021
@stale

stale bot commented Mar 29, 2021

Hi there! It looks like this issue hasn't had any activity for a while. To keep things tidy, I am going to close this issue for now. If you think your issue is still relevant, just leave a comment and I will reopen it. (Read more at #912) Thanks!

@stale stale bot closed this as completed Mar 29, 2021
@phbetbeze

As I had the issue where I was using Heroku's Postgres, which somehow forces us to use SSL but has only a self-certification mechanism, this is what I came up with, using rejectUnauthorized: false ... not very elegant but does the trick.
Hope it helps.

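```js
// Fragment of a larger options object.
database: {
    type: 'postgres',
    host: process.env.DATABASE_HOST,
    port: 5432,
    username: process.env.DATABASE_USER,
    password: process.env.DATABASE_PASSWORD,
    database: process.env.DATABASE_NAME,
    ssl: {
      // Accepts any server certificate: the connection is encrypted,
      // but the server is not authenticated.
      rejectUnauthorized: false,
      requestCert: true,
      //ca: fs.readFileSync(certFile).toString(),
    },
  },
```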

@pepsiamir

> This may very well be a very insecure way of handling it, but for my test setup this works perfectly: adding ?ssl=no-verify to the connection string
>
> pgRITA/node-pgrita#1 (comment)

This works for me. Thanks.
I need this only in development mode because I use localhost:3000.

@skeddles

I too was trying to work locally and kept getting the error nextauth connection is insecure (try using sslmode=require) and was unable to sign in.

Adding just ssl: {rejectUnauthorized: false} fixed it.

The docs are still of no use.

@vlad1slove1

> Adding just ssl: {rejectUnauthorized: false} fixed it.

@skeddles thank you very much! Had a problem with postgres db at vercel deployment. String: ssl: { rejectUnauthorized: false } helped me to solve the problem.
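
Added example, not code from any commenter or from the next-auth project: a small check that sorts the `ssl` settings posted in this thread by whether the server certificate is actually verified, plus a startup guard for non-development environments. The helper names (`classifySsl`, `classifyUrl`, `assertVerifiedTls`), the host name and the sample values are constructed for illustration, and the meaning given to `ssl=true` and `ssl=no-verify` in a connection string is an assumption about how node-postgres treats those values.

```javascript
// Added example; classifySsl, classifyUrl and assertVerifiedTls are hypothetical helpers.
const PLAINTEXT = "plaintext";             // no TLS at all
const UNVERIFIED = "encrypted-unverified"; // TLS, but any certificate is accepted
const VERIFIED = "encrypted-verified";     // TLS, chain checked against trusted CAs

// `ssl` as passed in an options object such as the dbConnection configs above.
function classifySsl(ssl) {
  if (ssl === undefined || ssl === null || ssl === false) return PLAINTEXT;
  if (ssl === true) return VERIFIED; // Node's tls default keeps rejectUnauthorized on
  if (typeof ssl === "object") {
    // Only an explicit `false` disables the check; with it, the connection is
    // accepted even when the certificate does not chain to the supplied `ca`.
    return ssl.rejectUnauthorized === false ? UNVERIFIED : VERIFIED;
  }
  throw new TypeError("unsupported ssl value: " + String(ssl));
}

// Connection-string form. Only the `ssl` values used in this thread are
// recognised (assumed node-postgres meaning); anything else is "unknown".
function classifyUrl(connectionString) {
  const ssl = new URL(connectionString).searchParams.get("ssl");
  if (ssl === "true") return VERIFIED;
  if (ssl === "no-verify") return UNVERIFIED;
  return "unknown";
}

// Startup guard: outside development, refuse anything but a verified connection.
function assertVerifiedTls(ssl, env) {
  const posture = classifySsl(ssl);
  if (env !== "development" && posture !== VERIFIED) {
    throw new Error("database TLS is " + posture + "; keep rejectUnauthorized true and supply the CA");
  }
  return posture;
}

// Constructed sample values mirroring the settings posted in the thread.
const CONSTRUCTED_CA = "-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----";
const samples = {
  withCaVerified: { rejectUnauthorized: true, ca: CONSTRUCTED_CA },
  withCaUnverified: { rejectUnauthorized: false, ca: CONSTRUCTED_CA },
  noVerifyOnly: { rejectUnauthorized: false },
  sslTrue: true,
};
for (const [name, ssl] of Object.entries(samples)) {
  console.log(name.padEnd(18), classifySsl(ssl));
}
console.log("?ssl=no-verify".padEnd(18), classifyUrl("postgres://app@db.example.test/app?ssl=no-verify"));
```

The `sslTrue` case matches the log earlier in the thread: with verification left on and no CA supplied, the handshake fails with `SELF_SIGNED_CERT_IN_CHAIN` instead of connecting.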
