TLS connection failed with message: invalid peer certificate contents / PostgresError: no pg_hba.conf entry for host #356

Open
reggi opened this issue Aug 21, 2022 · 5 comments


reggi commented Aug 21, 2022

I just deployed a Deno project to Deno Deploy and got this message when I tried to run the insert.

I'm using Heroku and they require SSL. From this old Stack Overflow Sequelize post, I'm assuming I need to either 1) send the request using SSL or 2) reject the unauthorized call in Deno? I'm not sure how to do either.

Here's the full message:

An error occurred during route handling or page rendering. PostgresError: no pg_hba.conf entry for host "███████", user "██████████", database "█████", no encryption
    at assertSuccessfulStartup (https://deno.land/x/[email protected]/connection/connection.ts:40:19)
    at Connection.#startup (https://deno.land/x/[email protected]/connection/connection.ts:252:13)
    at async Connection.startup (https://deno.land/x/[email protected]/connection/connection.ts:311:21)
    at async Client.connect (https://deno.land/x/[email protected]/client.ts:131:13)
    at async PostgresConnector._makeConnection (https://deno.land/x/[email protected]/lib/connectors/postgres-connector.ts:28:9)
    at async PostgresConnector.query (https://deno.land/x/[email protected]/lib/connectors/postgres-connector.ts:42:9)
    at async Database.query (https://deno.land/x/[email protected]/lib/database.ts:117:25)
    at async Function._runQuery (https://deno.land/x/[email protected]/lib/model.ts:78:25)
    at async Function.create (https://deno.land/x/[email protected]/lib/model.ts:212:25)
    at async endpoint (file:///src/calendar/denodb/endpoint.ts:6:5)
2022-08-21 07:51:25
TLS connection failed with message: invalid peer certificate contents: invalid peer certificate: UnknownIssuer
Defaulting to non-encrypted connection

Any advice on how to fix? Does denodb have a useSSL option?


reggi commented Aug 21, 2022

I added ?sslmode=require to the end of the connection URI and I'm getting a new error:

An error occurred during route handling or page rendering. Error: The certificate used to secure the TLS connection is invalid.
    at Connection.#startup (https://deno.land/x/[email protected]/connection/connection.ts:238:31)
    at async Connection.startup (https://deno.land/x/[email protected]/connection/connection.ts:311:21)
    at async Client.connect (https://deno.land/x/[email protected]/client.ts:131:13)
    at async PostgresConnector._makeConnection (https://deno.land/x/[email protected]/lib/connectors/postgres-connector.ts:28:9)
    at async PostgresConnector.query (https://deno.land/x/[email protected]/lib/connectors/postgres-connector.ts:42:9)
    at async Database.query (https://deno.land/x/[email protected]/lib/database.ts:117:25)
    at async Function._runQuery (https://deno.land/x/[email protected]/lib/model.ts:78:25)
    at async Function.create (https://deno.land/x/[email protected]/lib/model.ts:212:25)
    at async endpoint (file:///src/calendar/denodb/endpoint.ts:6:5)
    at async Object.handler (file:///src/calendar/denodb/fresh/api.ts:4:25)


heqian commented Dec 7, 2022

I encountered the same initial issue with my project:

Dec 5 10:35:00 PM  TLS connection failed with message: Bad resource ID
Dec 5 10:35:00 PM  Defaulting to non-encrypted connection
Dec 5 10:35:00 PM  PostgresError: SSL/TLS required
Dec 5 10:35:00 PM      at assertSuccessfulStartup (https://deno.land/x/[email protected]/connection/connection.ts:68:13)
Dec 5 10:35:00 PM      at Connection.#startup (https://deno.land/x/[email protected]/connection/connection.ts:350:7)
Dec 5 10:35:00 PM      at async Connection.startup (https://deno.land/x/[email protected]/connection/connection.ts:417:11)
Dec 5 10:35:00 PM      at async Connection.query (https://deno.land/x/[email protected]/connection/connection.ts:869:7)
Dec 5 10:35:00 PM      at async PostgresConnector.query (https://deno.land/x/[email protected]/lib/connectors/postgres-connector.ts:76:22)
Dec 5 10:35:00 PM      at async Database.query (https://deno.land/x/[email protected]/lib/database.ts:240:21)
Dec 5 10:35:00 PM      at async Function._runQuery (https://deno.land/x/[email protected]/lib/model.ts:228:21)
Dec 5 10:35:00 PM      at async Function.first (https://deno.land/x/[email protected]/lib/model.ts:550:21)

and same error after adding ?sslmode=require.

I'm using PostgreSQL 15. Maybe it is a compatibility issue?


kaldaf commented Feb 9, 2023

Any idea how to fix it? I get an error with ?sslmode=require: "Error: the certificate used to secure the TLS connection is invalid." and "Sending fatal alert BadCertificate".

  • deno 1.30.3 (release, x86_64-pc-windows-msvc)
  • v8 10.9.194.5
  • typescript 4.9.4


pankgeorg commented Jan 7, 2024

Coming to this issue from googling "Error: the certificate used to secure the TLS connection is invalid." and "Sending fatal alert BadCertificate".

It seems that Deno doesn't load certificates correctly, or doesn't have the default Debian certificates or something.

In deno-deploy, I solved this by adding an environment variable with the certificate found in /etc/postgresql/15/main/postgresql.conf: ssl_cert_file, which, in my case is cat /etc/ssl/certs/ssl-cert-snakeoil.pem. In deno, do:

const cert = Deno.env.get("CERTIFICATE")

and then to the client

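// Pool comes from deno-postgres
import { Pool } from "https://deno.land/x/postgres/mod.ts";

const options = {
  database: "db",
  hostname: "myhost",
  password: Deno.env.get("POSTGRES_PASSWORD"),
  port: 5432,
  user: "deno",
  tls: {
    caCertificates: [
      cert, // PEM text read from the CERTIFICATE environment variable above
    ],
    enabled: false,
  },
}
const pool = new Pool(options, 5, true);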

this should work!
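
A variant of the client configuration above, as an added example that is not part of the thread or of deno-postgres itself: it takes the CA certificate from the CERTIFICATE environment variable, validates it as PEM, and sets both enabled and enforce so that a failed handshake raises an error instead of the "Defaulting to non-encrypted connection" fallback shown in the logs. The helper names and the POSTGRES_HOST, POSTGRES_PORT, POSTGRES_USER and POSTGRES_DB variables are assumptions, and it presumes a deno-postgres version whose tls options include enforce.

```typescript
// Added example (not from the issue). Env var names other than CERTIFICATE
// and POSTGRES_PASSWORD are assumptions.
type Env = Record<string, string | undefined>;

interface PgOptions {
  hostname: string;
  port: number;
  user: string;
  password: string;
  database: string;
  tls: { enabled: boolean; enforce: boolean; caCertificates: string[] };
}

const PEM_BLOCK =
  /-----BEGIN CERTIFICATE-----[A-Za-z0-9+\/=\s]+?-----END CERTIFICATE-----/g;

// Split a PEM bundle into single certificates. Hosting dashboards often store
// multi-line values with a literal "\n", so convert those back first.
function parseCaBundle(raw: string): string[] {
  const pem = raw.replace(/\\n/g, "\n");
  const blocks = pem.match(PEM_BLOCK) ?? [];
  if (blocks.length === 0) {
    throw new Error("CERTIFICATE holds no PEM certificate block");
  }
  return blocks.map((block) => block.trim() + "\n");
}

function required(env: Env, name: string): string {
  const value = env[name];
  if (!value) throw new Error(`missing environment variable ${name}`);
  return value;
}

function buildPgOptions(env: Env): PgOptions {
  return {
    hostname: required(env, "POSTGRES_HOST"),
    port: Number(env["POSTGRES_PORT"] ?? "5432"),
    user: required(env, "POSTGRES_USER"),
    password: required(env, "POSTGRES_PASSWORD"),
    database: required(env, "POSTGRES_DB"),
    tls: {
      enabled: true, // attempt a TLS handshake
      enforce: true, // error out rather than fall back to plaintext
      caCertificates: parseCaBundle(required(env, "CERTIFICATE")),
    },
  };
}

// In Deno: const pool = new Pool(buildPgOptions(Deno.env.toObject()), 5, true);
```
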

@jeremyjh

OP is using Heroku, which uses self-signed certificates by default. They do have a feature for CA-signed certificates in preview. https://devcenter.heroku.com/articles/heroku-postgres-enhanced-certificates
