
Unable to connect through SSL #2178

Closed
gpanainte opened this issue Apr 24, 2020 · 3 comments


@gpanainte

I'm using "pg": "^8.0.3" with nestjs and TypeOrm to connect to a PostgreSQL database hosted on Google Cloud.

I have the following configuration for the db connection.

TypeOrmCoreModule.forRootAsync({
  useFactory: (configService: AppConfigService) => ({
    type: 'postgres',
    host: configService.dbHost,
    port: configService.dbPort,
    username: configService.dbUser,
    password: configService.dbPassword,
    database: configService.dbName,
    schema: configService.dbSchema,
    entities: [`${__dirname}/**/*.entity{.ts,.js}`],
    autoLoadEntities: true,
    synchronize: configService.dbSync,
    // pg hands this object to Node's tls.connect(), so any tls.connect()
    // option (rejectUnauthorized, ca, cert, key, ...) can be set here.
    ssl: {
      // rejectUnauthorized: false,
      ca: configService.dbServerCA,     // downloaded from GCC
      cert: configService.dbClientCert, // downloaded from GCC
      key: configService.dbClientKey,   // downloaded from GCC
      enableTrace: true,
    },
  }),
  imports: [ConfigurationModule],
  inject: [AppConfigService],
}),

When I start my application I receive the following error message:

Error [ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate's altnames: Host: localhost. is not cert's CN: **********

What I've read and tested is that I should use rejectUnauthorized: false, but by doing this I give up on security features. Am I missing something with regard to configuration options that should allow me to use SSL without rejectUnauthorized: false?

@boromisp
Contributor

Based on this: https://nodejs.org/api/tls.html#tls_tls_connect_options_callback you could try to implement the checkServerIdentity function in the ssl config options:

ssl: {
  // Returns undefined for every certificate, so the server name check
  // always passes; the other tls options below are unchanged.
  checkServerIdentity: () => {},

  // rejectUnauthorized: false,
  ca: configService.dbServerCA,     // downloaded from GCC
  cert: configService.dbClientCert, // downloaded from GCC
  key: configService.dbClientKey,   // downloaded from GCC
  enableTrace: true,
},

I think the certificate is still validated; only the server name check is skipped.

@gpanainte
Author

Thank you @boromisp for your quick response. I have implemented this function and now it works. I've read about checkServerIdentity, but it is not exposed in the PostgresConnectionCredentialsOptions interface, and I was not sure that it would be taken into consideration. But I think this is a TypeOrm issue.

@charmander
Collaborator

Depending on how Google Cloud’s CAs work, it might be important to check the name, though. brianc/node-postgres-docs#79 suggests that there is a name to check, and provides the way to do it.
