Reload loop if a database uses a self-signed SSL certificate #639

Open
pk992 opened this issue Jul 30, 2021 · 1 comment
Comments

pk992 commented Jul 30, 2021

Describe the bug
In any hasura-backend-plus version released after v2.4.0, the container throws a warning if the PostgreSQL connection string uses sslmode=require and the certificate used on the database server is self-signed. This seems to prevent HBP from starting and results in a restart loop.

To Reproduce
Steps to reproduce the behavior:

  1. Set up a recent version of HBP and Hasura with any valid config (example below)
  2. Use an SSL connection string, i.e. postgresql://user:[email protected]:25060/default?sslmode=require, on an SSL-enabled database
  3. Check the container logs

Expected behavior
HBP should start regardless of the warning.

Output

yarn run v1.22.5
$ node -r ./dist/start.js
Applying migrations
(node:27) UnhandledPromiseRejectionWarning: Error: self signed certificate in certificate chain
    at TLSSocket.onConnectSecure (_tls_wrap.js:1514:34)
    at TLSSocket.emit (events.js:375:28)
    at TLSSocket.emit (domain.js:470:12)
    at TLSSocket._finishInit (_tls_wrap.js:936:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:708:12)
(Use `node --trace-warnings ...` to show where the warning was created)
(node:27) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). To terminate the node process on unhandled promise rejection, use the CLI flag `--unhandled-rejections=strict` (see https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode). (rejection id: 1)
(node:27) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.
Done in 2.36s.

Additional context
The managed database hosting I used in this case was at DigitalOcean. They provide a certificate to download, but it's not possible to use a non-SSL connection.

The docker-compose.yaml below sets up Hasura, HBP and PostgreSQL with SSL (tested on a DO Hasura Droplet with Ubuntu 18.04)

version: '3.6'
services:
  postgres:
    image: postgres:12
    restart: always
    # one volumes list: a second `volumes:` key under the same service is a duplicate key and invalid YAML
    volumes:
    - db_data:/var/lib/postgresql/data
    - './keys:/var/lib/postgresql'
    environment:
      POSTGRES_PASSWORD: postgrespassword
    # snakeoil cert/key shipped with the Debian-based image; it is self-signed, which is what triggers the error above
    command: >
      -c ssl=on
      -c ssl_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
      -c ssl_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
  graphql-engine:
    image: hasura/graphql-engine:v2.0.4
    depends_on:
    - "postgres"
    restart: always
    environment:
      HASURA_GRAPHQL_METADATA_DATABASE_URL: postgres://postgres:postgrespassword@postgres:5432/postgres?sslmode=require
      HASURA_GRAPHQL_ENABLE_CONSOLE: "true"
      HASURA_GRAPHQL_DEV_MODE: "true"
      HASURA_GRAPHQL_ADMIN_SECRET: myadminsecretkey
      HASURA_GRAPHQL_JWT_SECRET: >-
        {"type": "HS512", "key": "randomRandomRandomRandomRandomRandomRandomRandomRandomRandomRandomRandomRandomRandomRandomRandomRandomRandom"}
    command:
    - graphql-engine
    - serve
  hasura-backend-plus:
    image: nhost/hasura-backend-plus:v2.7.1
    depends_on:
    - "graphql-engine"
    restart: always
    ports:
    - "4000:4000"
    environment:
      HOST: 0.0.0.0
      PORT: 4000
      DATABASE_URL: >-
        postgres://postgres:postgrespassword@postgres:5432/postgres?sslmode=require
      SERVER_URL: "http://localhost:4000"
      HASURA_ENDPOINT: "http://graphql-engine:8080/v1/graphql"
      HASURA_GRAPHQL_ADMIN_SECRET: myadminsecretkey
      JWT_ALGORITHM: HS512
      JWT_KEY: randomRandomRandomRandomRandomRandomRandomRandomRandomRandomRandomRandomRandomRandomRandomRandomRandomRandom
      STORAGE_ENABLED: 'false'
  caddy:
    image: caddy/caddy
    depends_on:
    - "graphql-engine"
    restart: always
    ports:
    - "80:80"
    - "443:443"
    volumes:
    - ./Caddyfile:/etc/caddy/Caddyfile
    - caddy_certs:/root/.caddy
volumes:
  db_data:
  caddy_certs:

makstr commented Nov 8, 2021

Try adding NODE_TLS_REJECT_UNAUTHORIZED: '0' to your hbp compose file
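Added example, not code from hasura-backend-plus or from either participant: the alternative to the NODE_TLS_REJECT_UNAUTHORIZED=0 workaround is to keep verification on and trust the provider's CA explicitly in the node-postgres `ssl` option, failing closed when no CA is supplied. It assumes a hypothetical PG_CA_CERT environment variable that carries the PEM text of the downloaded CA certificate.

```javascript
'use strict';
// Build a node-postgres (pg) client config for a server whose certificate
// chains to a private or self-signed CA, keeping TLS verification enabled.
// Assumption: caPem is the PEM text of that CA (e.g. the file DigitalOcean
// lets you download); PG_CA_CERT is a hypothetical env var holding it.

function buildPgConfig(databaseUrl, caPem) {
  const url = new URL(databaseUrl);
  // libpq-style sslmode lives in the query string; default to 'require',
  // which is what the connection strings in this issue use.
  const mode = url.searchParams.get('sslmode') || 'require';
  // Strip sslmode so the connection-string parser cannot override the
  // explicit ssl object returned below.
  url.searchParams.delete('sslmode');
  const connectionString = url.toString();

  if (mode === 'disable') {
    return { connectionString, ssl: false };
  }
  if (!['prefer', 'require', 'verify-ca', 'verify-full'].includes(mode)) {
    throw new Error(`unsupported sslmode "${mode}"`);
  }
  if (!caPem) {
    // Fail loudly rather than falling back to an unverified connection:
    // NODE_TLS_REJECT_UNAUTHORIZED=0 (or ssl.rejectUnauthorized: false)
    // accepts any certificate, and the env var does so for every TLS
    // connection the process makes, not only the database one.
    throw new Error(`sslmode=${mode} needs the server CA certificate (PEM)`);
  }
  return {
    connectionString,
    ssl: {
      rejectUnauthorized: true, // reject chains not rooted in `ca`
      ca: caPem,                // trust this CA in place of the system store
    },
  };
}

// Container wiring: DATABASE_URL as in the compose file above, PG_CA_CERT
// (hypothetical name) holding the CA certificate's PEM text.
function loadPgConfigFromEnv(env = process.env) {
  return buildPgConfig(env.DATABASE_URL, env.PG_CA_CERT);
}
```

The returned object can be passed straight to `new Pool(...)`; with the CA pinned, a self-signed server certificate signed by that CA verifies, while any other certificate is still rejected.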
