The Wayback Machine - https://web.archive.org/web/20220402195514/https://github.com/brianc/node-postgres/pull/2517
Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow users to pass certs when PG environment variable PGSSLMODE=require/verify-ca/verify-full #2517

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Allow users to pass certs when PG environment variable PGSSLMODE=require/verify-ca/verify-full #2517

wants to merge 1 commit into from

Conversation

RichardJCai
Copy link

@RichardJCai RichardJCai commented Apr 10, 2021

Previously if readSSLConfigFromEnvironment was used to generate the SSL config, the ssl object would not be created to create certs.

I ran into this issue when trying to execute yarn tests to a secure cluster (SSLMODE=require), certs would never be read even when I specified PGSSLCERT, PGSSLKEY, PGSSLROOTCERT.

This fix allows the user to pass in certs through PG env variables.

I'm not great with JS so apologies in advance

Why this is necessary.

To highlight this issue in a simple case

Running the script I attached below through PGSSLMODE=require PGSSLCERT=/home/ubuntu/certs/client.testuser.crt PGSSLROOTCERT=/home/ubuntu/certs/ca.crt PGSSLKEY=/home/ubuntu/certs/client.testuser.key PGHOST=localhost PGPORT=26257 PGUSER=root node test.js results in the following error:

const {Client, Pool} = require("./packages/pg")

const client = new Client()
client.connect(err => {
if (err) {
    console.error('error connecting', err.stack)
} else {
    console.log('connected')
    client.end()
}
})

const pool = new Pool()
pool
.connect()
.then(client => {
    console.log('connected')
    client.release()
})
.catch(err => console.error('error connecting', err.stack))
.then(() => pool.end())

error connecting Error: unable to verify the first certificate
    at TLSSocket.onConnectSecure (_tls_wrap.js:1497:34)
    at TLSSocket.emit (events.js:315:20)
    at TLSSocket._finishInit (_tls_wrap.js:932:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:706:12)
error connecting Error: unable to verify the first certificate
    at TLSSocket.onConnectSecure (_tls_wrap.js:1497:34)
    at TLSSocket.emit (events.js:315:20)
    at TLSSocket._finishInit (_tls_wrap.js:932:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:706:12)

This is because the ssl field in ConnectionParameters is simply set to true and the certs fields are not populated

ConnectionParameters {
  user: 'root',
  database: 'root',
  port: 26257,
  host: 'localhost',
  binary: false,
  options: undefined,
  ssl: true,
  client_encoding: '',
  replication: undefined,
  isDomainSocket: false,
  application_name: undefined,
  fallback_application_name: undefined,
  statement_timeout: false,
  idle_in_transaction_session_timeout: false,
  query_timeout: false,
  connect_timeout: 0
}

charmander
charmander requested changes Apr 10, 2021
View changes
Copy link
Collaborator

@charmander charmander left a comment

They shouldn’t be required, just supported.

@RichardJCai
Copy link
Author

@RichardJCai RichardJCai commented Apr 10, 2021

They shouldn’t be required, just supported.

Gotcha, thought erroring would be better since if certs aren't passed in with the SSLMODEs then they won't be able to connect and getting a somewhat vague

error connecting Error: unable to verify the first certificate
    at TLSSocket.onConnectSecure (_tls_wrap.js:1497:34)
    at TLSSocket.emit (events.js:315:20)
    at TLSSocket._finishInit (_tls_wrap.js:932:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:706:12)
error connecting Error: unable to verify the first certificate
    at TLSSocket.onConnectSecure (_tls_wrap.js:1497:34)
    at TLSSocket.emit (events.js:315:20)
    at TLSSocket._finishInit (_tls_wrap.js:932:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:706:12)

is confusing since theres actually no certs to update. As far as I can tell, certs won't be populated anywhere when readSSLConfigFromEnvironment is called.

Do you think logging a warning is appropriate? It certainly would've helped me out.

@RichardJCai RichardJCai requested a review from charmander Apr 12, 2021
@RichardJCai RichardJCai force-pushed the allowing_passing_certs_through_pg_env branch from 29e0be5 to e0af654 Compare Apr 19, 2021
@RichardJCai
Copy link
Author

@RichardJCai RichardJCai commented Apr 19, 2021

Updated so that it'll return an object with the cert properties.

Please let me know if this is reasonable, mostly the part about returning undefined if the environment variable is not present for the certs.

@RichardJCai RichardJCai changed the title Require users to pass certs when PG environment variable PGSSLMODE=require/verify-ca/verify-full Allow users to pass certs when PG environment variable PGSSLMODE=require/verify-ca/verify-full Apr 19, 2021
@dyllandry
Copy link

@dyllandry dyllandry commented Nov 25, 2021

I just tried passing a cert via env var PGSSLROOTCERT and it doesn't work. From reading the node-postgres docs it seems like it should.

node-postgres uses the same environment variables as libpq to connect to a PostgreSQL server.

@rafiss rafiss mentioned this pull request Mar 19, 2022
Open
@rafiss rafiss force-pushed the allowing_passing_certs_through_pg_env branch 2 times, most recently from 889bb42 to 6b736e5 Compare Mar 25, 2022
@RichardJCai @rafiss
Allow users to pass certs with PG environment variables
7b1c4b1 
If PGSSLMODE is specified and is either require, verify-ca or verify-full,
then the PGSSLROOTCERT, PGSSLCERT, and PGSSLKEY environment variables
will be checked for certificate paths and used to connect.

This also includes a fix to CI to stop getting the following error:
```
yarn install v1.22.17
[1/4] Resolving packages...
[2/4] Fetching packages...
error Command failed.
Exit code: 128
Command: git
Arguments: ls-remote --tags --heads git://github.com/BonsaiDen/Fomatto.git
Directory: /home/runner/work/node-postgres/node-postgres
Output:
fatal: remote error:
  The unauthenticated git protocol on port 9418 is no longer supported.
Please see https://github.blog/2021-09-01-improving-git-protocol-security-github/ for more information.
info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.
```
@rafiss rafiss force-pushed the allowing_passing_certs_through_pg_env branch from 6b736e5 to 7b1c4b1 Compare Mar 25, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@charmander charmander

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@RichardJCai @dyllandry @charmander