Next-auth: postgres sslmode

Created on 6 Jul 2020 · 8 Comments · Source: nextauthjs/next-auth

Is it possible that the connection breaks when sslmode is set to "require"?
I'm having trouble connecting to a Postgres db where the sslmode is set to require.

documentation question

All 8 comments

Hmm, I've not run into that using Postgres but I don't think I've explicitly tried it with that option.

This might be a problem with TypeORM.

Based on the comments in that thread, have you tried using ssl=true as the option if using a connection string?


If that doesn't work, to help replicate:

  • Does it only cause issues when it is set and work otherwise?
  • Does it show an error or just seem to stop working?

Any other info we can use to replicate (e.g. does it happen right away, or after it's been running a while, is this locally or in production or both) would be helpful.

Hmm haven't tried using ssl=true but I've tried sslmode="require" which was not working. I'll give it a try.

Setting ssl to true doesn't seem to work.

When I view my vercel logs I have the following errors:

[POST] /api/auth/signin/email
10:04:10:70
2020-07-08T08:04:11.395Z    1b350129-145e-4e5d-b81c-10917696e2e7    ERROR   [next-auth][error][ADAPTER_CONNECTION_ERROR] [
  Error: self signed certificate in certificate chain
      at TLSSocket.onConnectSecure (_tls_wrap.js:1474:34)
      at TLSSocket.emit (events.js:310:20)
      at TLSSocket._finishInit (_tls_wrap.js:917:8)
      at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:687:12) {
    code: 'SELF_SIGNED_CERT_IN_CHAIN'
  }
] 
https://next-auth.js.org/errors#adapter_connection_error
2020-07-08T08:04:11.395Z    1b350129-145e-4e5d-b81c-10917696e2e7    ERROR   [next-auth][error][GET_USER_BY_EMAIL_ERROR] [
  TypeError: Cannot read property 'getRepository' of null
      at /var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:182:31
      at Generator.next (<anonymous>)
      at asyncGeneratorStep (/var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:28:103)
      at _next (/var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:30:194)
      at /var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:30:364
      at new Promise (<anonymous>)
      at /var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:30:97
      at _getUserByEmail (/var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:191:32)
      at getUserByEmail (/var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:170:32)
      at /var/task/node_modules/next-auth/dist/server/routes/signin.js:67:28
] 
https://next-auth.js.org/errors#get_user_by_email_error
2020-07-08T08:04:11.396Z    1b350129-145e-4e5d-b81c-10917696e2e7    ERROR   Unhandled Promise Rejection     {"errorType":"Runtime.UnhandledPromiseRejection","errorMessage":"Error: GET_USER_BY_EMAIL_ERROR","reason":{"errorType":"Error","errorMessage":"GET_USER_BY_EMAIL_ERROR","stack":["Error: GET_USER_BY_EMAIL_ERROR","    at /var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:188:35","    at Generator.next (<anonymous>)","    at asyncGeneratorStep (/var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:28:103)","    at _next (/var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:30:194)","    at /var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:30:364","    at new Promise (<anonymous>)","    at /var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:30:97","    at _getUserByEmail (/var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:191:32)","    at getUserByEmail (/var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:170:32)","    at /var/task/node_modules/next-auth/dist/server/routes/signin.js:67:28"]},"promise":{},"stack":["Runtime.UnhandledPromiseRejection: Error: GET_USER_BY_EMAIL_ERROR","    at process.<anonymous> (/var/runtime/index.js:35:15)","    at process.emit (events.js:322:22)","    at processPromiseRejections (internal/process/promises.js:209:33)","    at processTicksAndRejections (internal/process/task_queues.js:98:32)"]}
Unknown application error occurred
[GET] /api/auth/session
10:04:14:04
2020-07-08T08:04:14.762Z    32e93aae-087d-4a11-9ba0-7e33b7f1314b    ERROR   [next-auth][error][ADAPTER_CONNECTION_ERROR] [
  Error: self signed certificate in certificate chain
      at TLSSocket.onConnectSecure (_tls_wrap.js:1474:34)
      at TLSSocket.emit (events.js:310:20)
      at TLSSocket._finishInit (_tls_wrap.js:917:8)
      at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:687:12) {
    code: 'SELF_SIGNED_CERT_IN_CHAIN'
  }
] 
https://next-auth.js.org/errors#adapter_connection_error
2020-07-08T08:04:14.763Z    32e93aae-087d-4a11-9ba0-7e33b7f1314b    ERROR   [next-auth][error][GET_SESSION_ERROR] [
  TypeError: Cannot read property 'getRepository' of null
      at /var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:317:44
      at Generator.next (<anonymous>)
      at asyncGeneratorStep (/var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:28:103)
      at _next (/var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:30:194)
      at /var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:30:364
      at new Promise (<anonymous>)
      at /var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:30:97
      at _getSession (/var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:332:28)
      at getSession (/var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:309:28)
      at /var/task/node_modules/next-auth/dist/server/routes/session.js:96:29
] 
https://next-auth.js.org/errors#get_session_error
2020-07-08T08:04:14.763Z    32e93aae-087d-4a11-9ba0-7e33b7f1314b    ERROR   [next-auth][error][SESSION_ERROR] [
  Error: GET_SESSION_ERROR
      at /var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:329:35
      at Generator.next (<anonymous>)
      at asyncGeneratorStep (/var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:28:103)
      at _next (/var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:30:194)
      at /var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:30:364
      at new Promise (<anonymous>)
      at /var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:30:97
      at _getSession (/var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:332:28)
      at getSession (/var/task/node_modules/next-auth/dist/adapters/typeorm/index.js:309:28)
      at /var/task/node_modules/next-auth/dist/server/routes/session.js:96:29
] 
https://next-auth.js.org/errors#session_error

I managed to fix this issue by including a certificate for my connection. I'll place my config below so if people stumble on the same issue, they can see this as a reference. (maybe it's also an idea to add it to the documentation? Could make a PR for it.)

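const fs = require("fs");

// certFile (defined elsewhere): path to the CA certificate, in PEM format,
// that signed the database server's certificate.
const dbConnection = {
  type: "postgres",
  host: process.env.DB_HOST,
  port: process.env.DB_PORT,
  username: process.env.DB_USER,
  password: process.env.DB_PWD,
  database: process.env.DB_DB,
  entityPrefix: "nextauth_",
  ssl: {
    // Abort the connection if the server certificate does not chain to `ca`.
    rejectUnauthorized: true,
    ca: fs.readFileSync(certFile).toString(),
  },
}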

Thank you, this is super interesting and I'm sure it will be useful for other folks.

I agree, it would be great to add this to the documentation; I'm not sure there is a great place for it.

Feel free to leave this issue open till we find a home for it!

I managed to fix this issue by including a certificate for my connection. I'll place my config below so if people stumble on the same issue, they can see this as a reference. (maybe it's also an idea to add it to the documentation? Could make a PR for it.)

const dbConnection = {
  type: "postgres",
  host: process.env.DB_HOST,
  port: process.env.DB_PORT,
  username: process.env.DB_USER,
  password: process.env.DB_PWD,
  database: process.env.DB_DB,
  entityPrefix: "nextauth_",
  ssl: {
    rejectUnauthorized: false,
    ca: fs.readFileSync(certFile).toString(),
  },
}

Is that really including the cert? Or, are you turning off ssl with the line rejectUnauthorized: false?

https://devcenter.heroku.com/articles/heroku-postgresql#connecting-in-node-js

That article is EXTREMELY poorly written. The top of the article talks about how important it is to use SSL:

"Most clients will connect over SSL by default, but on occasion it is necessary to set the sslmode=require parameter on a Postgres connection. Please add this parameter in code rather than editing the config var directly. Please check you are enforcing use of SSL especially if you are using Java or Node.js clients."

But a plain English reading of rejectUnauthorized: false is "Do not reject unauthorized access." I can't make sense of it.

No, it is including the certificate; you still have to generate one yourself and afterwards read it from the filesystem. But you are correct about the reject part, that should be true. Not sure why I left the false part in it. I will edit it in my original comment.

This may very well be a very insecure way of handling it, but for my test setup this works perfectly: adding ?ssl=no-verify to the connection string

https://github.com/pgRITA/node-pgrita/issues/1#issue-734054474
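
The distinction this thread arrives at can be checked mechanically: a `ca` entry only protects the connection while `rejectUnauthorized` stays `true`, and `?ssl=no-verify` switches verification off. The following is an added example, not code from next-auth, TypeORM or any commenter; `auditDbTls`, the finding codes and the sample configs are hypothetical and constructed for illustration.

```javascript
// Added example: lint a Postgres connection config for the TLS mistakes
// discussed in this thread. Names and finding codes are hypothetical.
function auditDbTls(conn) {
  const findings = [];
  let ssl = conn.ssl;

  // Connection-string form: the thread's `ssl=true` and `ssl=no-verify`.
  if (conn.url) {
    const flag = new URL(conn.url).searchParams.get("ssl");
    if (flag === "no-verify") {
      findings.push("URL_NO_VERIFY");
      ssl = { rejectUnauthorized: false };
    } else if (flag === "true" && ssl === undefined) {
      ssl = true;
    }
  }

  if (ssl === undefined || ssl === false) {
    findings.push("NO_TLS"); // traffic, including credentials, is sent in clear
    return findings;
  }
  const opts = ssl === true ? {} : ssl;

  if (opts.rejectUnauthorized === false) {
    // Encrypted, but any certificate is accepted: no server authentication.
    findings.push("VERIFY_DISABLED");
    // A supplied CA does not help: a failed check no longer aborts the handshake.
    if (opts.ca) findings.push("CA_NOT_ENFORCED");
  } else if (!opts.ca) {
    // Verified against Node's default trust store only; a private or
    // self-signed CA then fails with SELF_SIGNED_CERT_IN_CHAIN, as in the logs.
    findings.push("DEFAULT_TRUST_STORE_ONLY");
  }
  return findings;
}

// Constructed sample configs mirroring the thread.
const samples = {
  fixed:    { ssl: { rejectUnauthorized: true,  ca: "<PEM of the database CA>" } },
  firstTry: { ssl: { rejectUnauthorized: false, ca: "<PEM of the database CA>" } },
  sslTrue:  { ssl: true },
  noVerify: { url: "postgres://app:secret@db.example.internal:5432/app?ssl=no-verify" },
};

for (const [name, conn] of Object.entries(samples)) {
  console.log(name.padEnd(9), auditDbTls(conn).join(", ") || "ok");
}
```

An empty result corresponds to the corrected config: TLS on, verification enforced, and the database CA supplied explicitly.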
