Is there support for client SSL certificates for node-postgres?
Are there some options we can pass to ssl when creating a client?
Thank you!
Anything you pass to the config options under the ssl option is passed directly to node:

    var pg = require('pg');

    var config = {
      user: 'brian',
      password: 'i like beans',
      ssl: {
        // all the stuff in this object gets passed STRAIGHT INTO the node tls socket
      }
    };

    pg.connect(config, function(err, client, done) {
      // ... use client here
    });

Does that help?
Yes, thank you!
Here is some sample code for the config:

    var config = {
      host: host,
      port: port,
      database: database,
      user: user,
      password: password,
      ssl: {
        sslrootcert: "/path/to/root.crt",
        sslcert: "/path/to/postgresql.crt",
        sslkey: "/path/to/postgresql.key", // <-- Make sure this is chmod 600
        sslmode: "require"
      }
    };

I'm getting an error that I'm not supplying a valid client certificate. I can connect from the same machine as the same user with the same connection parameters with psql. In looking at the logs, it looks like with psql the ssl connection is getting picked up as being from "postgres" but inside my app it's getting picked up as being from "(anonymous)" which I think is bonking because my certificate was configured with cn=postgres. Any suggestions on how to track this down?
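Hi, I was just looking at the code, looks like those args might be incorrect:
https://github.com/brianc/node-postgres/blob/6fddc566f09cf6b5919638a6f69c251e20437b75/lib/connection.js#L79
It appears that the following parameters are passed through: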

    ssl: {
      rejectUnauthorized,
      ca,
      pfx,
      key,
      passphrase,
      cert,
      NPNProtocols
    }

Is this still an issue? Also looking to use certs as well.
Yeah, this isn't working for me either. I can connect just fine via psql, and got it to actually initiate a connection by setting sslmode: "require". The cn issue that @CalebEverett had mentioned was resolved by setting sslmode as well. But postgres complains that a valid client certificate is required. Clearly not an issue with postgres config as psql works like a charm with the same settings. I've no problems doing some work to get it going, I'd even be willing to write a patch if I could find where the issue is at. Any ideas?
@jlamendo I was trying to get TLS working for pg as well (via knex), and it looks like this works for me:

    const fs = require("fs");

    const config = {
      host: hostname,
      port: port,
      user: username,
      database: dbname,
      ssl: {
        // file contents (not paths) are what the tls socket expects
        cert: fs.readFileSync("path/to/tls.crt"),
        key: fs.readFileSync("path/to/tls.key")
      }
    };

@bennettrogers: thanks, I was also struggling with this.
I'm still wondering how one can verify the server certificate. I've tried setting ca and process.env.PGSSLMODE = "verify-full" but it does not seem to have any effect and any server certificate is accepted, it seems.
@silverwind I have been working with configuring SSL recently too. So far, I have found that setting the PG* environment variables and passing an ssl config object do not work together. In your situation, where you want verify-full, I believe you can pass in:

    ssl: {
      ca: fs.readFileSync("path-to-ca-certificate"),
      rejectUnauthorized: true
    }

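
The libpq-style names tried earlier in this thread (sslrootcert, sslcert, sslkey, sslmode) are not in the list of options passed through to the tls socket, and Node's tls module ignores option names it does not recognize. As an added example (not code from this thread or from node-postgres), a hypothetical helper `toNodeTlsOptions` translates them into `ca`, `cert`, `key` and `rejectUnauthorized`; the sslmode mapping and the verify-full default are assumptions of this sketch.

```javascript
// Added example: hypothetical helper, not part of node-postgres.
// libpq parameter name -> Node tls option name (file contents, not paths).
const FILE_PARAMS = { sslrootcert: "ca", sslcert: "cert", sslkey: "key" };

// readFile is injected (pass fs.readFileSync in real use) so the constructed
// sample at the bottom runs without touching the disk.
function toNodeTlsOptions(params, readFile) {
  const out = {};
  for (const [name, value] of Object.entries(params)) {
    if (name === "sslmode") continue;
    const target = FILE_PARAMS[name];
    // Fail loudly: tls would ignore an unrecognized name and the connection
    // would go out without the client certificate.
    if (!target) throw new Error("unknown TLS parameter: " + name);
    out[target] = readFile(value);
  }
  // Assumption of this sketch: a missing sslmode means full verification.
  const mode = params.sslmode || "verify-full";
  if (mode === "verify-full") {
    out.rejectUnauthorized = true;             // chain and host name checked
  } else if (mode === "verify-ca") {
    out.rejectUnauthorized = true;             // chain checked
    out.checkServerIdentity = () => undefined; // host name check skipped
  } else if (mode === "require") {
    out.rejectUnauthorized = false;            // encrypted, server not verified
  } else {
    throw new Error("unsupported sslmode: " + mode);
  }
  // A client certificate is useless without its private key, and vice versa.
  if (Boolean(out.cert) !== Boolean(out.key)) {
    throw new Error("sslcert and sslkey must be given together");
  }
  return out;
}

// Constructed sample: a fake reader stands in for fs.readFileSync.
const fakeRead = (path) => "PEM contents of " + path;
const ssl = toNodeTlsOptions({
  sslrootcert: "/path/to/root.crt",
  sslcert: "/path/to/postgresql.crt",
  sslkey: "/path/to/postgresql.key",
  sslmode: "verify-full",
}, fakeRead);
console.log(Object.keys(ssl)); // pass `ssl` as the ssl option of the config
```
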