I'm using "pg": "^8.0.3" with nestjs and TypeOrm to connect to a PostgreSQL database hosted on Google Cloud.
I have the following configuration for the db connection.
```ts
TypeOrmCoreModule.forRootAsync({
  useFactory: (configService: AppConfigService) => ({
    type: 'postgres',
    host: configService.dbHost,
    port: configService.dbPort,
    username: configService.dbUser,
    password: configService.dbPassword,
    database: configService.dbName,
    schema: configService.dbSchema,
    entities: [`${__dirname}/**/*.entity{.ts,.js}`],
    autoLoadEntities: true,
    synchronize: configService.dbSync,
    ssl: {
      // rejectUnauthorized: false,
      ca: configService.dbServerCA, // downloaded from GCC
      cert: configService.dbClientCert, // downloaded from GCC
      key: configService.dbClientKey, // downloaded from GCC
      enableTrace: true,
    },
  }),
  imports: [ConfigurationModule],
  inject: [AppConfigService],
}),
```
When I start my application I receive the following error message:

```
Error [ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate's altnames: Host: localhost. is not cert's CN: **********
```

What I've read and tested is that I should use `rejectUnauthorized: false`, but by doing this I give up security features. Am I missing something with regard to configuration options that would allow me to use SSL without `rejectUnauthorized: false`?
Based on this: https://nodejs.org/api/tls.html#tls_tls_connect_options_callback, you could try to implement the `checkServerIdentity` function in the ssl config options:

```ts
ssl: {
  checkServerIdentity: () => {},
  // rejectUnauthorized: false,
  ca: configService.dbServerCA, // downloaded from GCC
  cert: configService.dbClientCert, // downloaded from GCC
  key: configService.dbClientKey, // downloaded from GCC
  enableTrace: true,
},
```

I think the certificate is still validated; only the server name check is skipped.
Thank you @boromisp for your quick response. I have implemented this function and now it works. I've read about `checkServerIdentity`, but it is not exposed in the `PostgresConnectionCredentialsOptions` interface, and I was not sure that it would be taken into consideration. But I think this is a TypeOrm issue.

Depending on how Google Cloud's CAs work, it might be important to check the name, though. brianc/node-postgres-docs#79 suggests that there is a name to check, and provides the way to do it.