Getting rid of PostgreSQL SSL certificate errors

My version of HedgeDoc is: 1.8.2 (running in Docker using the image quay.io/hedgedoc/hedgedoc:1.8.2)

What I expected to happen:

HedgeDoc connects to the PostgreSQL database.

What actually happened:

It doesn’t, and it complains about a self-signed certificate:

2021/09/14 11:59:11 Waiting for: tcp://my.databa.se:2345
2021/09/14 11:59:11 Connected to tcp://my.databa.se:2345
> HedgeDoc@1.8.2 start
> node app.js
(node:38) [DEP0152] DeprecationWarning: Custom PerformanceEntry accessors are deprecated. Please use the detail property.
(Use `node --trace-deprecation ...` to show where the warning was created)
Unhandled rejection SequelizeConnectionError: self signed certificate in certificate chain
    at Client._connectionCallback (/hedgedoc/node_modules/sequelize/lib/dialects/postgres/connection-manager.js:182:24)
    at Client._handleErrorWhileConnecting (/hedgedoc/node_modules/pg/lib/client.js:305:19)
    at Client._handleErrorEvent (/hedgedoc/node_modules/pg/lib/client.js:315:19)
    at Connection.emit (node:events:394:28)
    at TLSSocket.reportStreamError (/hedgedoc/node_modules/pg/lib/connection.js:52:12)
    at TLSSocket.emit (node:events:394:28)
    at emitErrorNT (node:internal/streams/destroy:157:8)
    at emitErrorCloseNT (node:internal/streams/destroy:122:3)
    at processTicksAndRejections (node:internal/process/task_queues:83:21)

I already tried:

Update my config.json with this:

{
  "db": {
    "dialectOptions": {
      "ssl": {
        "require": true,
        "rejectUnauthorized": false
      }
    }
  },
  "some_other": "keys"
}

Please note that turning off SSL in my case is not an option as my provider (DigitalOcean managed database) doesn’t allow it. I have a CA certificate file, and tried to add it to my config file like this, but to no avail:

{
  "db": {
    "dialectOptions": {
      "ssl": {
        "ca": "----- BEGIN CERTIFICATE -----\n…"
      }
    }
  }
}

Hey,

Luckily a few weeks ago when I tested migrating the demo instance and other services to Kubernetes I hit a similar situation. I solved it by adding the certificate to the general CA bundle of NodeJS like this:

https://git.shivering-isles.com/hedgedoc/helm-chart/-/blob/181ae36dee1c8da393dcf8e8af0a7a6818251b5b/templates/deployment.yaml#L39-40

The CA certificate itself is mounted at /ca/service-ca.crt.

The config.json should look the same as yours.

Disclaimer: The helm chart is still in a PoC phase, so if you look for one, this is nothing official.
