LB4 with Loopback-connector-postgresql@5.3.0 causing SSL Error
KevinChengYang opened this issue · 4 comments
I kept getting the same error in LB4 even using the right syntax below and right version of loopback-connector-postgresql@5.3.0 after I deploy it to IBM Cloud Kubenetes, it runs without any issues on my local.
import {BootMixin} from '@loopback/boot';
import {ApplicationConfig} from '@loopback/core';
import {RepositoryMixin} from '@loopback/repository';
import {RestApplication} from '@loopback/rest';
import {
RestExplorerBindings,
RestExplorerComponent
} from '@loopback/rest-explorer';
import {ServiceMixin} from '@loopback/service-proxy';
import fs from 'fs';
import path from 'path';
import {ProductSelectionDataSource} from './datasources';
import {MySequence} from './sequence';
export {ApplicationConfig};
export class ProductSelectionApplication extends BootMixin(
ServiceMixin(RepositoryMixin(RestApplication)),
) {
constructor(options: ApplicationConfig = {}) {
super(options);
//process.env['NODE_TLS_REJECT_UNAUTHORIZED'] = '0';
console.log("__dirname: " + __dirname);
console.log("*********************************************************************************");
const crtpath = path.join(__dirname, '../private/ca.crt');
console.log("crtpath:" + crtpath);
console.log("content of crt: " + fs.readFileSync(crtpath).toString());
console.log("*********************************************************************************");
const keypath = path.join(__dirname, '../private/ca.key');
console.log("keypath:" + keypath);
console.log("content of key: " + fs.readFileSync(keypath).toString());
console.log("*********************************************************************************");
var dbcert = process.env.DB_CERT;
let dbCert = Buffer.from(`{dbcert}`, 'base64');
console.log("content of dbcert: " + dbCert);
console.log("*********************************************************************************");
this.bind('datasources.config.productSelection').to({
name: 'dbname',
connector: 'postgresql',
url: process.env.DB_CONNECTION_STRING,
ssl: {
ca: fs.readFileSync(crtpath).toString(),
key: fs.readFileSync(keypath).toString(),
cert: dbCert,
rejectUnauthorized: false,
},
});
this.bind('datasources.productSelection').toClass(ProductSelectionDataSource);
// Set up the custom sequence
this.sequence(MySequence);
// Set up default home page
this.static('/', path.join(__dirname, '../public'));
// Customize @loopback/rest-explorer configuration here
this.configure(RestExplorerBindings.COMPONENT).to({
path: '/explorer',
});
this.component(RestExplorerComponent);
this.projectRoot = __dirname;
// Customize @loopback/boot Booter Conventions here
this.bootOptions = {
controllers: {
// Customize ControllerBooter Conventions here
dirs: ['controllers'],
extensions: ['.controller.js'],
nested: true,
},
};
}
}
The error I got:
Node ENV: dev
Server is running at http://127.0.0.1:3000
Try http://127.0.0.1:3000/ping
Connection fails: Error: self signed certificate in certificate chain
It will be retried for the next request.
_tls_wrap.js:1497
Error: self signed certificate in certificate chain
at TLSSocket.onConnectSecure (_tls_wrap.js:1497:34)
at TLSSocket.emit (events.js:315:20)
at TLSSocket._finishInit (_tls_wrap.js:932:8)
at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:706:12)
at TLSWrap.callbackTrampoline (internal/async_hooks.js:131:14)
I tried to use old version of loopback-connector-postgresql@3.9.1 but it seems the latest version of LB4 doesn't like it. the LB4 version list below:
$ lb4 -v
@loopback/cli version: 2.20.0
@loopback/* dependencies:
- @loopback/authentication: ^7.1.0
- @loopback/boot: ^3.3.0
- @loopback/build: ^6.3.0
- @loopback/context: ^3.15.0
- @loopback/core: ^2.15.0
- @loopback/metadata: ^3.2.0
- @loopback/openapi-spec-builder: ^3.1.0
- @loopback/openapi-v3: ^5.2.0
- @loopback/repository-json-schema: ^3.3.0
- @loopback/repository: ^3.5.0
- @loopback/rest: ^9.2.0
- @loopback/testlab: ^3.3.0
- @loopback/docs: ^3.23.0
- @loopback/example-hello-world: ^2.2.0
- @loopback/example-log-extension: ^2.2.0
- @loopback/example-rpc-server: ^2.2.0
- @loopback/example-todo: ^3.10.0
- @loopback/example-soap-calculator: ^2.5.0
- @loopback/service-proxy: ^3.1.0
- @loopback/http-caching-proxy: ^2.2.0
- @loopback/http-server: ^2.4.0
- @loopback/example-todo-list: ^3.8.0
- @loopback/dist-util: ^0.4.0
- @loopback/rest-explorer: ^3.2.0
- @loopback/eslint-config: ^10.1.0
- @loopback/example-express-composition: ^2.6.0
- @loopback/example-greeter-extension: ^2.2.0
- @loopback/booter-lb3app: ^2.3.0
- @loopback/example-lb3-application: ^2.6.0
- @loopback/example-greeting-app: ^2.3.0
- @loopback/example-context: ^2.2.0
- @loopback/repository-tests: ^0.17.0
- @loopback/health: ^0.7.0
- @loopback/authorization: ^0.8.0
- @loopback/rest-crud: ^0.9.0
- @loopback/security: ^0.4.0
- @loopback/authentication-passport: ^3.1.0
- @loopback/example-metrics-prometheus: ^0.5.0
- @loopback/metrics: ^0.7.0
- @loopback/model-api-builder: ^2.2.0
- @loopback/logging: ^0.5.0
- @loopback/example-access-control-migration: ^2.4.0
- @loopback/example-file-transfer: ^1.6.0
- @loopback/example-rest-crud: ^1.8.0
- @loopback/apiconnect: ^0.6.0
- @loopback/example-validation-app: ^1.9.0
- @loopback/cron: ^0.4.0
- @loopback/example-multi-tenancy: ^0.8.0
- @loopback/example-passport-login: ^1.10.0
- @loopback/authentication-jwt: ^0.8.0
- @loopback/context-explorer: ^0.4.0
- @loopback/express: ^3.2.0
- @loopback/example-todo-jwt: ^1.5.0
- @loopback/mock-oauth2-provider: ^0.2.0
- @loopback/pooling: ^0.4.0
- @loopback/typeorm: ^0.3.0
- @loopback/example-graphql: ^0.2.0
- @loopback/graphql: ^0.3.0
- @loopback/filter: ^1.4.0
- @loopback/rest-msgpack: ^0.4.0
- @loopback/example-binding-resolution: ^0.2.0
- @loopback/example-webpack: ^0.3.0
- @loopback/example-socketio: ^0.2.0
- @loopback/socketio: ^0.2.0
- @loopback/monorepo: ^0.2.0
- @loopback/tsdocs: ^2.5.0
Please advise and thank you so much.
Cross posting the answer from @raymondfeng on Slack: https://loopbackio.slack.com/archives/C01177XQN8N/p1617727228152000.
For TLS self-signed, there should be a connector setting that you can set to skip that
Check the pg npm package to find out what option to set
We pass connector settings to the underlying driver
@KevinChengYang, are you good with closing this issue? Thanks.
Hi Diana,
Disable TLS warning will compromise the security of this service, I can do that for dev environment, but it's absolutely not acceptable for Production environment.
(node:1) Warning: Setting the NODE_TLS_REJECT_UNAUTHORIZED environment variable to '0' makes TLS connections and HTTPS requests insecure by disabling certificate verification.
This defect need to be fixed as soon as possible.
Thank you.
Hi Diana,
I am experiencing the same issue as Kevin. Do you have an ETA when this issue will be fixed?
Thank you.