Hello.
Idk if this is the proper place to discuss this, so if not, please let me know where I can put this. Thanks.
After struggling quite a bit with setting up a GCP Cloud SQL connection with a required client SSL certificate, I'm here to propose a documentation update or even an env var name change if possible.
Docs describe db settings like this:
```
# Database
DB_PORT=5432 # Database port (optional)
DB_LOGGING=false # Database logging (optional)
DB_SYNCHRONIZE=false # Enable automatic model synchronization (optional)
DB_MIGRATE=true # Enable database migration (optional)
DB_REJECT_UNAUTHORIZED=true # Reject unauthorized access for the database. Acts as an SSL bypass. (optional)
DB_SSL_DISABLED=false # Disable database SSL
DB_SSL_CA= # Database SSL Certificate Authority (CA) - base64 encoded. Use https://gorules.io/tools/base64-certificate to encode your certificate
DB_SSL_CERT= # Database SSL Certificate
DB_SSL_KEY= # Database SSL Key
DB_SSL_ADVANCED= # Advanced SSL Settings provided in JSON. Overrides all DB SSL settings. See https://microsoft.github.io/PowerBI- JavaScript/interfaces/_node_modules__types_node_tls_d_._tls_.tlsoptions.html for more details
```
It almost worked but I was struggling with fixing this issue:
```
Error [ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate's altnames: Host: localhost. is not in the cert's altnames: DNS: xxxxx.europe-west1.sql.goog
    at Object.checkServerIdentity (node:tls:386:12)
    at TLSSocket.onConnectSecure (node:_tls_wrap:1689:27)
    at TLSSocket.emit (node:events:518:28)
    at TLSSocket._finishInit (node:_tls_wrap:1078:8)
    at ssl.onhandshakedone (node:_tls_wrap:864:12)
```
When using a private SQL instance, accessible only by internal IP address inside the VPC, node uses `localhost` as hostname (I may be wrong here) when validating the server cert. The SQL instance cert is using some internal hostnames, which generates this mismatch issue. Since the SQL instance is internal and only accessible from within the GCP VPC network, I wanted to disable this check. However, I could not find any obvious setting to do this.
I've noticed that there is `DB_SSL_ADVANCED` that possibly could contain this setting. But the documentation points to a non-existent (404) URL, https://microsoft.github.io/PowerBI. I've also tried to just google this PowerBI or `node_modules__types_node_tls_d_._tls_.tlsoptions.html` but found nothing useful.
Since this tool is using nodejs, I've looked at the node ssl support docs and found an option `rejectUnauthorized`. This was oddly similar to `DB_REJECT_UNAUTHORIZED`, so I've set this env var to `false` and it finally started to work.
My proposal:
- Fix the URL to the advanced SSL options
- If possible, change `DB_REJECT_UNAUTHORIZED` to something like `DB_SSL_VERIFYHOST`, which should be more descriptive
- If it is not possible to change this env var, then please update the documentation to explain this option better. Something that clearly states it is for verifying DB host certs. Maybe `Enable host ssl cert verification`?

What do you think about this?