Error: self signed certificate in certificate chain

Hello, I am a new user of drizzle and trying to run the command for the first time:
drizzle-kit introspect:pg
But I got this error
[⣟] 0 tables fetching
[⣟] 0 columns fetching
[⣟] 0 enums fetching
[⣟] 0 indexes fetching
[⣟] 0 foreign keys fetching
Error: self signed certificate in certificate chain
at TLSSocket.onConnectSecure (node:_tls_wrap:1530:34)
at TLSSocket.emit (node:events:390:28)
at TLSSocket._finishInit (node:_tls_wrap:944:8)
at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:725:12) {
code: 'SELF_SIGNED_CERT_IN_CHAIN'
}
I am connecting drizzle to my Supabase instance, and my config file is like this
import type { Config } from "drizzle-kit";

export default {
  schema: "./src/schema.ts",
  driver: "pg",
  out: "./drizzle",
  dbCredentials: {
    host: process.env.host,
    port: 5432,
    user: "postgres",
    password: process.env.password,
    database: "postgres",
    ssl: true,
  },
} satisfies Config;
I have already enabled ssl, why does this happen and how to resolve this?
21 Replies
phoenisx, 16mo ago
Related to https://github.com/drizzle-team/drizzle-orm/issues/831#issue-1781522128. Even I am trying to find how to connect to remote Postgres (encrypted) from localhost using Drizzle.
GitHub
[BUG]: dbCredentials.ssl is not working while introspecting · Iss...
What version of drizzle-orm are you using? 0.27.0 What version of drizzle-kit are you using? 0.19.2 Describe the Bug The ssl option is not working while running introspect, // drizzle.config.ts exp...
laubonghaudoi (OP), 16mo ago
So it’s not a drizzle problem?
archer, 16mo ago
Also having this issue...
rphlmr ⚡, 16mo ago
Hello I'm a Supabase user too
import type { Config } from "drizzle-kit";

export default {
  schema: "./src/schema/*",
  out: "./drizzle",
  driver: 'pg',
  dbCredentials: {
    connectionString: "postgresql://postgres:[email protected]:5432/postgres",
  }
} satisfies Config;
Works great. Any reason you don't use the connection string?
laubonghaudoi (OP), 16mo ago
I tried using connection string too but it asks for SSL. I guess your Supabase db doesn't require SSL connection?
rphlmr ⚡, 16mo ago
Will see asap, it is not a fresh db, maybe something in my config 🤔
rphlmr ⚡, 16mo ago
true, it is disabled on my project
laubonghaudoi (OP), 15mo ago
So it doesn't require you to connect with SSL?
rphlmr ⚡, 15mo ago
Nope, no need.
laubonghaudoi (OP), 15mo ago
So connection string doesn't work for me either, even after I turned off SSL. I got the same error.
rphlmr ⚡, 15mo ago
Maybe try to restart your db (from Supabase dashboard). I know support is really fast and helpful if you still encounter this issue.
laubonghaudoi (OP), 15mo ago
I have tried restarting the db, how to get their support? I thought the discord channel here is the support
rphlmr ⚡, 15mo ago
I mean Supabase support. Maybe they can help you looking at your project configuration.
pandareaper, 15mo ago
I've never used supabase, but a quick google told me it is possible to disable SSL enforcement in your database through the CLI.
Ideally you use SSL, to do so you would download the root certificate for your database following these instructions: https://supabase.com/docs/guides/database/connecting-to-postgres#connecting-with-ssl
You then need to configure nodejs to either pick up that root certificate, or configure your connection to pick it up. Last I checked, drizzle-kit doesn't support that.
You can either configure a path for nodejs to look for extra certificates to use for SSL verification: https://nodejs.org/api/cli.html#node_extra_ca_certsfile
Or configure it on your database connection (the preferred approach):
return postgres({
  database: config.DB_NAME,
  user: config.DB_USER,
  password: config.DB_PASSWORD,
  host: config.DB_HOST,
  port: config.DB_PORT,
  max: config.DB_POOL_SIZE,
  ssl: config.RDS_CERT_BUNDLE_LOCATION
    ? {
        rejectUnauthorized: true,
        ca: [readFileSync(config.RDS_CERT_BUNDLE_LOCATION)],
      }
    : undefined,
})
laubonghaudoi (OP), 15mo ago
Thanks for your detailed info! Can you elaborate on this part
ssl: config.RDS_CERT_BUNDLE_LOCATION
  ? {
      rejectUnauthorized: true,
      ca: [readFileSync(config.RDS_CERT_BUNDLE_LOCATION)],
    }
  : undefined,
Because in the drizzle kit type definition, ssl only accepts a boolean value. How can you pass a string to a boolean field?
rphlmr ⚡, 15mo ago
I think it is not possible right now. I have tested too, enabling ssl: same issue. Disabling SSL on supabase dashboard and drizzle kit works again.
rphlmr ⚡, 15mo ago
To track this I have created an issue on drizzle-kit: https://github.com/drizzle-team/drizzle-kit-mirror/issues/157
Andrii Sherman, 15mo ago
Taking that and related issue as well
quitelistener, 15mo ago
I think drizzle accepts ssl as tls object. I set to false for testing.
import { pgTable, serial, text, varchar } from "drizzle-orm/pg-core";
import { drizzle } from "drizzle-orm/node-postgres";
import { Client } from "pg";

const client = new Client({
  host: "...",
  port: 5432,
  user: "postgres",
  password: ".....",
  database: "postgres",
  ssl: {
    rejectUnauthorized: false,
  },
});
I was able to resolve "self sign" error by providing certificate from aws doc site.
1) downloaded "Certificate bundles for all AWS Regions" (you can download for single region as well). https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL.html
2) change client to force SSL
ssl: {
  rejectUnauthorized: true
}
3) run
export NODE_EXTRA_CA_CERTS=/usr/local/etc/ca-certificates/global-bundle.pem
You can store the pem in any folder and refer to it in the above statement.
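Added example, not part of the thread and not code from drizzle-kit, pg or postgres.js: one way to build the `ssl` option described in the two replies above so that verification stays on and only the downloaded CA bundle is trusted. `splitPemBundle`, `buildSslOption` and the sample bundle are hypothetical names and constructed data, and the PEM check is structural only (it does not parse X.509).

```javascript
// Added example: hypothetical helpers, not part of drizzle-kit, pg or postgres.js.

// Split a PEM bundle (such as a downloaded root certificate file) into its
// individual CERTIFICATE blocks. Structural check only, no X.509 parsing.
function splitPemBundle(pemText) {
  const re =
    /-----BEGIN CERTIFICATE-----\r?\n[A-Za-z0-9+\/=\r\n]+?-----END CERTIFICATE-----/g;
  return pemText.match(re) || [];
}

// Build the `ssl` option for a pg / postgres.js connection.
//   caPem:      contents of the CA bundle, or undefined when none is configured
//   requireTls: whether the server enforces SSL
function buildSslOption(caPem, requireTls) {
  if (caPem === undefined) {
    // No explicit CA: verification stays on and relies on Node's default trust
    // store plus NODE_EXTRA_CA_CERTS, which Node reads only at process start.
    return requireTls ? { rejectUnauthorized: true } : undefined;
  }
  const certs = splitPemBundle(caPem);
  if (certs.length === 0) {
    // Fail closed rather than connect without a usable trust anchor.
    throw new Error("CA bundle contains no PEM certificate blocks");
  }
  // Never downgrade to rejectUnauthorized: false to silence the error.
  return { rejectUnauthorized: true, ca: certs };
}

// Constructed sample bundle: the base64 bodies are placeholders, not real
// certificates, so this only exercises the bundle handling.
const SAMPLE_BUNDLE = [
  "-----BEGIN CERTIFICATE-----",
  "Q09OU1RSVUNURUQtUExBQ0VIT0xERVItMQ==",
  "-----END CERTIFICATE-----",
  "-----BEGIN CERTIFICATE-----",
  "Q09OU1RSVUNURUQtUExBQ0VIT0xERVItMg==",
  "-----END CERTIFICATE-----",
  "",
].join("\n");
```

Pass the file contents, for example `readFileSync(path, "utf8")`, as `caPem` and use the result as the `ssl` value of `new Client({...})` or `postgres({...})`.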
Augusto, 6mo ago
it works on rds with postgres?