Error: self signed certificate in certificate chain

Hello, I am a new user of drizzle and trying to run the command for the first time:

drizzle-kit introspect:pg

drizzle-kit introspect:pg

But I got this error

[⣟] 0 tables fetching
[⣟] 0 columns fetching
[⣟] 0 enums fetching
[⣟] 0 indexes fetching
[⣟] 0 foreign keys fetching
Error: self signed certificate in certificate chain
    at TLSSocket.onConnectSecure (node:_tls_wrap:1530:34)
    at TLSSocket.emit (node:events:390:28)
    at TLSSocket._finishInit (node:_tls_wrap:944:8)
    at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:725:12) {
  code: 'SELF_SIGNED_CERT_IN_CHAIN'
}

[⣟] 0 tables fetching
[⣟] 0 columns fetching
[⣟] 0 enums fetching
[⣟] 0 indexes fetching
[⣟] 0 foreign keys fetching
Error: self signed certificate in certificate chain
    at TLSSocket.onConnectSecure (node:_tls_wrap:1530:34)
    at TLSSocket.emit (node:events:390:28)
    at TLSSocket._finishInit (node:_tls_wrap:944:8)
    at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:725:12) {
  code: 'SELF_SIGNED_CERT_IN_CHAIN'
}

I am connecting drizzle to my Supabase instance, and my config file is like this

import type { Config } from "drizzle-kit";

export default {
  schema: "./src/schema.ts",
  driver: "pg",
  out: "./drizzle",
  dbCredentials: {
    host: process.env.host,
    port: 5432,
    user: "postgres",
    password: process.env.password,
    database: "postgres",
    ssl: true,
  },
} satisfies Config;

import type { Config } from "drizzle-kit";

export default {
  schema: "./src/schema.ts",
  driver: "pg",
  out: "./drizzle",
  dbCredentials: {
    host: process.env.host,
    port: 5432,
    user: "postgres",
    password: process.env.password,
    database: "postgres",
    ssl: true,
  },
} satisfies Config;

I have already enabled ssl, why does this happen and how to resolve this?

21 Replies

phoenisx•16mo ago

Related to https://github.com/drizzle-team/drizzle-orm/issues/831#issue-1781522128 Even I am trying to find how to connect to Remote Postgres (Encrypted), from localhost using Drizzle

GitHub

[BUG]: dbCredentials.ssl is not working while introspecting · Iss...

What version of drizzle-orm are you using? 0.27.0 What version of drizzle-kit are you using? 0.19.2 Describe the Bug The ssl option is not working while running introspect, // drizzle.config.ts exp...

laubonghaudoiOP•16mo ago

So it’s not a drizzle problem?

archer•16mo ago

Also having this issue...

rphlmr ⚡•16mo ago

Hello I'm a Supabase user too

import type { Config } from "drizzle-kit";
 
export default {
  schema: "./src/schema/*",
  out: "./drizzle",
  driver: 'pg',
  dbCredentials: {
    connectionString: "postgresql://postgres:[email protected]:5432/postgres",
  }
} satisfies Config;

import type { Config } from "drizzle-kit";
 
export default {
  schema: "./src/schema/*",
  out: "./drizzle",
  driver: 'pg',
  dbCredentials: {
    connectionString: "postgresql://postgres:[email protected]:5432/postgres",
  }
} satisfies Config;

Works great. Any reason you don't use the connection string?

laubonghaudoiOP•16mo ago

I tried using connection string too but it asks for SSL. I guess your supabase db doesnt require SSL connection?

rphlmr ⚡•16mo ago

Will see asap, it is not a fresh db, maybe something in my config 🤔

rphlmr ⚡•16mo ago

rphlmr ⚡•16mo ago

true, it is disabled on my project

laubonghaudoiOP•15mo ago

So it doesnt require you to connect with SSL?

rphlmr ⚡•15mo ago

Nope, no need.

laubonghaudoiOP•15mo ago

So connection string doesnt work for me either, even after I turned off SSL. I got the same error.

rphlmr ⚡•15mo ago

maybe try to restart your db (from supabase dashboard). I know support is really fast qnd helpful if you still encounter this issue.

laubonghaudoiOP•15mo ago

I have tried restarting the db, how to get their support? I thought the discord channel here is the support

rphlmr ⚡•15mo ago

I mean Supabase support. Maybe they can help you looking at your project configuration.

pandareaper•15mo ago

I've never used supabase, but a quick google told me it is possible to disable SSL enforcement in your database through the CLI Ideally you use SSL, to do so you would download the root certificate for your database following these instructions https://supabase.com/docs/guides/database/connecting-to-postgres#connecting-with-ssl You then need to configure nodejs to either pick up that root certificate, or configure your connection to pick it up. Last I checked, drizzle-kit doesn't support that You can either configure a path for nodejs to look for extra certificates to use for SSL verification https://nodejs.org/api/cli.html#node_extra_ca_certsfile Or configure it on your database connection (the preferred approach)

return postgres({
          database: config.DB_NAME,
          user: config.DB_USER,
          password: config.DB_PASSWORD,
          host: config.DB_HOST,
          port: config.DB_PORT,
          max: config.DB_POOL_SIZE,
          ssl: config.RDS_CERT_BUNDLE_LOCATION
            ? {
                rejectUnauthorized: true,
                ca: [readFileSync(config.RDS_CERT_BUNDLE_LOCATION)],
              }
            : undefined,
})

return postgres({
          database: config.DB_NAME,
          user: config.DB_USER,
          password: config.DB_PASSWORD,
          host: config.DB_HOST,
          port: config.DB_PORT,
          max: config.DB_POOL_SIZE,
          ssl: config.RDS_CERT_BUNDLE_LOCATION
            ? {
                rejectUnauthorized: true,
                ca: [readFileSync(config.RDS_CERT_BUNDLE_LOCATION)],
              }
            : undefined,
})

Connecting to your database | Supabase Docs

Explore the options for connecting to your Postgres database.

laubonghaudoiOP•15mo ago

Thanks for your detailed info! Can you elaborate on this part

  ssl: config.RDS_CERT_BUNDLE_LOCATION
    ? {
        rejectUnauthorized: true,
        ca: [readFileSync(config.RDS_CERT_BUNDLE_LOCATION)],
      }
    : undefined,

  ssl: config.RDS_CERT_BUNDLE_LOCATION
    ? {
        rejectUnauthorized: true,
        ca: [readFileSync(config.RDS_CERT_BUNDLE_LOCATION)],
      }
    : undefined,

Because in the drizzle kit type definition, ssl only accepts a boolean value. How can you pass a string to a boolean field?

rphlmr ⚡•15mo ago

I think it is not possible right now. I have tested too, enabling ssl: same issue. Disabling SSL on supabase dashboard and drizzle kit works again.

rphlmr ⚡•15mo ago

To track this I have created an issue on drizzle-kit: https://github.com/drizzle-team/drizzle-kit-mirror/issues/157

Andrii Sherman•15mo ago

Taking that and related issue as well

quitelistener•15mo ago

i think drizzle accepts ssl as tls object. I set to false for testing.

import { pgTable, serial, text, varchar } from "drizzle-orm/pg-core";
import { drizzle } from "drizzle-orm/node-postgres";
import { Client } from "pg";


const client = new Client({
    host: "...",
    port: 5432,
    user: "postgres",
    password: ".....",
    database: "postgres",
    ssl: {
        rejectUnauthorized: false,
    },
}
);

import { pgTable, serial, text, varchar } from "drizzle-orm/pg-core";
import { drizzle } from "drizzle-orm/node-postgres";
import { Client } from "pg";


const client = new Client({
    host: "...",
    port: 5432,
    user: "postgres",
    password: ".....",
    database: "postgres",
    ssl: {
        rejectUnauthorized: false,
    },
}
);

I was able to resolve "self sign" error by providing certificate from aws doc site. 1) downloaded "Certificate bundles for all AWS Regions" (you can download for single region as well).
https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL.html 2) change client to force SSL

 ssl: {
        rejectUnauthorized: true
    }

 ssl: {
        rejectUnauthorized: true
    }

3) run

export NODE_EXTRA_CA_CERTS=/usr/local/etc/ca-certificates/global-bundle.pem

export NODE_EXTRA_CA_CERTS=/usr/local/etc/ca-certificates/global-bundle.pem

You can store pem in any folder and refer it in above statement.

Augusto•6mo ago

it works on rds with postgres?

Gaming

Programming

Error: self signed certificate in certificate chain