Error: self signed certificate in certificate chain

Hello, I am a new user of drizzle and trying to run the command for the first time:
drizzle-kit introspect:pg
drizzle-kit introspect:pg
But I got this error
[⣟] 0 tables fetching
[⣟] 0 columns fetching
[⣟] 0 enums fetching
[⣟] 0 indexes fetching
[⣟] 0 foreign keys fetching
Error: self signed certificate in certificate chain
at TLSSocket.onConnectSecure (node:_tls_wrap:1530:34)
at TLSSocket.emit (node:events:390:28)
at TLSSocket._finishInit (node:_tls_wrap:944:8)
at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:725:12) {
code: 'SELF_SIGNED_CERT_IN_CHAIN'
}
[⣟] 0 tables fetching
[⣟] 0 columns fetching
[⣟] 0 enums fetching
[⣟] 0 indexes fetching
[⣟] 0 foreign keys fetching
Error: self signed certificate in certificate chain
at TLSSocket.onConnectSecure (node:_tls_wrap:1530:34)
at TLSSocket.emit (node:events:390:28)
at TLSSocket._finishInit (node:_tls_wrap:944:8)
at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:725:12) {
code: 'SELF_SIGNED_CERT_IN_CHAIN'
}
I am connecting drizzle to my Supabase instance, and my config file is like this
import type { Config } from "drizzle-kit";

export default {
schema: "./src/schema.ts",
driver: "pg",
out: "./drizzle",
dbCredentials: {
host: process.env.host,
port: 5432,
user: "postgres",
password: process.env.password,
database: "postgres",
ssl: true,
},
} satisfies Config;
import type { Config } from "drizzle-kit";

export default {
schema: "./src/schema.ts",
driver: "pg",
out: "./drizzle",
dbCredentials: {
host: process.env.host,
port: 5432,
user: "postgres",
password: process.env.password,
database: "postgres",
ssl: true,
},
} satisfies Config;
I have already enabled ssl, why does this happen and how to resolve this?
25 Replies
phoenisx
phoenisx2y ago
Related to https://github.com/drizzle-team/drizzle-orm/issues/831#issue-1781522128 Even I am trying to find how to connect to Remote Postgres (Encrypted), from localhost using Drizzle
GitHub
[BUG]: dbCredentials.ssl is not working while introspecting · Iss...
What version of drizzle-orm are you using? 0.27.0 What version of drizzle-kit are you using? 0.19.2 Describe the Bug The ssl option is not working while running introspect, // drizzle.config.ts exp...
laubonghaudoi
laubonghaudoiOP2y ago
So it’s not a drizzle problem?
archer
archer17mo ago
Also having this issue...
rphlmr ⚡
rphlmr ⚡17mo ago
Hello I'm a Supabase user too
import type { Config } from "drizzle-kit";

export default {
schema: "./src/schema/*",
out: "./drizzle",
driver: 'pg',
dbCredentials: {
connectionString: "postgresql://postgres:[email protected]:5432/postgres",
}
} satisfies Config;
import type { Config } from "drizzle-kit";

export default {
schema: "./src/schema/*",
out: "./drizzle",
driver: 'pg',
dbCredentials: {
connectionString: "postgresql://postgres:[email protected]:5432/postgres",
}
} satisfies Config;
Works great. Any reason you don't use the connection string?
laubonghaudoi
laubonghaudoiOP17mo ago
I tried using connection string too but it asks for SSL. I guess your supabase db doesnt require SSL connection?
rphlmr ⚡
rphlmr ⚡17mo ago
Will see asap, it is not a fresh db, maybe something in my config 🤔
rphlmr ⚡
rphlmr ⚡17mo ago
No description
rphlmr ⚡
rphlmr ⚡17mo ago
true, it is disabled on my project
laubonghaudoi
laubonghaudoiOP17mo ago
So it doesnt require you to connect with SSL?
rphlmr ⚡
rphlmr ⚡17mo ago
Nope, no need.
laubonghaudoi
laubonghaudoiOP17mo ago
So connection string doesnt work for me either, even after I turned off SSL. I got the same error.
rphlmr ⚡
rphlmr ⚡17mo ago
maybe try to restart your db (from supabase dashboard). I know support is really fast qnd helpful if you still encounter this issue.
laubonghaudoi
laubonghaudoiOP17mo ago
I have tried restarting the db, how to get their support? I thought the discord channel here is the support
rphlmr ⚡
rphlmr ⚡17mo ago
I mean Supabase support. Maybe they can help you looking at your project configuration.
pandareaper
pandareaper17mo ago
I've never used supabase, but a quick google told me it is possible to disable SSL enforcement in your database through the CLI Ideally you use SSL, to do so you would download the root certificate for your database following these instructions https://supabase.com/docs/guides/database/connecting-to-postgres#connecting-with-ssl You then need to configure nodejs to either pick up that root certificate, or configure your connection to pick it up. Last I checked, drizzle-kit doesn't support that You can either configure a path for nodejs to look for extra certificates to use for SSL verification https://nodejs.org/api/cli.html#node_extra_ca_certsfile Or configure it on your database connection (the preferred approach)
return postgres({
database: config.DB_NAME,
user: config.DB_USER,
password: config.DB_PASSWORD,
host: config.DB_HOST,
port: config.DB_PORT,
max: config.DB_POOL_SIZE,
ssl: config.RDS_CERT_BUNDLE_LOCATION
? {
rejectUnauthorized: true,
ca: [readFileSync(config.RDS_CERT_BUNDLE_LOCATION)],
}
: undefined,
})
return postgres({
database: config.DB_NAME,
user: config.DB_USER,
password: config.DB_PASSWORD,
host: config.DB_HOST,
port: config.DB_PORT,
max: config.DB_POOL_SIZE,
ssl: config.RDS_CERT_BUNDLE_LOCATION
? {
rejectUnauthorized: true,
ca: [readFileSync(config.RDS_CERT_BUNDLE_LOCATION)],
}
: undefined,
})
Connecting to your database | Supabase Docs
Explore the options for connecting to your Postgres database.
laubonghaudoi
laubonghaudoiOP17mo ago
Thanks for your detailed info! Can you elaborate on this part
ssl: config.RDS_CERT_BUNDLE_LOCATION
? {
rejectUnauthorized: true,
ca: [readFileSync(config.RDS_CERT_BUNDLE_LOCATION)],
}
: undefined,
ssl: config.RDS_CERT_BUNDLE_LOCATION
? {
rejectUnauthorized: true,
ca: [readFileSync(config.RDS_CERT_BUNDLE_LOCATION)],
}
: undefined,
Because in the drizzle kit type definition, ssl only accepts a boolean value. How can you pass a string to a boolean field?
No description
rphlmr ⚡
rphlmr ⚡17mo ago
I think it is not possible right now. I have tested too, enabling ssl: same issue. Disabling SSL on supabase dashboard and drizzle kit works again.
No description
rphlmr ⚡
rphlmr ⚡17mo ago
To track this I have created an issue on drizzle-kit: https://github.com/drizzle-team/drizzle-kit-mirror/issues/157
Andrii Sherman
Andrii Sherman17mo ago
Taking that and related issue as well
quitelistener
quitelistener17mo ago
i think drizzle accepts ssl as tls object. I set to false for testing.
import { pgTable, serial, text, varchar } from "drizzle-orm/pg-core";
import { drizzle } from "drizzle-orm/node-postgres";
import { Client } from "pg";


const client = new Client({
host: "...",
port: 5432,
user: "postgres",
password: ".....",
database: "postgres",
ssl: {
rejectUnauthorized: false,
},
}
);
import { pgTable, serial, text, varchar } from "drizzle-orm/pg-core";
import { drizzle } from "drizzle-orm/node-postgres";
import { Client } from "pg";


const client = new Client({
host: "...",
port: 5432,
user: "postgres",
password: ".....",
database: "postgres",
ssl: {
rejectUnauthorized: false,
},
}
);
I was able to resolve "self sign" error by providing certificate from aws doc site. 1) downloaded "Certificate bundles for all AWS Regions" (you can download for single region as well).
https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL.html 2) change client to force SSL
ssl: {
rejectUnauthorized: true
}
ssl: {
rejectUnauthorized: true
}
3) run
export NODE_EXTRA_CA_CERTS=/usr/local/etc/ca-certificates/global-bundle.pem
export NODE_EXTRA_CA_CERTS=/usr/local/etc/ca-certificates/global-bundle.pem
You can store pem in any folder and refer it in above statement.
Augusto
Augusto7mo ago
it works on rds with postgres?
PabloHDev 🧩
PabloHDev 🧩2mo ago
Hello everyone, I'm having the similar issue. I'm have a application with nestjs, in the drizzle module i can keep a connection with success, i disabled on the aws to force usse ssl connection, but in drizzle.config.ts yet don´t working when I try execute a migration.
PabloHDev 🧩
PabloHDev 🧩2mo ago
module of nestjs working
No description
PabloHDev 🧩
PabloHDev 🧩2mo ago
not working of migrate
No description
PabloHDev 🧩
PabloHDev 🧩2mo ago
I can fixed. added ?sslmode=no-verify on I managed to solve it by adding ?sslmode=no-verifyat the end of the connection string
No description
Want results from more Discord servers?
Add your server