I'm trying to set up Retool with a Postgres DB with SSL.
I'm stuck at this error when starting the Retool backend:
Error running database migrations: SequelizeConnectionError: Hostname/IP does not match certificate's altnames: Host: localhost. is not cert's CN: <redacted>
I've set up the container with these ENV variables as described in Environment Variables
I've also tested against a DB without SSL and I was able to use Retool successfully. I even added the SSL DB as a resource in the new installation and that worked fine.
I'd note here, that I only needed to provide the client cert and key when adding a resource. It did not ask for a CA. For some reason, I'm unable to get the install working with SSL.
Can you share the environment variables that you have set on the instance? Are you using SSL? I believe that in order to use SSL for the db you have to set POSTGRES_SSL_ENABLED: true
Also, another user ran into this and their solution was to replace their GCP Postgres with a local Postgres instance and create the client certificate with CN=localhost.
Let me know if either of those sound like helpful routes, or if you're still stuck!
Our setup should be fairly standard as the DB is in Google Cloud Platform's Cloud SQL.
Connection/troubleshooting details:
IP, password and username are correct as I was able to test the connection successfully without SSL. This is obviously not desirable as it's a security risk.
For SSL, I entered the CA Cert, Client Key, and Client Cert but I get a similar error to the one from this post: Unable to connect. Error: Hostname/IP does not match certificate's altnames: Host: localhost. is not cert's CN: my_company_db_name_redacted:production-db
I've connected to other platforms providing the certs and keys as described in step 2 and they work, so either I'm missing some config or it's a retool issue?
This might be a bug on our end. While we work on fixing it, we have a workaround for you! If you toggle 'Skip TLS certificate validation' in your resource setup, that should allow you to connect. Alternatively, you can also use a bastion host with SSH in the meantime.
Ah ok, I think I see the problem! It looks like there was a bug in v2.100.7 (fixed in v2.101.x), which only reads in the CA cert if the other cert fields are also defined. So I think there are a few options here: you could upgrade to v2.101.x to fix this issue, or Skip TLS certificate validation until it's appropriate to update.
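The error quoted in this thread comes from Node's TLS hostname check. The block below is an added example, not part of any post here and not Retool's code: it reproduces that check against a constructed certificate object, then shows an identity check for a Node client you control that pins the certificate's CN while leaving CA chain validation on. The CN value and the helper names (`defaultCheck`, `pinCommonName`, `pinnedTlsOptions`) are assumptions made for illustration.

```javascript
const tls = require('tls');

// Constructed sample in the shape socket.getPeerCertificate() returns:
// a server cert whose CN is "<project>:<instance>" and that has no
// subjectAltName, like the certificate named in the error above.
const cloudSqlStyleCert = {
  subject: { CN: 'example-project:example-instance' }, // constructed value
  subjectaltname: undefined,
};

// Node's default identity check, as run when a client dials `hostname`.
// Returns 'ok' or the error message the client would surface.
function defaultCheck(hostname, cert) {
  const err = tls.checkServerIdentity(hostname, cert);
  return err ? err.message : 'ok';
}

// Replacement identity check: accept the peer only if its CN equals the
// pinned value. tls.connect() calls it after the chain has been verified.
function pinCommonName(expectedCn) {
  return (hostname, cert) => {
    const cn = cert && cert.subject && cert.subject.CN;
    if (cn === expectedCn) return undefined; // undefined means "accepted"
    return new Error(
      `Server cert CN ${JSON.stringify(cn)} does not match pinned CN ` +
      `${JSON.stringify(expectedCn)} (dialed host: ${hostname})`);
  };
}

// Options for tls.connect(): the CA is still enforced and only the
// hostname comparison is swapped for the CN pin.
function pinnedTlsOptions(caPem, expectedCn) {
  return {
    ca: caPem,
    rejectUnauthorized: true, // keep chain validation on
    checkServerIdentity: pinCommonName(expectedCn),
  };
}

// Default check: the hostname mismatch reported in the thread.
console.log(defaultCheck('localhost', cloudSqlStyleCert));
// Pinned check: accepted for the expected CN, rejected for any other.
const check = pinCommonName('example-project:example-instance');
console.log(check('localhost', cloudSqlStyleCert) === undefined);
console.log(check('localhost', { subject: { CN: 'other:db' } }).message);
```

Unlike skipping certificate validation, this still rejects a certificate that does not chain to the supplied CA or that carries a different CN.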
Thank you for trying. If you check "Connect using SSL", it should give you an input field for "SSL Host". Can you enter your host in this "host" field?
As for logs, we don't have access to any of your logs, but you can view them on your own containers!
@victoria hmm the input form doesn't seem to have any field for "SSL Host" (I do have Connect using SSL checked). There is the "Host" field but not "SSL host". Do I need a hard refresh or something?
@victoria not sure if I can DM you (can't find that feature in here) but our workspace is https://workwhile.retool.com/ so hopefully that lets you pull up the account info
Ah, I may need to enable a flag for you until we figure out a more permanent solution. Just enabled it! Would you mind refreshing your resource to see if the field shows up?