Postgres SSL installation issues

palex · February 5, 2023, 12:27am

same issue. Did you guys fix it? thank you

victoria · February 13, 2023, 2:21am

Hey @palex! Yup, a fix for this went out in Retool version 2.106. Would checking "Verify CA Certificate" work for you?

Gregory_Keys · February 20, 2023, 7:03pm

we have the same issue, is this the only fix for Google SQL, Verify CA does work, but obviously we want the highest security.

Is verify CA enough or is there more we can do in order to implement full verification?

victoria · February 22, 2023, 2:34am

Hey @Gregory_Keys, that should be enough! Is there a specific aspect you’re concerned about? Happy to ask our security team for more details

Gregory_Keys · February 22, 2023, 6:33pm

I suppose that it should be enough since the ip's are also white listed, I can't think of a scenario where it poses any additional risk for us.

it might be worth asking your team if they can think of anything, ultimately we just want to make sure we are doing everything we can do to reduce any risk, if that means a little more work on our end in order to do full verification we're happy to do that, but if its just not possible and the only option is Verify CA, then that should be sufficient.

victoria · February 25, 2023, 7:04am

Sounds like verifying CA should be more than enough! I brought your concerns to our security and infra teams and that seems to be the consensus. Do you have any other specific questions or concerns?

Cole_Diffin · May 6, 2024, 9:27pm

For anyone else that stumbles across this issue in the future, Specifically with GCP postgres, there is some semantics with validating the hostname in the certificate that need to be dealt with.

pg with google cloud postgres · Issue #79 · brianc/node-postgres-docs · GitHub talks through the issue in quite some details (Its likely that retool is using node-pg under the hood, but i've not confirmed this, regardless the issue is still valid about validating the hostname)

I came across a Retool environment variable that seems to help me - I can only elaborate on how it works, as I cant find any docs for the variable (asked a question, got no responses Is there any documentation for additional environment variables)

I've set POSTGRES_CUSTOM_SSL_CERT_ALTNAME_REGEX=".*" on my self hosted retool and it allows the connection to succeed. (Of course, this is only applicable for self hosted.)

Hopefully this info helps someone in future.