MySQL+SSL: "Error: unable to get local issuer certificate"

We are trying to connect to a PlanetScale MySQL database over SSL. They use SSL certificates that are signed by commonly available root certificates, so we should be able to verify the certificates without needing to trust them. We want to avoid trusting self-signed certificates since that opens up a man-in-the-middle attack vulnerability. However, when we attempt to connect with SSL enabled, we get this error: "Error: unable to get local issuer certificate"

Is Retool providing a certificate bundle? How can we connect over SSL using the OS-provided root certificates to guarantee trust?

Thanks!

In case it's helpful, PlanetScale's connection docs are here: Connecting to PlanetScale securely - Documentation - PlanetScale

(It's pretty standard MySQL+SSL configuration.)

Hi @ptr :wave: thanks for reaching out with this!

After looking into this more, I've been able to successfully connect to my own PlanetScale database instance by checking the Allow self-signed certificates option (not the Use a self-signed certificate option) on the resource setup page; my working configuration looks like this:

Just to further confirm: would this particular approach suit your use case? Or are there strict security policies within your environment that would prohibit you from enabling this setting in particular?

Unfortunately, no. As I understand, this disables certificate chain checking. In order to connect Retool to our production database, we need to verify the certificate chain. With our other tools, we're either able to specify the cacert path or it's configured by default. It seems Retool doesn't provide any root certificates to its MySQL client so we have no way of verifying validity.

For example, from the command line, this is the type of configuration we'd need. This seems like basic security Retool could offer using the certificate bundle that ships on whatever app server platform you're using, I'd hope. :pray:

mysql --ssl-mode=VERIFY_IDENTITY --ssl-ca=/etc/ssl/certs/ca-certificates.crt

Hi, I'm currently investigating if we can start using Retool, and not being able to establish a secure connection between our PlanetScale database and Retool would be a blocker.

Are there any updates on this? @luke-phillippi do you know if what Ptr suggested in his last post is something that's on the roadmap?

Hi there,
Just checking if there's any update on this one?

I notice the 'allow self-signed certificates' option isn't even visible any more so there is no workaround here.

Many thanks,
Yahia

Hey @yka! Happy to help here. Are you running into any specific errors? Would you mind sharing a screenshot of your current resource setup page (feel free to redact any secrets)? Thank you!

Hi @victoria , thanks for the response :slight_smile:

I'm getting an 'unable to get local issuer certificate' error, even though when I connected locally using TablePlus it works fine.

The solution above suggested selecting 'Use a self-signed certificate', but I don't see that option.

You can see Retool's docs here: Connect any application to PlanetScale — PlanetScale Documentation

Thanks, Y

Of course!

Hmm, quick question! It looks like you have “Connect using SSL” but you didn’t provide any certificates (certs). Do you see the same error if you uncheck that SSL box?