I'm trying to set up Retool with a Postgres DB with SSL.
I'm stuck at this error when starting the Retool backend:
Error running database migrations: SequelizeConnectionError: Hostname/IP does not match certificate's altnames: Host: localhost. is not cert's CN: <redacted>
I've set up the container with these ENV variables as described in Environment Variables
I've also tested against a DB without SSL and I was able to use Retool successfully. I even added the SSL DB as a resource in the new installation and that worked fine.
I'd note here that I only needed to provide the client cert and key when adding a resource. It did not ask for a CA. For some reason, I'm unable to get the install working with SSL.
Some env info:
- Cloud SQL Postgres DB w/ private IP & SSL
- Cloud Run container w/ Cloud SQL connections & VPC Connector enabled
Hi @while-loop! Thanks for this detailed write-up!
This should be doable. I did some digging internally, but I haven't been able to narrow down the issue with this error message.
Are you still getting this error?
Also, I saw this error in my application.
If you find a solution, please notify us.
Can you share the environment variables that you have set on the instance? Are you using SSL? I believe that in order to use SSL for the db you have to set
Also, another user ran into this and their solution was to replace their GCP Postgres with a local Postgres instance and create the client certificate with CN=localhost.
Let me know if either of those sounds like a helpful route, or if you're still stuck!
Hi Retool team, our team could use help here.
Our setup should be fairly standard as the DB is in Google Cloud Platform's Cloud SQL.
- IP, password and username are correct as I was able to test the connection successfully without SSL. This is obviously not desirable as it's a security risk.
- For SSL, I entered the CA Cert, Client Key, and Client Cert, but I get a similar error to the one in this post:
Unable to connect. Error: Hostname/IP does not match certificate's altnames: Host: localhost. is not cert's CN: my_company_db_name_redacted:production-db
- I've connected to other platforms providing the certs and keys as described in step 2 and they work, so either I'm missing some config or it's a Retool issue?
- I've already tried
This might be a bug on our end. While we work on fixing it, we have a workaround for you! If you toggle 'Skip TLS certificate validation' in your resource setup, that should allow you to connect. Alternatively, you can also use a bastion host with SSH in the meantime.
Let me know if this works for you!
Unfortunately, we can't skip TLS for security reasons.
Is there an ETA for the bug fix -- days, weeks, or months? I'd rather wait on it than create a bastion host which is additional maintenance for us.
Definitely understood! Let me check.
Ah ok, I think I see the problem! It looks like there was a bug in v2.100.7 (fixed in v2.101.x), which only reads in the CA cert if the other cert fields are also defined. So I think there are a few options here: you could upgrade to v2.101.x to fix this issue, or skip TLS certificate validation until it's appropriate to update.
Let me know if this worked for you! If not, there are a couple of other things we can try.
@victoria hi, I am one of @abisek's colleagues.
I re-tried this on Retool version 2.103.2 but I still get the same error. Would it be possible to look at logs and see what failed this time?
Hi @amoljain nice to meet you!
Thank you for trying. If you check “Connect using SSL”, it should give you an input field for “SSL Host”. Can you enter your host in this "host" field?
As for logs, we don’t have access to any of your logs, but you can view them on your own containers!
@victoria hmm, the input form doesn't seem to have any field for "SSL Host" (I do have "Connect using SSL" checked). There is the "Host" field but not "SSL Host". Do I need a hard refresh or something?
Hmm maybe I need to enable a flag for y’all since you’re on prem (I believe).
Would you mind DM’ing me the last 4 digits of your license key to make sure I enable the flag for the right org? Thank you!
@victoria not sure if I can DM you (can't find that feature in here), but our workspace is https://workwhile.retool.com/ so hopefully that lets you pull up the account info.
That's the second time I've heard that today. Thanks for letting me know.
Flag enabled, thank you for sending that over! Could you check your resource setup page once more for the "Connect using SSL" field?
We are having the same issue on Retool (cloud). Running a SQL connection to Postgres via SSL to GCP.
"Unable to connect. Error: Hostname/IP does not match certificate's altnames: Host: localhost. is not cert's CN:"
I have (grimace) disabled TLS validation for now.
Hey @matthewjemhr! Eesh. Will ping the engineers working on this.
Just to double check, have you added your Host in the SSL Host field?
I don't seem to have that option.
Ah, I may need to enable a flag for you until we figure out a more permanent solution. Just enabled it! Would you mind refreshing your resource to see if the field shows up?