Postgres SSL installation issues

Hey all!

I'm trying to set up Retool with a Postgres DB with SSL.
I'm stuck at this error when starting the Retool backend:

Error running database migrations: SequelizeConnectionError: Hostname/IP does not match certificate's altnames: Host: localhost. is not cert's CN: <redacted>

I've set up the container with these ENV variables as described in Environment Variables

...
POSTGRES_HOST=10.x.x.x
...
POSTGRES_SSL_ENABLED=true
POSTGRES_CUSTOM_SSL_CERT_PATH=/var/data/certs
POSTGRES_CUSTOM_SSL_CA_FILE_NAME=db-server-ca.pem
POSTGRES_CUSTOM_SSL_KEY_FILE_NAME=local-client-key.pem
POSTGRES_CUSTOM_SSL_CERT_FILE_NAME=local-client-cert.pem

I've also tested against a DB without SSL and I was able to use Retool successfully. I even added the SSL DB as a resource in the new installation and that worked fine :thinking:.

I'd note here that I only needed to provide the client cert and key when adding a resource. It did not ask for a CA. For some reason, I'm unable to get the install working with SSL.

Some env info:

  • Cloud SQL Postgres DB w/ private IP & SSL
  • Cloud Run container w/ Cloud SQL connections & VPC Connector enabled

Hi @while-loop! Thanks for this detailed write-up!

:thinking: This should be doable. I did some digging internally, but I haven't been able to narrow down the issue with this error message.

Are you still getting this error? If so, would you mind emailing us at support@retool.com so that we can discuss next steps for troubleshooting?

Hi Tess,

Also, I saw this error in my application.

If you find a solution, please notify us.

Thanks,

Can you share the environment variables that you have set on the instance? Are you using SSL? I believe that in order to use SSL for the db you have to set POSTGRES_SSL_ENABLED: true

Also, another user ran into this and their solution was to replace their GCP Postgres with a local postgres instance and create the client certificate with CN=localhost.

Let me know if either of those sound like helpful routes, or if you're still stuck! :slight_smile:

Hi Retool team, our team could use help here.

Our setup should be fairly standard as the DB is in Google Cloud Platform's Cloud SQL.

Connection/troubleshooting details:

  1. IP, password and username are correct, as I was able to test the connection successfully without SSL. This is obviously not desirable as it's a security risk.
  2. For SSL, I entered the CA Cert, Client Key, and Client Cert, but I get a similar error to the one in this post: Unable to connect. Error: Hostname/IP does not match certificate's altnames: Host: localhost. is not cert's CN: my_company_db_name_redacted:production-db
  3. I've connected to other platforms providing the certs and keys as described in step 2 and they work, so either I'm missing some config or it's a Retool issue?
  4. I've already tried POSTGRES_SSL_ENABLED: true

Hey @abisek!

This might be a bug on our end :frowning: While we work on fixing it, we have a workaround for you! If you toggle 'Skip TLS certificate validation' in your resource setup, that should allow you to connect. Alternatively, you can also use a bastion host with SSH in the meantime.

Let me know if this works for you!

Thanks @victoria.

Unfortunately, we can't skip TLS for security reasons.

Is there an ETA for the bug fix -- days, weeks, or months? I'd rather wait on it than create a bastion host which is additional maintenance for us.

Definitely understood! Let me check

Ah ok, I think I see the problem! It looks like there was a bug in v2.100.7 (fixed in v2.101.x), which only reads in the CA cert if the other cert fields are also defined. So I think there are a few options here: you could upgrade to v2.101.x to fix this issue, or Skip TLS certificate validation until it's appropriate to update.

Let me know if this worked for you! If not, there are a couple other things we can try :slight_smile:

@victoria hi, I am one of @abisek 's colleagues.

I re-tried this on Retool version 2.103.2 but I still get the same error. Would it be possible to look at logs and see what failed this time?

Hi @amoljain :slight_smile: nice to meet you!

Thank you for trying. If you check “Connect using SSL”, it should give you an input field for “SSL Host”. Can you enter your host in this "host" field?

As for logs, we don’t have access to any of your logs, but you can view them on your own containers!

@victoria hmm the input form doesn't seem to have any field for "SSL Host" (I do have Connect using SSL checked). There is the "Host" field but not "SSL host". Do I need a hard refresh or something?

Hmm maybe I need to enable a flag for y’all since you’re on prem (I believe).

Would you mind DM’ing me the last 4 digits of your license key to make sure I enable the flag for the right org? Thank you! :pray:

@victoria not sure if I can DM you (can't find that feature in here) but our workspace is https://workwhile.retool.com/ so hopefully that lets you pull up the account info

That's the second time I've heard that today :thinking: Thanks for letting me know.

Flag enabled, thank you for sending that over! Could you check your resource setup page once more for the "Connect using SSL" field?