Postgres SSL installation issues

Definitely understood! Let me check

Ah ok, I think I see the problem! It looks like there was a bug in v2.100.7 (fixed in v2.101.x), which only reads in the CA cert if the other cert fields are also defined. So I think there are a few options here: you could upgrade to v2.101.x to fix this issue, or skip TLS certificate validation until it's appropriate to update.

Let me know if this worked for you! If not, there are a couple other things we can try :slight_smile:

@victoria hi, I am one of @abisek's colleagues.

I re-tried this on Retool version 2.103.2 but I still get the same error. Would it be possible to look at logs and see what failed this time?

Hi @amoljain :slight_smile: nice to meet you!

Thank you for trying. If you check “Connect using SSL”, it should give you an input field for “SSL Host”. Can you enter your host in this "host" field?

As for logs, we don’t have access to any of your logs, but you can view them on your own containers!

@victoria hmm the input form doesn't seem to have any field for "SSL Host" (I do have Connect using SSL checked). There is the "Host" field but not "SSL host". Do I need a hard refresh or something?

Hmm maybe I need to enable a flag for y’all since you’re on prem (I believe).

Would you mind DM’ing me the last 4 digits of your license key to make sure I enable the flag for the right org? Thank you! :pray:

@victoria not sure if I can DM you (can't find that feature in here), but our workspace is https://workwhile.retool.com/ so hopefully that lets you pull up the account info.

That's the second time I've heard that today :thinking: Thanks for letting me know.

Flag enabled, thank you for sending that over! Could you check your resource setup page once more for the "Connect using SSL" field?

Hey team!

We are having the same issue on Retool (cloud). Running a SQL connection to Postgres via SSL to GCP.

"Unable to connect. Error: Hostname/IP does not match certificate's altnames: Host: localhost. is not cert's CN:"

I have (grimace) disabled TLS validation for now.

Hey @matthewjemhr! Eesh :see_no_evil: Will ping the engineers working on this.

Just to double check, have you added your Host in the SSL Host field?

Hi Victoria,

I don't seem to have that option.

Ah, I may need to enable a flag for you until we figure out a more permanent solution. Just enabled it! Would you mind refreshing your resource to see if the field shows up?

Same issue. Did you guys fix it? Thank you.

Hey @palex! Yup, a fix for this went out in Retool version 2.106. Would checking "Verify CA Certificate" work for you?

We have the same issue. Is this the only fix for Google SQL? Verify CA does work, but obviously we want the highest security.

Is verify CA enough or is there more we can do in order to implement full verification?

Hey @Gregory_Keys, that should be enough! Is there a specific aspect you’re concerned about? Happy to ask our security team for more details

I suppose that it should be enough since the IPs are also whitelisted; I can't think of a scenario where it poses any additional risk for us.

It might be worth asking your team if they can think of anything. Ultimately we just want to make sure we are doing everything we can to reduce any risk; if that means a little more work on our end in order to do full verification, we're happy to do that, but if it's just not possible and the only option is Verify CA, then that should be sufficient.

Sounds like verifying CA should be more than enough! I brought your concerns to our security and infra teams and that seems to be the consensus. Do you have any other specific questions or concerns?

For anyone else that stumbles across this issue in the future, specifically with GCP Postgres, there are some semantics around validating the hostname in the certificate that need to be dealt with.

pg with google cloud postgres · Issue #79 · brianc/node-postgres-docs · GitHub talks through the issue in quite some detail (it's likely that Retool is using node-pg under the hood, but I've not confirmed this; regardless, the issue is still valid about validating the hostname).

I came across a Retool environment variable that seems to help me. I can only elaborate on how it works, as I can't find any docs for the variable (I asked a question, "Is there any documentation for additional environment variables", and got no responses).

I've set POSTGRES_CUSTOM_SSL_CERT_ALTNAME_REGEX=".*" on my self-hosted Retool and it allows the connection to succeed. (Of course, this is only applicable for self-hosted.)

Hopefully this info helps someone in future.
