Self hosted retool is failing to start using Aurora Postgres DB

Self hosted retool is failing to start using Aurora Postgres DB. It works fine if the postgres is running on a sidecar. But after switching to Aurora DB, it exiting with an error. I am able to connect to the DB manually from the retool pod though.

setsid su retool_user -c /retool_backend/docker_scripts/start_api.sh
root@retool-gql--nonprod-xxx-aws-staging-use1-0:/retool_backend# not untarring the bundle
sed: can't read ./dist/mobile/*.js: No such file or directory
{"level":"info","message":"[process service types] DB_CONNECTOR, DB_SSH_CONNECTOR, MAIN_BACKEND, JOBS_RUNNER, WORKFLOW_WORKER","timestamp":"2024-02-27T21:29:05.100Z"}
Failing checking database migrations

---------------------------
-     EXITING RETOOL      -
---------------------------

Error running database migrations: SequelizeConnectionError: no pg_hba.conf entry for host "10.XXX.XX.XXX", user "admin_user", database "retooldb", no encryption

Are there any environment variables to be set for external DB connections?

Hi there @girishsu! Looking at these AWS Aurora security docs, they note that a no pg_hba.conf entry for host error will occur if your cluster has rds.force_ssl enabled and a client is attempting to connect without using SSL.

Can you try setting the following environment variables on your deployment:

POSTGRES_SSL_ENABLED=true
POSTGRES_SSL_REJECT_UNAUTHORIZED=true

The Retool Docker images includes the AWS certificate bundle built-in.

Thanks @shawntax. Tried setting the postgres env variables.

Now I see - Error running database migrations: SequelizeConnectionError: unable to get local issuer certificate

I am using tryretool/backend:3.28.4

Retool team, Any updates on this issue? We wan't to address this ASAP or we have to roll back the changes.

@shawntax

Similar issue

Setting ENV POSTGRES_SSL_REJECT_UNAUTHORIZED=false in the Dockerfile resolved the issue. was the resolution provided. Is this recommended?

cc: @victoria

@girishsu hmm, first can you try adding the following environment variable as well:

NODE_EXTRA_CA_CERTS=certs/global-bundle.pem

This attempts to explicitly tell the Node process running Retool to add the AWS cert bundle we provide to it's known certs.

If that doesn't work, then it's worth trying to set POSTGRES_SSL_REJECT_UNAUTHORIZED=false

Thanks. This setting worked for me. I didn't try NODE_EXTRA_CA_CERTS.

@shawntax I just wanted to share I was running into the same unable to get local issuer certificate error when creating a new PostgreSQL resource with the "Verify CA Certificate" option enabled, and setting these env variables fixed it for me:

POSTGRES_SSL_ENABLED="true"
POSTGRES_SSL_REJECT_UNAUTHORIZED="true"
NODE_EXTRA_CA_CERTS="certs/global-bundle.pem"

At first I tried just the two POSTGRES_SSL_ vars, which led to the same local issuer cert error when service containers tried to start. I think adding NODE_EXTRA_CA_CERTS was the trick to getting the certificate chain working.