SSL/TLS with SSH mismatch in hostname

Connecting to a database over an SSH tunnel with Full SSL/TLS Verification enabled may fail when you connect using a specific hostname. This is usually caused by a hostname mismatch, which throws an error similar to:

Unable to connect. Error: Hostname/IP does not match certificate's altnames: Host: localhost.

This is a general issue with using SSH and SSL/TLS together and is not specific to Retool. For example, connecting via an SSH bastion host might cause the hostname of the server in the TLS handshake to show up as localhost instead of one of the hostname aliases listed in the certificate.

To work around the certificate DNS mismatch when accessing the remote resource through an SSH tunnel:

  • Try deploying Retool on-prem so you can have your resource within your VPN
  • Spoof the hostname/localhost (generally not recommended)
  • Verify CA only
  • Skip TLS
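
The check behind this error can be reproduced offline with Node's tls.checkServerIdentity. This is an added example, not Retool's code; it shows which client settings still tie the certificate to the database's name. The certificate fields, hostnames, port and the identityError/report helpers are constructed for illustration, and how each profile maps to a Retool setting is an assumption.

```javascript
const tls = require('tls');

// Constructed certificate fields (hypothetical names), shaped like Node's peer certificate object.
const dbCert = {
  subject: { CN: 'db.example.internal' },
  subjectaltname: 'DNS:db.example.internal, DNS:db-replica.example.internal',
};
// Constructed certificate for a different server issued by the same CA.
const otherCert = {
  subject: { CN: 'other.example.internal' },
  subjectaltname: 'DNS:other.example.internal',
};

// Hypothetical local end of the SSH tunnel: the address the client actually dials.
const tunnel = { host: 'localhost', port: 15432 };

// Client option sets, using real tls.connect() option names.
const profiles = {
  fullVerify: { ...tunnel },                                      // name checked = dialed host
  verifyRealName: { ...tunnel, servername: 'db.example.internal' }, // name checked = database's own name
  caOnly: { ...tunnel, checkServerIdentity: () => undefined },    // chain still validated, name ignored
  noVerification: { ...tunnel, rejectUnauthorized: false },       // verification errors ignored
};

// Simplified model of the client's name check (not Node internals): the name
// compared against the certificate is `servername` when set, else the dialed host.
function identityError(options, cert) {
  if (options.rejectUnauthorized === false) return undefined;
  const check = options.checkServerIdentity || tls.checkServerIdentity;
  return check(options.servername || options.host, cert);
}

// Outcome of the name check for every profile against one certificate.
function report(cert) {
  const out = {};
  for (const [name, options] of Object.entries(profiles)) {
    const err = identityError(options, cert);
    out[name] = err ? err.code : 'accepted';
  }
  return out;
}

console.log(report(dbCert));    // the real database certificate
console.log(report(otherCert)); // a certificate for some other host
console.log(identityError(profiles.fullVerify, dbCert).message);
```

The second report is the one to look at: only the profile that checks the database's own name rejects the other host's certificate, while the CA-only and no-verification profiles accept it.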

Here's an article from SuperUser that helps explain this.

Retool: Connect with SSL/TLS