Hello Retool team,
Following up from an "[Action Required] Retool SSL/TLS Update" we received.
When testing a connection to the databases and using the "Full verification" mode, we get a verification error.
For example, for one of our Postgres instances, the error is "Unable to connect. Error: Hostname/IP does not match certificate's altnames: Host: localhost. is not cert's CN......"
- This database is a Cloud SQL instance in GCP, already with SSL Encryption enforced.
- We are using Retool Cloud
Is there any additional setting in Retool we can apply to resolve this? We need a secure connection from Retool to our database.
Are you using a domain name or IP address to reference your Postgres instance? I am not following why `localhost` would be referenced (per that message).
We are using an IP address to reference the Postgres instance.
In that case there is no way to have the certificate match names or alternative name lists as the certificate will only list host/domain names, not IP Addresses.
Hey! For a little more context here - does the connection work if you select "Verify CA Certificate" instead of "Full verification"?
Changing to "Verify CA Certificate" actually works!
What's the difference between the two verification modes?
I admittedly am not the most versed in this but you can see a table of Postgres verification modes here. The main applicable difference here between "Verify CA Certificate" and "Full verification" is that the latter also checks for a host match (here are some of our docs). Depending on how you're connecting you might see a mismatch in the hostname, for instance connecting via an SSH bastion host might cause it to show up as `localhost` instead of one of the aliases provided on the certificate.
There are some more docs here that might be helpful as well. Hopefully, that helps shed some light on things, feel free to ask more questions as they come up!
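
The host-match step discussed in this thread can be reproduced offline with Node's `tls.checkServerIdentity`, which produces the same "Hostname/IP does not match certificate's altnames" error. This is an added example, not part of the thread and not Retool's code; the certificate objects and names are constructed, and the mapping of the two modes onto TLS options is an assumption about how a Node client would implement them.

```javascript
const tls = require('node:tls');

// Constructed certificates in the shape Node passes to checkServerIdentity.
// All names are made up for this example.
const CN_ONLY_CERT = { subject: { CN: 'example-project:example-instance' } };
const DNS_SAN_CERT = {
  subject: { CN: 'db.example.internal' },
  subjectaltname: 'DNS:db.example.internal',
};

// Assumed mapping: 'verify-ca' ~ "Verify CA Certificate",
// 'verify-full' ~ "Full verification". Both validate the chain against the CA;
// only verify-full keeps Node's default identity (host match) check.
function tlsOptionsFor(mode) {
  if (mode === 'verify-ca') {
    return { rejectUnauthorized: true, checkServerIdentity: () => undefined };
  }
  if (mode === 'verify-full') {
    return { rejectUnauthorized: true, checkServerIdentity: tls.checkServerIdentity };
  }
  throw new Error(`unknown mode: ${mode}`);
}

// Returns null when the identity step passes, or the error message when it fails.
function identityCheck(mode, host, cert) {
  const err = tlsOptionsFor(mode).checkServerIdentity(host, cert);
  return err ? err.message : null;
}

// Host values as the client sees them: a tunnel endpoint, a raw IP, a DNS name.
const cases = [
  ['verify-full', 'localhost', CN_ONLY_CERT],
  ['verify-full', '203.0.113.10', CN_ONLY_CERT],
  ['verify-ca', 'localhost', CN_ONLY_CERT],
  ['verify-full', 'db.example.internal', DNS_SAN_CERT],
];
for (const [mode, host, cert] of cases) {
  console.log(mode, host, '->', identityCheck(mode, host, cert) ?? 'ok');
}
```

With verify-ca the chain is still validated, but any server holding a certificate from the same CA is accepted, so the host match is what ties the connection to one specific instance.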