Postgres SSL connection

Hi all,

I am using managed Postgres by GCP and using it with an unencrypted connection. When I want to use only an SSL connection and enable it on the GCP UI, I think I also have to go and change the SSL mode to require in the chirpstack.toml file, like the following.

    dsn="postgres://username:password@$POSTGRESQL_HOST:5432/dbname?sslmode=require"

When I change it, I get the following problem:

    Error: Error occurred while creating a new object: error performing TLS handshake: invalid peer certificate: UnknownIssuer

    Caused by:
        error performing TLS handshake: invalid peer certificate: UnknownIssuer

No matter what I tried, I couldn’t solve this. Can someone help me?

Thanks,

I found this GitHub issue. It seems there is a problem with the GCP TLS connection, and the solution advised by brocaar in the link is not working.

This indicates that ChirpStack is unable to validate the server-certificate of your PostgreSQL instance. You need to obtain the CA certificate that was used to sign the server-certificate and configure this in ChirpStack:

    # PostgreSQL configuration.
    [postgresql]
      ...

      # CA certificate (optional).
      #
      # Set this to the path of the CA certificate in case you are using TLS and
      # the server-certificate is not signed by a CA in the platform certificate
      # store.
      ca_cert=""

Yes, I tried to set a CA certificate, and got the following error:

    Error: Error occurred while creating a new object: error performing TLS handshake: invalid peer certificate: NotValidForName

If you check the GitHub issue in my previous comment, another person experienced the same problem. I think there is an issue in the 4.7 version; I tried to downgrade to 4.6 and the error was gone.

v4.7 is a lot stricter with TLS certificate validation than v4.6 because the PostgreSQL library has changed.

What you could try is to use openssl from the CLI to print the TLS certificate details of your PostgreSQL instance. I’m especially interested in which hostname the TLS certificate was generated for, and whether this matches the hostname of the PostgreSQL server that you configured in your config file.
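The check suggested in the last reply, as an added example that is not part of the original thread and is not ChirpStack's own tooling: fetch the server certificate with openssl, print the names it was issued for, and test whether the host written in the dsn is among them. The function names are illustrative, and the host names and IP addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example. Function names are illustrative; host names and IPs are constructed.

# Fetch the server's leaf certificate as PEM. PostgreSQL starts TLS only after
# a plaintext SSLRequest, so s_client needs -starttls postgres (OpenSSL 1.1.1+).
pg_server_cert() {  # usage: pg_server_cert HOST [PORT]
  openssl s_client -starttls postgres -connect "$1:${2:-5432}" </dev/null 2>/dev/null |
    openssl x509 -outform PEM
}

# Print subject and subjectAltName of a PEM certificate read from stdin.
# The SAN list is the indented line, e.g. "DNS:db.example.internal, IP Address:10.0.0.5".
cert_names() {
  openssl x509 -noout -subject -ext subjectAltName
}

# Return 0 if HOST (as written in the dsn) is covered by that SAN list.
san_covers_host() {  # usage: san_covers_host "SAN_LIST" HOST
  local list="$1" host entry suffix rest
  host=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  while [ -n "$list" ]; do
    entry=${list%%,*}
    case $list in *,*) list=${list#*,} ;; *) list= ;; esac
    entry=$(printf '%s' "$entry" | sed 's/^ *//; s/ *$//' | tr '[:upper:]' '[:lower:]')
    case $entry in
      "ip address:"*)
        [ "${entry#ip address:}" = "$host" ] && return 0 ;;
      "dns:*."*)
        suffix=${entry#dns:\*}            # e.g. ".pg.example.internal"
        case $host in
          *"$suffix")
            rest=${host%"$suffix"}        # a wildcard covers one label only
            [ -n "$rest" ] && [ "${rest#*.}" = "$rest" ] && return 0 ;;
        esac ;;
      "dns:"*)
        [ "${entry#dns:}" = "$host" ] && return 0 ;;
    esac
  done
  return 1
}

# Typical use against a reachable server (not run here):
#   pg_server_cert db.example.internal | cert_names
```

If the host in the dsn is an IP address, only an `IP Address:` entry covers it; `openssl x509 -noout -checkhost NAME` (or `-checkip ADDR`) on the saved PEM gives the same answer from openssl itself.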