I am using managed Postgres by GCP and using it with an unencrypted connection. When I want to use only an SSL connection and enable it on the GCP UI, I think I also have to go and change the SSL mode to require in the chirpstack.toml file like the following.
This indicates that ChirpStack is unable to validate the server-certificate of your PostgreSQL instance. You need to obtain the CA certificate that was used to sign the server-certificate and configure this in ChirpStack:
# PostgreSQL configuration.
[postgresql]
...
# CA certificate (optional).
#
# Set this to the path of the CA certificate in case you are using TLS and
# the server-certificate is not signed by a CA in the platform certificate
# store.
ca_cert=""
Yes, I tried to set a CA certificate, and got the following error:
Error: Error occurred while creating a new object: error performing TLS handshake: invalid peer certificate: NotValidForName
If you check the GitHub issue in my previous comment, another person experienced the same problem. I think there is an issue in the 4.7 version; I tried to downgrade to 4.6 and the error was gone.
v4.7 is a lot stricter with TLS certificate validation than v4.6 because the PostgreSQL library has changed.
What you could try is to use openssl from the CLI to print the TLS certificate details of your PostgreSQL instance. I’m especially interested in which hostname the TLS certificate was generated for and whether this matches the hostname of the PostgreSQL server that you configured in your config file.
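The check suggested above, as an added example that is not part of the original thread or ChirpStack's code: it retrieves the PostgreSQL server certificate after the protocol's SSLRequest upgrade and tests whether the host configured for the connection appears among its subjectAltName entries. The matcher ignores the CN, which is an assumption about how the stricter validation behaves; the sample certificate and host names are constructed.

```python
import ipaddress
import socket
import ssl
import struct

def fetch_pg_cert(host, port, ca_file, timeout=5.0):
    """Fetch the server certificate via PostgreSQL's SSLRequest upgrade.

    The chain is verified against ca_file; hostname checking is disabled
    here only so that a mismatching certificate can still be inspected.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(struct.pack("!II", 8, 80877103))  # SSLRequest message
        if raw.recv(1) != b"S":
            raise RuntimeError("server does not accept TLS")
        with ctx.wrap_socket(raw) as tls:
            return tls.getpeercert()

def san_entries(cert):
    """Return (dns_names, ip_addresses) from a getpeercert()-style dict."""
    sans = cert.get("subjectAltName", ())
    dns = [v.lower() for k, v in sans if k == "DNS"]
    ips = [ipaddress.ip_address(v.strip()) for k, v in sans if k == "IP Address"]
    return dns, ips

def host_matches(cert, configured_host):
    """True if configured_host is covered by a SAN entry (CN is ignored)."""
    dns, ips = san_entries(cert)
    try:
        return ipaddress.ip_address(configured_host) in ips
    except ValueError:
        pass  # not an IP literal, compare as a DNS name instead
    host = configured_host.lower().rstrip(".")
    for name in dns:
        if name == host:
            return True
        # A wildcard covers exactly one leftmost label.
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False

# Constructed certificate dict in the shape ssl.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "constructed-instance-name"),),),
    "subjectAltName": (("DNS", "db.example.internal"), ("IP Address", "10.0.0.5")),
}
```

Against a live server, pass the same host, port and CA file that the ChirpStack configuration uses to `fetch_pg_cert` and feed the result to `host_matches`.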