Postgres SSL connection

Hi all,

I am using managed Postgres by GCP and using it with an unencrypted connection. When I want to use only an SSL connection and enable it on the GCP UI, I think I also have to go and change the SSL mode to the require in the chirpstack.toml file like the following.

    dsn="postgres://username:password@$POSTGRESQL_HOST:5432/dbname?sslmode=require"

When I change it, I get the following problem:

Error: Error occurred while creating a new object: error performing TLS handshake: invalid peer certificate: UnknownIssuer

Caused by:
    error performing TLS handshake: invalid peer certificate: UnknownIssuer

No matter what I tried, I couldn’t solve this, can someone help me?

Thanks,

I found this github issue, it seems there is a problem with gcp tls connection, and solution advice by brocaar in the link is not working.

This indicates that ChirpStack is unable to validate the server-certificate of your PostgreSQL instance. You need to obtain the CA certificate that was used to sign the server-certificate and configure this in ChirpStack:

# PostgreSQL configuration.
[postgresql]
  ...

  # CA certificate (optional).
  #
  # Set this to the path of the CA certificate in case you are using TLS and
  # the server-certificate is not signed by a CA in the platform certificate
  # store.
  ca_cert=""

Yes, I tried to set a CA certificate, and got the following error:

Error: Error occurred while creating a new object: error performing TLS handshake: invalid peer certificate: NotValidForName

If you check the GitHub issue in my previous comment, another person experienced the same problem. I think there is an issue in the 4.7 version, I tried to downgrade to 4.6 and the error was gone.

v4.7 is a lot stricter with TLS certificate validation than v4.6 because the PostgreSQL library has changed.

What you could try is use the openssl from the CLI to print the TLS certificate details of your PostgreSQL instance. I’m especially interested for which hostname the TLS certificate was generate and if this matches the hostname of the PostgreSQL server that you configured in your config file.

This topic was automatically closed after 90 days. New replies are no longer allowed.