starred/planka
1
0
Fork 0
mirror of https://github.com/plankanban/planka.git synced 2026-02-25 03:14:50 +03:00
Code Issues 396 Packages Projects Releases 16 Wiki Activity

External Postgresql (AWS RDS) does not connect properly #471

New Issue
Closed
opened 2026-02-04 19:46:57 +03:00 by OVERLORD · 2 comments
OVERLORD commented 2026-02-04 19:46:57 +03:00
Owner
Copy Link

Originally created by @DrPersico on GitHub (Apr 10, 2024).

I'm trying to use Planka with an external PostgreSQL 16.1 server that is hosted in AWS RDS, however, it seems I've come across what appears to be the same issue mentioned in: External Postgresql with SSL does not connect properly #494

I have no issues connecting to PostgreSQL via PgAdmin4.

Here's my Docker-compose.yml

version: '3'

services:
  planka:
    image: planka:latest
    restart: on-failure
    volumes:
      - user-avatars:/app/public/user-avatars
      - project-background-images:/app/public/project-background-images
      - attachments:/app/private/attachments
    ports:
      - 3000:1337
    environment:
      - BASE_URL=http://localhost:3000
      - DATABASE_URL=postgresql://user:password@postgres-db.xxxxxx.eu-west-1.rds.amazonaws.com:5321/planka?ssl=true&sslmode=required&sslrootcert=/app/db/global-bundle.pem
      - SECRET_KEY=xxxxxxxxxxxxxxxx
      # - TRUST_PROXY=0
      # - TOKEN_EXPIRES_IN=365 # In days

      # related: https://github.com/knex/knex/issues/2354
      # As knex does not pass query parameters from the connection string we
      # have to use environment variables in order to pass the desired values, e.g.
      # - PGSSLMODE=required

      # Configure knex to accept SSL certificates
      # - KNEX_REJECT_UNAUTHORIZED_SSL_CERTIFICATE=false

      # - DEFAULT_ADMIN_EMAIL=demo@demo.demo # Do not remove if you want to prevent this user from being edited/deleted
      # - DEFAULT_ADMIN_PASSWORD=demo
      # - DEFAULT_ADMIN_NAME=Demo Demo
      # - DEFAULT_ADMIN_USERNAME=demo

      # - OIDC_ISSUER=
      # - OIDC_CLIENT_ID=
      # - OIDC_CLIENT_SECRET=
      # - OIDC_SCOPES=openid email profile
      # - OIDC_ADMIN_ROLES=admin
      # - OIDC_EMAIL_ATTRIBUTE=email
      # - OIDC_NAME_ATTRIBUTE=name
      # - OIDC_USERNAME_ATTRIBUTE=preferred_username
      # - OIDC_ROLES_ATTRIBUTE=groups
      # - OIDC_IGNORE_USERNAME=true
      # - OIDC_IGNORE_ROLES=true
      # - OIDC_ENFORCED=true

      # Email Notifications (https://nodemailer.com/smtp/)
      # - SMTP_HOST=
      # - SMTP_PORT=587
      # - SMTP_SECURE=true
      # - SMTP_USER=
      # - SMTP_PASSWORD=
      # - SMTP_FROM="Demo Demo" <demo@demo.demo>

      # - SLACK_BOT_TOKEN=
      # - SLACK_CHANNEL_ID=

volumes:
  user-avatars:
  project-background-images:
  attachments:
  db-data:

Error:

planka-master2-planka-1  | debug: It looks like your "sails.config.sockets.onlyAllowOrigins" array only includes
planka-master2-planka-1  | debug: references to the "localhost" origin.  This is completely valid, but be sure
planka-master2-planka-1  | debug: to add any other origins to this list that you'd like to accept socket
planka-master2-planka-1  | debug: connections from!
planka-master2-planka-1  | debug: 
planka-master2-planka-1  | 2024-04-10 09:35:11 [E] A hook ("orm") failed to load!
planka-master2-planka-1  | 2024-04-10 09:35:11 [E] Failed to lift app: "getConnection" failed ("failed").  Could not acquire a connection to the database using the specified manager.
planka-master2-planka-1  | Additional data:
planka-master2-planka-1  | 
planka-master2-planka-1  | {
planka-master2-planka-1  |   error: error: no pg_hba.conf entry for host "xxx.xxx.xxx.xxx", user "kanban", database "planka", no encryption
planka-master2-planka-1  |       at Parser.parseErrorMessage (/app/node_modules/.pnpm/pg-protocol@1.5.0/node_modules/pg-protocol/dist/parser.js:287:98)
planka-master2-planka-1  |       at Parser.handlePacket (/app/node_modules/.pnpm/pg-protocol@1.5.0/node_modules/pg-protocol/dist/parser.js:126:29)
planka-master2-planka-1  |       at Parser.parse (/app/node_modules/.pnpm/pg-protocol@1.5.0/node_modules/pg-protocol/dist/parser.js:39:38)
planka-master2-planka-1  |       at Socket.<anonymous> (/app/node_modules/.pnpm/pg-protocol@1.5.0/node_modules/pg-protocol/dist/index.js:11:42)
planka-master2-planka-1  |       at Socket.emit (node:events:517:28)
planka-master2-planka-1  |       at addChunk (node:internal/streams/readable:368:12)
planka-master2-planka-1  |       at readableAddChunk (node:internal/streams/readable:341:9)
planka-master2-planka-1  |       at Readable.push (node:internal/streams/readable:278:10)
planka-master2-planka-1  |       at TCP.onStreamRead (node:internal/stream_base_commons:190:23) {
planka-master2-planka-1  |     length: 163,
planka-master2-planka-1  |     severity: 'FATAL',
planka-master2-planka-1  |     code: '28000',
planka-master2-planka-1  |     detail: undefined,
planka-master2-planka-1  |     hint: undefined,
planka-master2-planka-1  |     position: undefined,
planka-master2-planka-1  |     internalPosition: undefined,
planka-master2-planka-1  |     internalQuery: undefined,
planka-master2-planka-1  |     where: undefined,
planka-master2-planka-1  |     schema: undefined,
planka-master2-planka-1  |     table: undefined,
planka-master2-planka-1  |     column: undefined,
planka-master2-planka-1  |     dataType: undefined,
planka-master2-planka-1  |     constraint: undefined,
planka-master2-planka-1  |     file: 'auth.c',
planka-master2-planka-1  |     line: '542',
planka-master2-planka-1  |     routine: 'ClientAuthentication'
planka-master2-planka-1  |   },
planka-master2-planka-1  |   meta: undefined
planka-master2-planka-1  | }
planka-master2-planka-1  | 
planka-master2-planka-1  | 2024-04-10 09:35:11 [E] More details (raw):

I've tried the following:

  • Uncomment and set PGSSLMODE to allow, required, and no-verify.
  • Uncomment and set KNEX_REJECT_UNAUTHORIZED_SSL_CERTIFICATE to false.
  • Uncomment ssl: true in server/config/env/production.js.
  • Tried on different machines
Originally created by @DrPersico on GitHub (Apr 10, 2024). I'm trying to use Planka with an external PostgreSQL 16.1 server that is hosted in AWS RDS, however, it seems I've come across what appears to be the same issue mentioned in: _External Postgresql with SSL does not connect properly #494_ I have no issues connecting to PostgreSQL via PgAdmin4. Here's my Docker-compose.yml ``` version: '3' services: planka: image: planka:latest restart: on-failure volumes: - user-avatars:/app/public/user-avatars - project-background-images:/app/public/project-background-images - attachments:/app/private/attachments ports: - 3000:1337 environment: - BASE_URL=http://localhost:3000 - DATABASE_URL=postgresql://user:password@postgres-db.xxxxxx.eu-west-1.rds.amazonaws.com:5321/planka?ssl=true&sslmode=required&sslrootcert=/app/db/global-bundle.pem - SECRET_KEY=xxxxxxxxxxxxxxxx # - TRUST_PROXY=0 # - TOKEN_EXPIRES_IN=365 # In days # related: https://github.com/knex/knex/issues/2354 # As knex does not pass query parameters from the connection string we # have to use environment variables in order to pass the desired values, e.g. # - PGSSLMODE=required # Configure knex to accept SSL certificates # - KNEX_REJECT_UNAUTHORIZED_SSL_CERTIFICATE=false # - DEFAULT_ADMIN_EMAIL=demo@demo.demo # Do not remove if you want to prevent this user from being edited/deleted # - DEFAULT_ADMIN_PASSWORD=demo # - DEFAULT_ADMIN_NAME=Demo Demo # - DEFAULT_ADMIN_USERNAME=demo # - OIDC_ISSUER= # - OIDC_CLIENT_ID= # - OIDC_CLIENT_SECRET= # - OIDC_SCOPES=openid email profile # - OIDC_ADMIN_ROLES=admin # - OIDC_EMAIL_ATTRIBUTE=email # - OIDC_NAME_ATTRIBUTE=name # - OIDC_USERNAME_ATTRIBUTE=preferred_username # - OIDC_ROLES_ATTRIBUTE=groups # - OIDC_IGNORE_USERNAME=true # - OIDC_IGNORE_ROLES=true # - OIDC_ENFORCED=true # Email Notifications (https://nodemailer.com/smtp/) # - SMTP_HOST= # - SMTP_PORT=587 # - SMTP_SECURE=true # - SMTP_USER= # - SMTP_PASSWORD= # - SMTP_FROM="Demo Demo" <demo@demo.demo> # - SLACK_BOT_TOKEN= # - SLACK_CHANNEL_ID= volumes: user-avatars: project-background-images: attachments: db-data: ``` Error: ``` planka-master2-planka-1 | debug: It looks like your "sails.config.sockets.onlyAllowOrigins" array only includes planka-master2-planka-1 | debug: references to the "localhost" origin. This is completely valid, but be sure planka-master2-planka-1 | debug: to add any other origins to this list that you'd like to accept socket planka-master2-planka-1 | debug: connections from! planka-master2-planka-1 | debug: planka-master2-planka-1 | 2024-04-10 09:35:11 [E] A hook ("orm") failed to load! planka-master2-planka-1 | 2024-04-10 09:35:11 [E] Failed to lift app: "getConnection" failed ("failed"). Could not acquire a connection to the database using the specified manager. planka-master2-planka-1 | Additional data: planka-master2-planka-1 | planka-master2-planka-1 | { planka-master2-planka-1 | error: error: no pg_hba.conf entry for host "xxx.xxx.xxx.xxx", user "kanban", database "planka", no encryption planka-master2-planka-1 | at Parser.parseErrorMessage (/app/node_modules/.pnpm/pg-protocol@1.5.0/node_modules/pg-protocol/dist/parser.js:287:98) planka-master2-planka-1 | at Parser.handlePacket (/app/node_modules/.pnpm/pg-protocol@1.5.0/node_modules/pg-protocol/dist/parser.js:126:29) planka-master2-planka-1 | at Parser.parse (/app/node_modules/.pnpm/pg-protocol@1.5.0/node_modules/pg-protocol/dist/parser.js:39:38) planka-master2-planka-1 | at Socket.<anonymous> (/app/node_modules/.pnpm/pg-protocol@1.5.0/node_modules/pg-protocol/dist/index.js:11:42) planka-master2-planka-1 | at Socket.emit (node:events:517:28) planka-master2-planka-1 | at addChunk (node:internal/streams/readable:368:12) planka-master2-planka-1 | at readableAddChunk (node:internal/streams/readable:341:9) planka-master2-planka-1 | at Readable.push (node:internal/streams/readable:278:10) planka-master2-planka-1 | at TCP.onStreamRead (node:internal/stream_base_commons:190:23) { planka-master2-planka-1 | length: 163, planka-master2-planka-1 | severity: 'FATAL', planka-master2-planka-1 | code: '28000', planka-master2-planka-1 | detail: undefined, planka-master2-planka-1 | hint: undefined, planka-master2-planka-1 | position: undefined, planka-master2-planka-1 | internalPosition: undefined, planka-master2-planka-1 | internalQuery: undefined, planka-master2-planka-1 | where: undefined, planka-master2-planka-1 | schema: undefined, planka-master2-planka-1 | table: undefined, planka-master2-planka-1 | column: undefined, planka-master2-planka-1 | dataType: undefined, planka-master2-planka-1 | constraint: undefined, planka-master2-planka-1 | file: 'auth.c', planka-master2-planka-1 | line: '542', planka-master2-planka-1 | routine: 'ClientAuthentication' planka-master2-planka-1 | }, planka-master2-planka-1 | meta: undefined planka-master2-planka-1 | } planka-master2-planka-1 | planka-master2-planka-1 | 2024-04-10 09:35:11 [E] More details (raw): ``` I've tried the following: - Uncomment and set PGSSLMODE to `allow`, `required`, and `no-verify`. - Uncomment and set KNEX_REJECT_UNAUTHORIZED_SSL_CERTIFICATE to `false`. - Uncomment ssl: true in server/config/env/production.js. - Tried on different machines
OVERLORD added the help wanted label 2026-02-04 19:46:57 +03:00
OVERLORD commented 2026-02-04 19:47:17 +03:00
Author
Owner
Copy Link

@meltyshev commented on GitHub (Apr 10, 2024):

Hi! Thanks for reporting this and providing the logs. We can't test this right now because we need to register in AWS to reproduce this, but that requires providing payment information. If anyone has a way to reproduce this without registering in AWS, we'd be happy to test and find the problem.

@meltyshev commented on GitHub (Apr 10, 2024): Hi! Thanks for reporting this and providing the logs. We can't test this right now because we need to register in AWS to reproduce this, but that requires providing payment information. If anyone has a way to reproduce this without registering in AWS, we'd be happy to test and find the problem.
OVERLORD commented 2026-02-04 19:47:21 +03:00
Author
Owner
Copy Link

@tomudding commented on GitHub (Apr 14, 2024):

I have also seen this with a non-AWS PostgreSQL server that requires SSL. To fix it, we had to se PGSSLMODE to required and add ssl=true to the database URL. Having sslmode=require in the database URL does not work (and is also the reason PGSSLMODE was introduced in #404 from what I can tell).

If you do not want to set ssl=true in the database URL you will have to also set KNEX_REJECT_UNAUTHORIZED_SSL_CERTIFICATE to false such that the buildSSLConfig() will not return false (which would result in knex config having ssl: false). However, that is very bad in terms of security (you might as well disable SSL).

@tomudding commented on GitHub (Apr 14, 2024): I have also seen this with a non-AWS PostgreSQL server that requires SSL. To fix it, we had to se `PGSSLMODE` to `required` and add `ssl=true` to the database URL. Having `sslmode=require` in the database URL does not work (and is also the reason `PGSSLMODE` was introduced in #404 from what I can tell). If you do not want to set `ssl=true` in the database URL you will have to also set `KNEX_REJECT_UNAUTHORIZED_SSL_CERTIFICATE` to `false` such that the `buildSSLConfig()` will not return `false` (which would result in knex config having `ssl: false`). However, that is very bad in terms of security (you might as well disable SSL).
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
bug
documentation
documentation
duplicate
enhancement
good first issue
help wanted
pull-request
Mirrored from GitHub Pull Request
 question
wontfix
No Label help wanted
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
OVERLORD
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/planka#471
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?