Can't connect to RDS database due to SSL #489

Open
opened 2026-02-04 19:52:45 +03:00 by OVERLORD · 15 comments

Originally created by @sleao on GitHub (Apr 28, 2024).

Hi, I'm trying to use Planka with an RDS Postgres and I can't seem to figure out how to set up SSL. I tried everything from #696 and it still won't connect. Sometimes I get the `error: error: no pg_hba.conf entry for host "xxx.xxx.xxx.xxx", user "kanban", database "planka", no encryption` error message and other times, this:

```
node:internal/process/promises:288
            triggerUncaughtException(err, true /* fromPromise */);
            ^
Error: self-signed certificate in certificate chain
    at TLSSocket.onConnectSecure (node:_tls_wrap:1659:34)
    at TLSSocket.emit (node:events:517:28)
    at TLSSocket._finishInit (node:_tls_wrap:1070:8)
    at ssl.onhandshakedone (node:_tls_wrap:856:12) {
  code: 'SELF_SIGNED_CERT_IN_CHAIN'
}
Node.js v18.20.2
```

Any ideas on what to do here? This is what my variables look like:

  • BASE_URL=http://localhost:3000
  • DATABASE_URL=postgresql://planka:password@host/planka?ssl=true
  • SECRET_KEY=secretkey
  • PGSSLMODE=require

@daniel-hiller commented on GitHub (Apr 29, 2024):

Hi,
You are using a self-signed certificate.
You have to use this variable too:

```
- KNEX_REJECT_UNAUTHORIZED_SSL_CERTIFICATE=false
```


@sleao commented on GitHub (Apr 29, 2024):

> Hi, You are using a self-signed certificate. You have to use this variable too:
>
> - KNEX_REJECT_UNAUTHORIZED_SSL_CERTIFICATE=false

That didn't work, I'm still getting the "SELF_SIGNED_CERT_IN_CHAIN" error.


@daniel-hiller commented on GitHub (Apr 29, 2024):

Can you test the connection to the db host using the CLI?

`psql -d "dbname=postgres sslmode=require" -h psql.example.com -U postgres`

You need to install the psql client first: `apt install postgresql-client`


@sleao commented on GitHub (Apr 29, 2024):

> Can you test the connection to the db host using the CLI?
>
> `psql -d "dbname=postgres sslmode=require" -h psql.example.com -U postgres`
>
> You need to install the psql client first: `apt install postgresql-client`

Yes I can, I can also connect via Beekeeper and pgadmin, if that helps.


@daniel-hiller commented on GitHub (Apr 29, 2024):

Okay, give me a bit of time, I will install PostgreSQL with SSL to test.


@sleao commented on GitHub (Apr 29, 2024):

If you need some help, let me know, we can work this out together.


@hayka-pacha commented on GitHub (Jun 1, 2024):

Hi @sleao,

I could connect to my RDS with `dburl:` as the value in the Helm chart, with this connection string: `"postgres://<user>:<password>@<rds_endpoint>:5432/planka?sslmode=disable&connect_timeout=10"`

My settings from RDS are just adding a custom parameter group with `rds.force_ssl=0` and restarting the RDS to apply the changes.
Check this [link](https://stackoverflow.com/questions/76899023/rds-while-connection-error-no-pg-hba-conf-entry-for-host) for more information.

After that, I just got `(process:20): VIPS-WARNING **: 13:11:31.773: threads clipped to 1024`, but if my container restarts the data is still there.

I hope it will help!


@AlexShku commented on GitHub (Aug 6, 2024):

Hello! I have a similar issue. I'm trying to install on ECS Fargate. https://github.com/plankanban/planka/discussions/841
Tried different options but cannot connect to RDS and my log is empty. All security groups are open for all traffic.


@sleao commented on GitHub (Aug 12, 2024):

Besides the idea @whims-services gave, which is a big no no for me, I couldn't figure this one out and ended up giving up on setting this up. I spent hours reading every doc from the libs planka uses to connect to postgres and couldn't figure out what was going wrong.

The error looks the same as if you weren't actually using SSL, but even with hardcoded options, it would still fail to connect. You can try and set up your own Postgres with docker, I guess.


@sgkohata commented on GitHub (Jan 7, 2025):

`&sslrootcert=/var/www/planka/server/ap-northeast-1-bundle.pem`

`npm run db:init` -> success
`npm start --prod` -> error

```
2025-01-07 00:47:02 [E] A hook (`orm`) failed to load!
2025-01-07 00:47:02 [E] Failed to lift app: `getConnection` failed ("failed"). Could not acquire a connection to the database using the specified manager.
Additional data:

{
  error: Error: self-signed certificate in certificate chain
      at TLSSocket.onConnectSecure (node:_tls_wrap:1659:34)
      at TLSSocket.emit (node:events:517:28)
      at TLSSocket._finishInit (node:_tls_wrap:1070:8)
      at ssl.onhandshakedone (node:_tls_wrap:856:12) {
    code: 'SELF_SIGNED_CERT_IN_CHAIN'
  },
  meta: undefined
}
2025-01-07 00:47:02 [E] More details (raw):
```


@umut-akkaya commented on GitHub (Mar 5, 2025):

You can bypass the verification of self-signed certificates by setting `NODE_TLS_REJECT_UNAUTHORIZED` to `0`. However, this is not an optimal and secure approach. I think planka should support the AWS created RDS certificates. @daniel-hiller @meltyshev


@sleao commented on GitHub (Mar 21, 2025):

I haven't tested this yet, because I gave up on setting this up. But I have a theory that might help if anyone finds this Issue and is willing to try. You need to set up a custom domain for RDS using a Network Load Balancer, probably the same way they instruct to do [here](https://aws.amazon.com/pt/blogs/compute/creating-static-custom-domain-endpoints-with-amazon-mq/).

You can then generate an SSL certificate for the custom domain using something like Certbot and assign that certificate to the network load balancer and it should work. As I said, I haven't tested it, but it makes sense.


@sgkohata commented on GitHub (Mar 21, 2025):

Success.
Get https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem
-> save anywhere

.env

```
DATABASE_URL=postgresql://{user}:{pass}@{aws.rds}/{database}?ssl=true&sslmode=prefer&sslcert={your.crt}&sslkey={your.key}&sslrootcert={path}/global-bundle.pem
```

Now can connect to aws postgresql16.6


@madduck commented on GitHub (Jun 5, 2025):

I am failing at this. I've tried setting that KNEX variable, and removing all `ssl*` parameters from the connection string. Unfortunately, this still either yields a self-signed certificate error, or tries to access the database without SSL (which the database rejects).

I've also tried:

```
postgresql://planka:password@postgres/planka?sslmode=require&sslrootcert=/etc/ssl/certs/postgres.pem&ssl=true
```

but again, the connection is rejected by the database for not using SSL.

I can connect using psql just fine.


@shimisnow commented on GitHub (Jan 5, 2026):

@madduck Try this:

```yml
- DATABASE_URL=postgresql://user:$${DATABASE_PASSWORD}@database.domain:5432/planka?ssl=true
- DATABASE_PASSWORD__FILE=/run/secrets/PLANKA_DATABASE_PASSWORD
- PGSSLMODE=require
- NODE_EXTRA_CA_CERTS=/path/to/root_ca.crt
- KNEX_REJECT_UNAUTHORIZED_SSL_CERTIFICATE=false
```

It was the only way I got to use a self-signed cert with a Postgres that only accepts SSL (no fallback).
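
Added example (not part of any comment above and not Planka's code): a small Node.js check that classifies the TLS posture implied by the configurations posted in this thread, separating "trust the CA bundle" from "turn verification off". It assumes `KNEX_REJECT_UNAUTHORIZED_SSL_CERTIFICATE=false` maps to the driver's `rejectUnauthorized=false` and that the driver honours `sslrootcert`; the function name, hostnames and paths are constructed.

```javascript
// Added example, not Planka code. Classifies the TLS posture implied by a
// DATABASE_URL plus environment, using the variables named in this thread.
// Assumptions: KNEX_REJECT_UNAUTHORIZED_SSL_CERTIFICATE=false maps to the
// driver's rejectUnauthorized=false, and the driver honours sslrootcert.
function auditDbTls(env) {
  const params = new URL(env.DATABASE_URL).searchParams;
  const sslmode = params.get('sslmode') || env.PGSSLMODE || '';
  const findings = [];

  // Step 1: is TLS requested at all? sslmode wins over the bare ssl flag.
  const tlsOn = sslmode ? sslmode !== 'disable' : params.get('ssl') === 'true';
  if (!tlsOn) {
    findings.push('TLS is off: queries and results cross the network unencrypted');
    return { verdict: 'plaintext', findings };
  }

  // Step 2: is certificate verification switched off anywhere?
  if (env.NODE_TLS_REJECT_UNAUTHORIZED === '0') {
    findings.push('NODE_TLS_REJECT_UNAUTHORIZED=0 disables certificate checks for every TLS connection in the process');
  }
  if (String(env.KNEX_REJECT_UNAUTHORIZED_SSL_CERTIFICATE).toLowerCase() === 'false') {
    findings.push('KNEX_REJECT_UNAUTHORIZED_SSL_CERTIFICATE=false: the database certificate is not checked');
  }

  // Step 3: is a CA bundle supplied so a private CA can be trusted explicitly?
  const ca = params.get('sslrootcert') || env.NODE_EXTRA_CA_CERTS || null;
  if (findings.length > 0) {
    if (ca) findings.push(`CA bundle ${ca} cannot protect the connection while verification is off`);
    return { verdict: 'encrypted-unverified', findings };
  }
  if (!ca) findings.push('no CA bundle: a certificate issued by a private CA will be rejected');
  return { verdict: ca ? 'verified-custom-ca' : 'verified-default-trust', findings };
}

// Constructed samples modelled on the configurations posted in the thread.
const SAMPLES = {
  sslDisabled: { DATABASE_URL: 'postgres://user:pw@db.example.internal:5432/planka?sslmode=disable' },
  verifyOff: {
    DATABASE_URL: 'postgresql://planka:pw@db.example.internal/planka?ssl=true',
    PGSSLMODE: 'require',
    NODE_EXTRA_CA_CERTS: '/path/to/root_ca.crt',
    KNEX_REJECT_UNAUTHORIZED_SSL_CERTIFICATE: 'false',
  },
  caBundle: {
    DATABASE_URL: 'postgresql://planka:pw@db.example.internal/planka?ssl=true&sslrootcert=/etc/ssl/global-bundle.pem',
    PGSSLMODE: 'require',
  },
};
for (const [name, env] of Object.entries(SAMPLES)) console.log(name, auditDbTls(env));
```

Only the `caBundle` sample ends up with the server certificate actually checked; the `verifyOff` sample is encrypted but would accept any certificate, even though a CA file is configured.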

Reference: starred/planka#489