[Bug]: UNABLE_TO_VERIFY_LEAF_SIGNATURE while trying to use planka with external postgresql #801

Open
opened 2026-02-04 21:22:29 +03:00 by OVERLORD · 2 comments

Originally created by @IeP4nieF on GitHub (Sep 2, 2025).

Where is the problem occurring?

I'm not sure

What browsers are you seeing the problem on?

Other

Current behavior

I'm trying to use planka with an external postgresql-server using SSL. The root-certificate of the CA which created the certificate for the postgresql-server is stored in /app/public/favicons/root-ca.pem. Here is my compose.yml:

```
services:
  planka:
    image: ghcr.io/plankanban/planka:2.0.0-rc.3
    container_name: planka
    restart: always
    volumes:
      - ./data/favicons:/app/public/favicons
      - ./data/user-avatars:/app/public/user-avatars
      - ./data/background-images:/app/public/background-images
      - ./data/attachments:/app/private/attachments
    environment:
      - BASE_URL=https://planka.<domain>
      - DATABASE_URL=postgres://planka:<securepostgrespw>@postgresql.<domain>/planka?ssl=true&sslrootcert=/app/public/favicons/root-ca.pem
      - SECRET_KEY=<verysecretkeyhere>
      - PGSSLMODE=require
      - KNEX_REJECT_UNAUTHORIZED_SSL_CERTIFICATE=true
```

After podman-compose up I get:

```
[planka] | 2025-09-02 13:40:57 [E] A hook (`orm`) failed to load!
[planka] | 2025-09-02 13:40:57 [E] Failed to lift app: `getConnection` failed ("failed").  Could not acquire a connection to the database using the specified manager.
[planka] | Additional data:
[planka] | 
[planka] | {
[planka] |   error: Error: unable to verify the first certificate
[planka] |       at TLSSocket.onConnectSecure (node:_tls_wrap:1679:34)
[planka] |       at TLSSocket.emit (node:events:519:28)
[planka] |       at TLSSocket._finishInit (node:_tls_wrap:1078:8)
[planka] |       at ssl.onhandshakedone (node:_tls_wrap:864:12) {
[planka] |     code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE'
[planka] |   },
[planka] |   meta: undefined
[planka] | }
[planka] | 2025-09-02 13:40:57 [E] More details (raw):
```

This happens also with nightly. As you can see I'm using podman instead of docker, but this should be no problem.

Desired behavior

planka-container should start and run without SSL error.

Steps to reproduce

Create compose.yml for use with external postgres-server and do podman-compose up (or docker-compose up).

Other information

No response

OVERLORD added the help wanted label 2026-02-04 21:22:29 +03:00

@shimisnow commented on GitHub (Jan 5, 2026):

I had a similar error. Try removing &sslrootcert=/app/public/favicons/root-ca.pem from DATABASE_URL and move it to NODE_EXTRA_CA_CERTS=app/public/favicons/root-ca.pem
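An added example, not part of any comment in this thread and not Planka's code: Node.js reads `NODE_EXTRA_CA_CERTS` once at process start and only emits a warning when the file is missing or malformed, so a wrong path shows up later as a certificate verification error. This preflight check covers both places a CA path appears in this issue; the function names `checkCaFile` and `preflight`, the sample host and the `/app` working directory are assumptions.

```javascript
const fs = require('node:fs');
const path = require('node:path');

// Matches one PEM certificate block (markers only; the body is not parsed).
const PEM_CERT = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/;

// Check a CA file path as the Node process would see it from `cwd`.
function checkCaFile(label, file, cwd) {
  const problems = [];
  const resolved = path.resolve(cwd, file);
  if (!path.isAbsolute(file)) {
    problems.push(`${label}: relative path "${file}" resolves to ${resolved}`);
  }
  try {
    const text = fs.readFileSync(resolved, 'utf8');
    if (!PEM_CERT.test(text)) {
      problems.push(`${label}: ${resolved} contains no PEM certificate`);
    }
  } catch (err) {
    problems.push(`${label}: cannot read ${resolved} (${err.code})`);
  }
  return problems;
}

// env: an object shaped like process.env; cwd: the process working directory.
function preflight(env, cwd) {
  if (!env.DATABASE_URL) return ['DATABASE_URL is not set'];
  const problems = [];
  const urlCa = new URL(env.DATABASE_URL).searchParams.get('sslrootcert');
  if (urlCa) problems.push(...checkCaFile('sslrootcert', urlCa, cwd));
  if (env.NODE_EXTRA_CA_CERTS) {
    problems.push(...checkCaFile('NODE_EXTRA_CA_CERTS', env.NODE_EXTRA_CA_CERTS, cwd));
  }
  if (!urlCa && !env.NODE_EXTRA_CA_CERTS) {
    problems.push('no private CA configured; only the default root store is trusted');
  }
  return problems;
}

// Constructed sample using the values quoted in the thread (host is made up,
// /app as working directory is an assumption).
const sampleEnv = {
  DATABASE_URL: 'postgres://planka:pw@postgresql.example/planka?ssl=true',
  NODE_EXTRA_CA_CERTS: 'app/public/favicons/root-ca.pem',
};
console.log(preflight(sampleEnv, '/app'));
```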


@IeP4nieF commented on GitHub (Jan 6, 2026):

@shimisnow: Thanks for the hint. But there is another problem with 2.0.0-rc.4 right now:

```
$ podman-compose up
[...]
[planka] | /app/node_modules/knex/lib/migrations/migrate/Migrator.js:567
[planka] |     throw new Error(
[planka] |           ^
[planka] | 
[planka] | Error: The migration directory is corrupt, the following files are missing: 20250603102521_canonicalize_locale_codes.js, 20250703122452_move_webhooks_configuration_from_environment_variable_to_ui.js, 20250708200908_persist_closed_state_per_card.js, 20250709160208_add_ability_to_link_tasks_to_cards.js, 20250721132312_add_ability_to_hide_completed_tasks.js, 20250728105713_add_legal_requirements.js, 20250820144730_track_storage_usage.js
[planka] |     at validateMigrationList (/app/node_modules/knex/lib/migrations/migrate/Migrator.js:567:11)
[planka] |     at Migrator.latest (/app/node_modules/knex/lib/migrations/migrate/Migrator.js:69:7)
[planka] |     at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
[planka] |     at async /app/db/init.js:14:5
[planka] | 
[planka] | Node.js v18.20.8
```

So I have to wait for the next release first, before I can try your hint.

Reference: starred/planka#801