@h4l
Created November 7, 2022 19:45
Supabase's TLS cert rejected as invalid by Deno
// This program reproduces Deno / Deno's postgres library failing to connect to
// Supabase DBs with TLS enabled.
import * as postgres from "https://deno.land/x/postgres@v0.17.0/mod.ts";

// The CA provided by Supabase:
// https://supabase-downloads.s3-ap-southeast-1.amazonaws.com/prod/ssl/prod-ca-2021.crt
const CA_CERT = `\
-----BEGIN CERTIFICATE-----
[certificate body missing from this page; use the contents of the file at the URL above]
-----END CERTIFICATE-----
`;

const client = new postgres.Client({
  hostname: Deno.env.get("POSTGRES_HOSTNAME")!,
  database: Deno.env.get("POSTGRES_DATABASE") || "postgres",
  port: Deno.env.get("POSTGRES_PORT") || 5432,
  user: Deno.env.get("POSTGRES_USER") || "postgres",
  password: Deno.env.get("POSTGRES_PASSWORD")!,
  tls: {
    caCertificates: [CA_CERT],
    // enforce is false by default, in which case the connection is made
    // without TLS if a connection with TLS cannot be established.
    enforce: (Deno.env.get("ENFORCE_TLS") || "true") === "true",
  },
});

await client.connect();
try {
  console.log((await client.queryObject("SELECT true;")).rows[0]);
} finally {
  // Wait for the connection to close so shutdown errors are not lost.
  await client.end();
}
$ export POSTGRES_HOSTNAME=db.XXXX.supabase.co
$ export POSTGRES_PASSWORD=XXXX
$ deno run --allow-env --allow-net deno-supabase.ts
Sending fatal alert BadCertificate
error: Uncaught (in promise) Error: The certificate used to secure the TLS connection is invalid.
throw new Error(
^
at Connection.#startup (https://deno.land/x/postgres@v0.17.0/connection/connection.ts:392:19)
at async Connection.startup (https://deno.land/x/postgres@v0.17.0/connection/connection.ts:491:11)
at async Client.connect (https://deno.land/x/postgres@v0.17.0/client.ts:220:7)
at async file:///workspace/deno-supabase.ts:45:1
$ ENFORCE_TLS=false deno run --allow-env --allow-net deno-supabase.ts
Sending fatal alert BadCertificate
TLS connection failed with message: invalid peer certificate contents: invalid peer certificate: UnsupportedCertVersion
Defaulting to non-encrypted connection
{ bool: true }
$ deno --version
deno 1.27.0 (release, aarch64-unknown-linux-gnu)
v8 10.8.168.4
typescript 4.8.3
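
Added example, not part of the original gist: the `UnsupportedCertVersion` message above is what Deno's TLS stack (rustls/webpki) reports for a certificate that is not X.509 v3. The code below reads the version field from a certificate's DER encoding, so a CA file can be checked before it is passed in `caCertificates`. The function names are hypothetical, and the two byte arrays are constructed, truncated fragments, not real certificates.

```typescript
// Added example: read the X.509 version from a certificate (PEM or DER).
type Tlv = { tag: number; start: number; end: number };

// Parse one DER tag-length-value header at `pos` and return its content bounds.
function readTlv(der: Uint8Array, pos: number): Tlv {
  if (pos + 2 > der.length) throw new Error("truncated DER");
  let len = der[pos + 1];
  let start = pos + 2;
  if (len & 0x80) { // long form: low 7 bits = number of length bytes
    const n = len & 0x7f;
    if (n === 0 || n > 4 || start + n > der.length) throw new Error("bad DER length");
    len = 0;
    for (let i = 0; i < n; i++) len = len * 256 + der[start + i];
    start += n;
  }
  if (start + len > der.length) throw new Error("truncated DER");
  return { tag: der[pos], start, end: start + len };
}

// Version is `[0] EXPLICIT INTEGER DEFAULT v1` at the start of tbsCertificate,
// so a v1 certificate omits it and the first field is the serial number.
function x509Version(der: Uint8Array): number {
  const cert = readTlv(der, 0);
  if (cert.tag !== 0x30) throw new Error("not a certificate SEQUENCE");
  const tbs = readTlv(der, cert.start);
  if (tbs.tag !== 0x30) throw new Error("tbsCertificate is not a SEQUENCE");
  const first = readTlv(der, tbs.start);
  if (first.tag !== 0xa0) return 1;
  const ver = readTlv(der, first.start);
  if (ver.tag !== 0x02 || ver.end - ver.start !== 1) throw new Error("bad version");
  return der[ver.start] + 1; // encoded 0, 1, 2 mean v1, v2, v3
}

// Strip the PEM armor of the first certificate and base64-decode it.
function pemToDer(pem: string): Uint8Array {
  const m = pem.match(/-----BEGIN CERTIFICATE-----([\s\S]*?)-----END CERTIFICATE-----/);
  if (!m) throw new Error("no PEM certificate found");
  const bin = atob(m[1].replace(/\s+/g, ""));
  const out = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i);
  return out;
}

// Constructed DER fragments (outer SEQUENCE + start of tbsCertificate only).
const SAMPLE_V3 = new Uint8Array([0x30, 0x0a, 0x30, 0x08, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x01, 0x01]);
const SAMPLE_V1 = new Uint8Array([0x30, 0x05, 0x30, 0x03, 0x02, 0x01, 0x01]);
console.log(x509Version(SAMPLE_V3), x509Version(SAMPLE_V1));
```

To check a real CA file, pass its text to `pemToDer` and the result to `x509Version`; any value other than 3 means the certificate is not v3.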