Created
November 7, 2022 19:45
Supabase's TLS cert rejected as invalid by Deno
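// This program reproduces Deno / Deno's postgres library failing to connect to
// Supabase DBs with TLS enabled.
//
// Configuration comes from the environment:
//   POSTGRES_HOSTNAME, POSTGRES_PASSWORD          (no fallback in this script)
//   POSTGRES_DATABASE, POSTGRES_USER, POSTGRES_PORT  (fall back to the values below)
//   ENFORCE_TLS                                   ("true" unless set otherwise)
import * as postgres from "https://deno.land/x/postgres@v0.17.0/mod.ts";

// The CA provided by Supabase:
// https://supabase-downloads.s3-ap-southeast-1.amazonaws.com/prod/ssl/prod-ca-2021.crt
//
// This is an inlined copy of the trust anchor; compare it with the published
// file before relying on it. The backslash after the opening backtick is a
// line continuation, so the string starts at the BEGIN line.
const CA_CERT = `\
-----BEGIN CERTIFICATE-----
MIIDxDCCAqygAwIBAgIUbLxMod62P2ktCiAkxnKJwtE9VPYwDQYJKoZIhvcNAQEL
BQAwazELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB0RlbHdhcmUxEzARBgNVBAcMCk5l
dyBDYXN0bGUxFTATBgNVBAoMDFN1cGFiYXNlIEluYzEeMBwGA1UEAwwVU3VwYWJh
c2UgUm9vdCAyMDIxIENBMB4XDTIxMDQyODEwNTY1M1oXDTMxMDQyNjEwNTY1M1ow
azELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB0RlbHdhcmUxEzARBgNVBAcMCk5ldyBD
YXN0bGUxFTATBgNVBAoMDFN1cGFiYXNlIEluYzEeMBwGA1UEAwwVU3VwYWJhc2Ug
Um9vdCAyMDIxIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQXW
QyHOB+qR2GJobCq/CBmQ40G0oDmCC3mzVnn8sv4XNeWtE5XcEL0uVih7Jo4Dkx1Q
DmGHBH1zDfgs2qXiLb6xpw/CKQPypZW1JssOTMIfQppNQ87K75Ya0p25Y3ePS2t2
GtvHxNjUV6kjOZjEn2yWEcBdpOVCUYBVFBNMB4YBHkNRDa/+S4uywAoaTWnCJLUi
cvTlHmMw6xSQQn1UfRQHk50DMCEJ7Cy1RxrZJrkXXRP3LqQL2ijJ6F4yMfh+Gyb4
O4XajoVj/+R4GwywKYrrS8PrSNtwxr5StlQO8zIQUSMiq26wM8mgELFlS/32Uclt
NaQ1xBRizkzpZct9DwIDAQABo2AwXjALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFKjX
uXY32CztkhImng4yJNUtaUYsMB8GA1UdIwQYMBaAFKjXuXY32CztkhImng4yJNUt
aUYsMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAB8spzNn+4VU
tVxbdMaX+39Z50sc7uATmus16jmmHjhIHz+l/9GlJ5KqAMOx26mPZgfzG7oneL2b
VW+WgYUkTT3XEPFWnTp2RJwQao8/tYPXWEJDc0WVQHrpmnWOFKU/d3MqBgBm5y+6
jB81TU/RG2rVerPDWP+1MMcNNy0491CTL5XQZ7JfDJJ9CCmXSdtTl4uUQnSuv/Qx
Cea13BX2ZgJc7Au30vihLhub52De4P/4gonKsNHYdbWjg7OWKwNv/zitGDVDB9Y2
CMTyZKG3XEu5Ghl1LEnI3QmEKsqaCLv12BnVjbkSeZsMnevJPs1Ye6TjjJwdik5P
o/bKiIz+Fq8=
-----END CERTIFICATE-----
`;

const client = new postgres.Client({
  // The `!` only satisfies the type checker; nothing in this script checks
  // that POSTGRES_HOSTNAME or POSTGRES_PASSWORD is actually set.
  hostname: Deno.env.get("POSTGRES_HOSTNAME")!,
  database: Deno.env.get("POSTGRES_DATABASE") || "postgres",
  port: Deno.env.get("POSTGRES_PORT") || 5432,
  user: Deno.env.get("POSTGRES_USER") || "postgres",
  password: Deno.env.get("POSTGRES_PASSWORD")!,
  tls: {
    caCertificates: [CA_CERT],
    // This is false by default, so the connection will be made without TLS if
    // a connection with TLS cannot be established.
    //
    // That fallback is silent apart from a console message: when certificate
    // validation fails, the authentication exchange and every query then
    // travel unencrypted and the server is not authenticated. This script
    // therefore enforces TLS unless ENFORCE_TLS is set to something other
    // than "true"; turn it off only to reproduce the fallback itself.
    enforce: (Deno.env.get("ENFORCE_TLS") || "true") === "true",
  },
});

await client.connect();
try {
  console.log((await client.queryObject("SELECT true;")).rows[0]);
} finally {
  // Await the shutdown so a failure while closing the connection surfaces
  // here instead of as an unhandled promise rejection.
  await client.end();
}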
$ export POSTGRES_HOSTNAME=db.XXXX.supabase.co
$ export POSTGRES_PASSWORD=XXXX
$ deno run --allow-env --allow-net deno-supabase.ts
Sending fatal alert BadCertificate
error: Uncaught (in promise) Error: The certificate used to secure the TLS connection is invalid.
throw new Error(
^
at Connection.#startup (https://deno.land/x/postgres@v0.17.0/connection/connection.ts:392:19)
at async Connection.startup (https://deno.land/x/postgres@v0.17.0/connection/connection.ts:491:11)
at async Client.connect (https://deno.land/x/postgres@v0.17.0/client.ts:220:7)
at async file:///workspace/deno-supabase.ts:45:1
$ ENFORCE_TLS=false deno run --allow-env --allow-net deno-supabase.ts
Sending fatal alert BadCertificate
TLS connection failed with message: invalid peer certificate contents: invalid peer certificate: UnsupportedCertVersion
Defaulting to non-encrypted connection
{ bool: true }
$ deno --version
deno 1.27.0 (release, aarch64-unknown-linux-gnu)
v8 10.8.168.4
typescript 4.8.3