Error with Direct Database Connection with SSL on Digital Ocean

I’m quite sure the file path is: /app/ca-certificate.crt

So the key works in Wappler database manager but not in production? Did you upload the actual key to your server? I see that you tested most paths, normally when picking the file it should generate the correct path, you could try ./ca-certificate.crt as path.

Correct, database manager works. Production doesn’t (also not in the local docker environment) so I’m thinking the path set up in the database connection json file isn’t working.

I tried ./ca-certificate.crt when putting the file in the root of the project folder:

And by putting it in the /app/ folder:

With both paths ./ca-certificate.crt and /app/ca-certificate.crt

Given that I can find the file by using the docker CLI, I think it is uploaded?

Another idea I was thinking of: when googling the handshake error I found some people saying you need to update NPM. I tried that locally and by using the web terminal, otherwise it won’t work in the docker image (I’m guessing because of the wappler node14 dockercompose). Perhaps it has something to do with that?

I swear it was working 2 weeks ago, by just using the GUI. (I’m also back to using wappler 3.9.7 so I don’t think it’s a wappler 4 issue)

Any chance you can help me solve this? It feels insecure to not be using SSL now for the db. We are starting to get users :smiley:

Is the error still the same? Self signed certificates are not trusted by default.

Thanks for coming back to this @patrick.

Yes still the same, just replicated again by doing the same steps that did make it work a long time ago:

The certificate is downloaded from digitalocean and does work when I connect to the db using DBeaver.

Tried a few other paths also:

This is the error:

{"status":"500","code":"HANDSHAKE_SSL_ERROR","message":"self signed certificate in certificate chain","stack":"Error: self signed certificate in certificate chain\n    at TLSSocket.<anonymous> (/opt/node_app/node_modules/mysql2/lib/connection.js:342:54)\n    at TLSSocket.emit (events.js:315:20)\n    at TLSSocket.EventEmitter.emit (domain.js:529:15)\n    at TLSSocket._finishInit (_tls_wrap.js:932:8)\n    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:706:12)\n    at TLSWrap.callbackTrampoline (internal/async_hooks.js:131:14)"}

Can it have anything to do with Traefik? We changed some settings in there in the last few months.

The error is not that it can’t find the certificate, it does find it. The problem is that it is a self signed certificate that isn’t trusted.

Not sure if you are using docker or run it directly on digital ocean. When running directly on digital ocean then I would expect it to trust its own generated certificate. When running in docker you probably have to do some extra work to trust it.

Another solution is to ignore the untrusted certificate, add rejectUnauthorized: false to the ssl option.

Thanks Patrick (sorry I had notifications off)

  1. Yes using Docker
  2. You say it does find it - but I feel like that can’t be true, because I tried multiple paths and the error message stays the same. Is it possible all these paths work? If not then it’s producing that error without actually loading the certificate I guess

I have rejectUnauthorized: false on now by using 'default' in wappler:

I trust you blindly, is this safe enough? Your link is saying not to do this

I’d like to join in on this thread. I’m testing out Digital Ocean’s Managed database features. So I created a new project in Wappler: Docker with NodeJS, no db setup, yet.

  • I add a db according to steps in tutorial by using connection string (tried both Public network and VPC Network).
  • I also added my own ip to the trusted sources in DO (also did this for a droplet, that I want to use for this DB)
  • Get error about self signed certificate.
  • Try workaround by selecting Custom SSL profile and in my case point towards folder with .crt from DO download:

Any advice on how to properly connect to a DO managed DB?

PS: I just tried connecting to the managed db using DBeaver and it works perfectly with the same credentials and cert file. Great tool, btw!


Do you have mySQL 8 selected for the DO db?

This topic didn’t fix it for me either:

I added a user with the legacy mysql 5 password, but to no avail!

For a Direct Database Connection I see no option to select Database MySQL 8, I only see this for the default database connection in the project settings. This setting is on:

Here are my settings, this should work since it seems like we have the exact same setup.

  1. In my live production environment (because I still use the docker db for the local environment)
    Under server actions → globals → database connections → db
  2. Project settings keep it on none

Here is a thread where I went through the process of fixing it, in case you need more info Remote database with docker

@patrick the issue above still stands :smiley: : Error with Direct Database Connection with SSL on Digital Ocean


Thanks for your reply, @karh! I checked things over again and it turns out that the fix mentioned in

Did fix my issue after all. Somehow the password encryption setting for my new legacy user did not persist and was still on MySQL 8+ mode. I have now successfully changed that to Legacy MySQL 5.x mode (mind you, the password will change upon this change) and now it works!

Super happy!


So do you still use the default SSL setting, @karh? I tried the custom setting, but got the same error message as you did. Default settings fixes this, but does not use the certificate? I’m not sure I have enough knowledge of SSL to understand if that is a potential issue or not.

This reply by @George fixes this issue:

@jellederijke Setting the SSL settings to ‘default’ gives a false sense of security. What it actually does is set rejectUnauthorized: false, which is not recommended for production environments according to the node package documentation.

@patrick Any chance you can still take a look at this? Since now I’m not the only person producing the self signed certificate error (see NEED HELP!: Can't query DO managed database, data does show up in database manager)


This has been fixed in Wappler 4.1.1
