So I have installed the Percona Postgres Operator and Distribution on Kubernetes. Everything works fine: I can do the check mentioned on their installation site by using the SSL certificate generated in the helm install process.
In my runtime.exs, I have this configuration for postgres:
config :core, Repo,
  adapter: Ecto.Adapters.Postgres,
  username: System.get_env("POSTGRES_USERNAME"),
  password: System.get_env("POSTGRES_PASSWORD"),
  database: System.get_env("POSTGRES_DB"),
  hostname: System.get_env("POSTGRES_HOST"),
  ssl_opts: [verify: :verify_peer, cacertfile: "./ca.crt", versions: [:"tlsv1.3"]],
  ssl: true,
  pool_size: 10
When I try to do mix ecto.create, I get this error:
08:47:41.422 [error] Postgrex.Protocol (#PID<0.2436.0>) failed to connect: ** (DBConnection.ConnectionError) ssl connect: TLS client: In state wait_cert at ssl_handshake.erl:2071 generated CLIENT ALERT: Fatal - Bad Certificate
Obviously, if I do verify: :verify_none, it works like a charm, but then I can put anything as the cacert and it works. I don’t understand this as this certificate works with the psql protocol. Can anyone explain this behavior and maybe think of a solution?
P.S.: I tried to add the ca.crt to the trusted certificates, but to no avail.