How to set SSL options correctly when connecting to Heroku postgres db?

tomwang57 · November 2, 2023, 4:38am

I recently upgraded Phoenix to the newest version(1.7.7) and Ecto was also upgraded to 3.10.3. Before upgrading, when connecting to Heroku pg, i just set SSL: true and the connection is OK:

config :abc, abc.Repo,
  url: System.get_env("DATABASE_URL"),
  pool_size: String.to_integer(System.get_env("POOL_SIZE") || "10"),
  ssl: true

After upgrading, it failed with the following messages:

[error] Postgrex.Protocol (#PID<0.2449.0>) failed to connect: ** (DBConnection.ConnectionError) ssl connect: Options (or their values) can not be combined: [{verify,verify_peer},
                                                {cacerts,undefined}] - {:options, :incompatible, [verify: :verify_peer, cacerts: :undefined]}

It seemed more options were needed now. There are a lot options and i can’t find some examples about how to set them. By the way, Heroku pg mandated the SSL option set, so i can’t remove it. Anyone one runs into same problem?

krns · November 2, 2023, 5:27am

Do you also upgraded to OTP 26? Because OTP 26 has some safer ssl defaults:

In OTP 26, the default value for the verify option is now verify_peer instead of verify_none. Host verification requires trusted CA certificates to be supplied using one of the options cacerts or cacertsfile.

You could get the old behaviour with the following configuration:

config :abc, abc.Repo,
  [...]
  ssl_opts: [verify: :verify_none]