Warning: setting ssl: true on your database connection offers only limited protection, as the server's certificate is not verified. Set "ssl: [cacertfile: path/to/file]" instead

moxley · August 11, 2024, 6:29pm

My application recently upgraded to elixir 1.17 and Erlang/OTP 27.0. It connects to a DigitalOcean managed PostgreSQL cluster.

Now, each time I deploy, this warning log message shows up in my application’s logs:

setting ssl: true on your database connection offers only limited protection, as the server's certificate is not verified. Set "ssl: [cacertfile: path/to/file]" instead

There was a recent change in OTP’s ssl configuration defaults, where it now defaults with verify: :verify_peer instead of verify: :verify_none.

The solution seemed straightforward: I need to either pass the verify: :verify_none ssl option, or profile a CA cert file. I tried both of these solutions, and nothing changed. The same warning message appears.

Here’s my Repo’s configuration with the cacertfile option:

iex> MyApp.Repo.config()
[
  telemetry_prefix: [:myapp, :repo],
  otp_app: :myapp,
  timeout: 15000,
  start_apps_before_migration: [:logger_json],
  adapter: Ecto.Adapters.Postgres,
  database: "...",
  username: "...",
  password: "...",
  hostname: "...",
  port: 25060,
  ssl: true,
  ssl_opts: [
    verify: :verify_peer,
    cacertfile: "/home/app/db-ca-certificate.crt"
  ],
  pool_size: 10
]

According to the ecto_sql docs, the ssl_opts is what you use to pass options to Erlang’s ssl module.

I also tried passing the cacertfile path as a charlist instead of a string, but that made no difference.

seeplusplus · August 12, 2024, 4:25pm

I may be missing something, but the link to the docs you posted doesn’t mention an :ssl_opts key. I think you need to pass that list of options to :ssl.

moxley · August 12, 2024, 4:50pm

The docs were just updated after a made my original post. Here are the docs that show the :ssl_opts option: Ecto.Adapters.Postgres — Ecto SQL v3.11.3. The CHANGELOG makes no mention of the documentation change, but here is the PR that changed the documentation.

I’ll try the :ssl option now…

seeplusplus · August 12, 2024, 4:55pm

Looks like OP in that issue linked to another issue that is similar to yours:

github.com/elixir-ecto/postgrex

Set "ssl: [cacertfile: path/to/file]" instead

opened 07:47AM - 20 Jun 24 UTC

closed 07:50AM - 20 Jun 24 UTC

dar-datsystems

Kind:Bug

### Elixir version 1.16.3 ### Database and Version PostrgeSQL 16 ### Postgre…x Version 0.18.0 ### Current behavior I am conecting to Neon with SSL and have 1 master and 1 read replica ``` for {repo, hostname} <- replicas do config :maverick, repo, username: System.get_env("NEON_DB_USER") || "postgres", password: System.get_env("NEON_DB_PASSWORD") || "postgres", hostname: hostname || "localhost", database: System.get_env("NEON_DB") || "maverick_dev", stacktrace: true, show_sensitive_data_on_connection_error: true, pool_size: 20, queue_target: 45_000, timeout: 60_000, connect_timeout: 60_000, ownership_timeout: 60_000, prepare: :unnamed, ssl: true, ssl_opts: [ server_name_indication: String.to_charlist(hostname) || ~c"localhost", cacertfile: CAStore.file_path(), verify_type: :verify_peer, customize_hostname_check: [ match_fun: :public_key.pkix_verify_hostname_match_fun(:https) ] ], socket_options: maybe_ipv6 end ``` I keep seeing below warning in the logs. ``` setting ssl: true on your database connection offers only limited protection, as the server's certificate is not verified. Set \"ssl: [cacertfile: path/to/file]\" instead" pid=#PID<0.3344.0> application=postgrex mfa=Postgrex.Protocol.connect/1 ``` ### Expected behavior As per the ecto postgres adapter docs the value for ssl is `true` or `false` and all options are to be passed in ssl_opts. Is there any change which is not reflected in the docs ?

If switching to :ssl doesn’t work, maybe try adding server_name_indication: false?

moxley · August 12, 2024, 5:15pm

The :ssl option works!

Here’s an edited version of what my configuration looks like:

config :myapp, MyApp.Repo,
  adapter: Ecto.Adapters.Postgres,
  database: "...",
  username: "...",
  password: "...",
  hostname: "...",
  port: 25060,
  ssl: [
    verify: :verify_peer,
    cacertfile: "/app/.postgres-cert.crt"
  ],
  pool_size: 20