
How can I help Vapor successfully SSL-handshake my PostgreSQL server?

I'm using Vapor on an Ubuntu server to connect to my DigitalOcean-managed PostgreSQL database.

From the command line, running the following works fine:

psql postgresql://user:password@host:port/dbname?sslmode=require

But running the equivalent with the following code gives me:

Fatal error: Error raised at top level: NIOOpenSSL.NIOOpenSSLError.handshakeFailed(NIOOpenSSL.OpenSSLError.sslError([Error: 337047686 error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed])): file /home/buildnode/jenkins/workspace/oss-swift-5.1-package-linux-ubuntu-18_04/swift/stdlib/public/core/ErrorType.swift, line 200

Here is the code:

    import Vapor
    import FluentPostgreSQL

    // Vapor 3 / FluentPostgreSQL configuration; .standardTLS verifies the
    // server certificate against the system trust store.
    let postgres = PostgreSQLDatabase(config: PostgreSQLDatabaseConfig(
        hostname: Environment.get("POSTGRESQL_HOSTNAME")!,
        port: Int(Environment.get("POSTGRESQL_PORT")!)!,
        username: Environment.get("POSTGRESQL_USERNAME")!,
        database: Environment.get("POSTGRESQL_DATABASE")!,
        password: Environment.get("POSTGRESQL_PASSWORD")!,
        transport: .standardTLS
    ))

Switching the transport argument to .unverifiedTLS works.

I need help getting Vapor to make the SSL connection properly, but I have no idea where to start.

I recently got this working with Vapor 4 and MySQL on Digital Ocean; I suspect the same will work for PostgreSQL. The main bit was configuring Vapor to trust Digital Ocean's certificate.

  1. Download the CA certificate from the managed database dashboard on Digital Ocean (the connection details section).

  2. Configure the database tlsConfiguration to trust that certificate. Here's an example of what that could look like:

import Vapor
import FluentPostgresDriver
import NIOSSL

public func configure(_ app: Application) throws {
    app.databases.use(.postgres(
        hostname: Environment.get("DATABASE_HOST") ?? "localhost",
        port: Environment.get("DATABASE_PORT").flatMap(Int.init(_:)) ?? PostgresConfiguration.ianaPortNumber,
        username: Environment.get("DATABASE_USERNAME") ?? "vapor_username",
        password: Environment.get("DATABASE_PASSWORD") ?? "vapor_password",
        database: Environment.get("DATABASE_NAME") ?? "vapor_database",
        tlsConfiguration: try makeTlsConfiguration()
    ), as: .psql)
    // ...
}

// Builds a client TLS configuration whose only trusted root is the CA
// certificate downloaded from the Digital Ocean dashboard. If the environment
// variable is not set, NIOSSL falls back to the system trust store.
private func makeTlsConfiguration() throws -> TLSConfiguration {
    var tlsConfiguration = TLSConfiguration.makeClientConfiguration()
    if let certPath = Environment.get("DATABASE_SSL_CERT_PATH") {
        tlsConfiguration.trustRoots = NIOSSLTrustRoots.certificates(
            try NIOSSLCertificate.fromPEMFile(certPath)
        )
    }
    return tlsConfiguration
}

In this example, I use the DATABASE_SSL_CERT_PATH environment variable to set the path of the downloaded ca-certificate.crt file.
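Two points about the answer above are worth making explicit before copying it. First, the psql command in the question proves less than it looks like: sslmode=require only encrypts the connection and does not validate the server certificate at all, so psql "working" says nothing about whether the chain verifies (the psql equivalent of .standardTLS is sslmode=verify-full with sslrootcert pointing at the downloaded CA). Second, the answer's makeTlsConfiguration silently falls back to the system trust store when DATABASE_SSL_CERT_PATH is unset, which reproduces the original "certificate verify failed" error because DigitalOcean's managed databases are issued by a private CA. The following is an added example, not code from the question, the answer, or the Vapor project: it refuses to start without the CA file, states the verification mode explicitly, and shows the insecure configuration that .unverifiedTLS corresponds to for contrast. The names DatabaseTLSError, makeVerifiedTLSConfiguration and makeUnverifiedTLSConfiguration are introduced here and are not part of any library.

```swift
import Vapor
import FluentPostgresDriver
import NIOSSL

// Hypothetical error type for this example. Failing closed is deliberate:
// a missing CA file must not degrade to the system trust store, because the
// managed database's certificate chains to a private CA that the system
// store does not contain.
enum DatabaseTLSError: Error, CustomStringConvertible {
    case missingCertificatePath
    case emptyCertificateFile(String)

    var description: String {
        switch self {
        case .missingCertificatePath:
            return "DATABASE_SSL_CERT_PATH is not set; refusing to start without a pinned CA"
        case .emptyCertificateFile(let path):
            return "no PEM certificates were found in \(path)"
        }
    }
}

/// Client TLS configuration that trusts only the downloaded DigitalOcean CA
/// and verifies the server's hostname against its certificate.
func makeVerifiedTLSConfiguration() throws -> TLSConfiguration {
    guard let certPath = Environment.get("DATABASE_SSL_CERT_PATH") else {
        throw DatabaseTLSError.missingCertificatePath
    }
    // fromPEMFile returns every certificate in the file; an empty file would
    // otherwise produce a trust store that rejects every peer.
    let roots = try NIOSSLCertificate.fromPEMFile(certPath)
    guard !roots.isEmpty else {
        throw DatabaseTLSError.emptyCertificateFile(certPath)
    }

    var tls = TLSConfiguration.makeClientConfiguration()
    // Replace the system roots with the managed database's CA only.
    tls.trustRoots = .certificates(roots)
    // Verify both the chain and the hostname. This is already the default for
    // a client configuration; it is written out so the intent survives edits.
    tls.certificateVerification = .fullVerification
    return tls
}

/// What the question's `.unverifiedTLS` amounts to: the link is encrypted but
/// the peer is never authenticated, so anyone on the path to the database can
/// impersonate it and read the credentials. Shown for contrast only.
func makeUnverifiedTLSConfiguration() -> TLSConfiguration {
    var tls = TLSConfiguration.makeClientConfiguration()
    tls.certificateVerification = .none
    return tls
}

public func configure(_ app: Application) throws {
    app.databases.use(.postgres(
        hostname: Environment.get("DATABASE_HOST") ?? "localhost",
        port: Environment.get("DATABASE_PORT").flatMap(Int.init(_:)) ?? PostgresConfiguration.ianaPortNumber,
        username: Environment.get("DATABASE_USERNAME") ?? "vapor_username",
        password: Environment.get("DATABASE_PASSWORD") ?? "vapor_password",
        database: Environment.get("DATABASE_NAME") ?? "vapor_database",
        tlsConfiguration: try makeVerifiedTLSConfiguration()
    ), as: .psql)
}
```

Because .fullVerification checks the hostname, DATABASE_HOST must be the DNS name shown in the DigitalOcean connection details, not the cluster's IP address, or the handshake will fail on the name check even with the correct CA installed.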
