
How to Connect to PostgreSQL with SSL in Quarkus

I have an application based on Quarkus. It needs to connect to a database using SSL. I have specified the config as follows:

quarkus.datasource.db-kind=postgresql
quarkus.datasource.reactive.url=postgresql://ipaddress:5432/dbname?sslmode=verify-ca
quarkus.datasource.password=password
quarkus.datasource.username=username
quarkus.datasource.reactive.postgresql.ssl-mode=require
quarkus.datasource.reactive.trust-certificate-pem=true
quarkus.datasource.reactive.trust-certificate-pem.certs=certificates/cacertificate.pem,certificates/client.pem
quarkus.datasource.reactive.key-certificate-pem=true
quarkus.datasource.reactive.key-certificate-pem.keys=certificates/private_key.pem
quarkus.datasource.reactive.trust-all=true

However, I got the following error:

io.vertx.core.VertxException: io.vertx.core.VertxException: Missing X.509 certificate
        at io.vertx.core.net.impl.SSLHelper.createContext(SSLHelper.java:336)
        at io.vertx.core.net.impl.SSLHelper.getContext(SSLHelper.java:511)
        at io.vertx.core.net.impl.SSLHelper.createEngine(SSLHelper.java:547)
        at io.vertx.core.net.impl.NetSocketImpl.upgradeToSsl(NetSocketImpl.java:307)
        at io.vertx.core.net.impl.NetSocketImpl.upgradeToSsl(NetSocketImpl.java:291)
        at io.vertx.pgclient.impl.InitiateSslHandler.channelRead(InitiateSslHandler.java:73)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
        at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
        at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:792)
        at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:475)
        at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:378)
        at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
        at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
        at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
        at java.lang.Thread.run(Thread.java:750)
Caused by: io.vertx.core.VertxException: Missing X.509 certificate
        at io.vertx.core.net.impl.KeyStoreHelper.loadKeyCert(KeyStoreHelper.java:231)
        at io.vertx.core.net.PemKeyCertOptions.getHelper(PemKeyCertOptions.java:447)
        at io.vertx.core.net.PemKeyCertOptions.getKeyManagerFactory(PemKeyCertOptions.java:465)
        at io.vertx.core.net.impl.SSLHelper.getKeyMgrFactory(SSLHelper.java:341)
        at io.vertx.core.net.impl.SSLHelper.createContext(SSLHelper.java:286)

Did I make any mistake? What is the proper way to connect to a database using SSL in Quarkus?

Really appreciate any help. I have been stuck on this problem for days and I couldn't find any example on the Quarkus homepage.

Many thanks!

I have made sure the certificate and key files (PEM format) are available in the specified directory. I am not sure how to tell my Quarkus app which CA certificate and client certificate are to be used, since the config name is pretty general. I expected the DB to be connected by only setting up that config, with no further code added, since the connection is handled by Quarkus.

quarkus.datasource.url=jdbc:postgresql://host:port/database?ssl=true&sslmode=require
quarkus.datasource.driver=org.postgresql.Driver
quarkus.datasource.username=username
quarkus.datasource.password=password

# SSL configuration
quarkus.datasource.ssl-mode=require
quarkus.datasource.ssl-factory=org.postgresql.ssl.NonValidatingFactory
quarkus.datasource.ssl-factory-arg=trustStorePath=/path/to/truststore.jks,trustStorePassword=password

To connect to a database using SSL in Quarkus, you can configure the connection properties for the database in the application.properties file. You will need to provide the necessary SSL properties such as the location of the truststore and keystore, and the passwords for those files.

The error message suggests that the X.509 certificate is missing. To fix this issue, ensure that the paths to the certificate files in the properties quarkus.datasource.reactive.trust-certificate-pem.certs and quarkus.datasource.reactive.key-certificate-pem.keys are correct, and that the files are accessible at those locations. It's also important to check that the files contain the correct PEM-formatted certificate. Also, it's worth double-checking that the certificate files are in the correct format and match the expected CA and client certificates.
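
An added example, not part of the original question or answer: the question's reactive datasource settings rewritten so that the private key is paired with a client certificate (the stack trace fails in `PemKeyCertOptions`, which needs both) and the server certificate is verified. File names are those from the question; that `client.pem` is the certificate belonging to `private_key.pem` is an assumption.

```properties
# Added example (not from the original post). File names are taken from the
# question; that client.pem is the certificate for private_key.pem is assumed.

quarkus.datasource.db-kind=postgresql
quarkus.datasource.username=username
quarkus.datasource.password=password

# Set the SSL mode in one place instead of both the URL and a property.
quarkus.datasource.reactive.url=postgresql://ipaddress:5432/dbname

# require     : encrypts the connection, does not verify the server certificate
# verify-ca   : also verifies the server certificate chains to a trusted CA
# verify-full : also verifies the host name in the server certificate
quarkus.datasource.reactive.postgresql.ssl-mode=verify-ca

# Trust store: only the CA certificate(s) that signed the server certificate.
# The client certificate does not belong here.
quarkus.datasource.reactive.trust-certificate-pem=true
quarkus.datasource.reactive.trust-certificate-pem.certs=certificates/cacertificate.pem

# Client identity: the private key AND its certificate, in matching order.
# With .keys set and .certs absent, the key has no X.509 certificate to go with it.
quarkus.datasource.reactive.key-certificate-pem=true
quarkus.datasource.reactive.key-certificate-pem.keys=certificates/private_key.pem
quarkus.datasource.reactive.key-certificate-pem.certs=certificates/client.pem

# trust-all=true accepts any server certificate, so leave it off when the
# server certificate is meant to be verified.
quarkus.datasource.reactive.trust-all=false
```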
