mattermost-community/focalboard

Bug: `x509: certificate signed by unknown authority`

Open

#4,704 opened on Apr 7, 2023

Labels: Bug, Help Wanted, Sev/2, Up for grabs

Description

Overview

I'm running Focalboard in Kubernetes. My database is a separate Postgres 13 VM that uses a Let's Encrypt SSL certificate (set up like this).

I was stuck on Focalboard 7.5.2 for a while because of this bug. I just tried to upgrade to 7.8.4 and was met with the error below. This occurs on 7.9.3 also.

2023/04/07 18:09:59 readConfigFile
2023/04/07 18:09:59 {ServerRoot:http://localhost:8000 Port:8000 DBType:postgres DBConfigString:postgres://username:password@db05.internal.mydomain.com:5432/dbfocalboard?sslmode=verify-full&connect_timeout=10 DBTablePrefix: UseSSL:false SecureCookie:false WebPath:./pack FilesDriver:local FilesS3Config:{AccessKeyID: SecretAccessKey: Bucket: PathPrefix: Region: Endpoint: SSL:false SignV2:false SSE:false Trace:false Timeout:0} FilesPath:/data/files MaxFileSize:0 Telemetry:true TelemetryID: PrometheusAddress: WebhookUpdate:[] Secret: SessionExpireTime:2592000 SessionRefreshTime:18000 LocalOnly:false EnableLocalMode:true LocalModeSocketLocation:/var/tmp/focalboard_local.socket EnablePublicSharedBoards:false FeatureFlags:map[] EnableDataRetention:false DataRetentionDays:0 TeammateNameDisplay:username ShowEmailAddress:false ShowFullName:false AuthMode:native LoggingCfgFile: LoggingCfgJSON: AuditCfgFile: AuditCfgJSON: NotifyFreqCardSeconds:0 NotifyFreqBoardSeconds:0}
info  [2023-04-07 18:09:59.677 Z] Focalboard server                        caller="model/version.go:60" version=7.8.4 edition=linux build_number=dev build_date=n/a build_hash=6fc1d9f8db9d366a16cd0ce18d34a5d7b8d5b1e5
error [2023-04-07 18:09:59.684 Z] Database Ping failed                     caller="server/server.go:220" error="x509: certificate signed by unknown authority"
fatal [2023-04-07 18:09:59.684 Z] server.NewStore ERROR                    caller="main/main.go:136" error="x509: certificate signed by unknown authority"
  main.main
      /go/src/focalboard/server/main/main.go:136
  runtime.main
      /usr/local/go/src/runtime/proc.go:250
  runtime.goexit
      /usr/local/go/src/runtime/asm_amd64.s:1571

I had to change `sslmode=verify-full` to `sslmode=require` to get Focalboard to start. From this page for the Go Postgres driver:

Valid values for sslmode are:

  • disable - No SSL
  • require - Always SSL (skip verification)
  • verify-ca - Always SSL (verify that the certificate presented by the server was signed by a trusted CA)
  • verify-full - Always SSL (verify that the certification presented by the server was signed by a trusted CA and the server host name matches the one in the certificate)

It is now working with 7.8.4 and 7.9.3. Did something change with the included package of ca-certificates in the Docker image? The SSL cert I'm using is signed by Let's Encrypt, so it should be accepted everywhere...

Steps to reproduce the behavior

  1. Run Postgres in a separate VM using a Let's Encrypt SSL certificate
  2. Try to run Focalboard 7.8.4 in Docker using sslmode=verify-full in the Postgres connection string
  3. Error

Expected behavior

Focalboard should accept CA certificates from Let's Encrypt.

Screenshots (optional)

N/A

Edition and Platform

  • Edition: Personal Server
  • Version: 7.8.4
  • Browser and OS: Firefox+Chrome on Linux (Kubernetes)

Additional context (optional)

N/A
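
Added example, not part of the original issue and not Focalboard or lib/pq code: a Go program that uses `crypto/x509` directly to show what each `sslmode` value in the list quoted above asks of the server certificate, and how a trust bundle that lacks the issuing CA yields the error string in the log. The CA, the leaf certificate and the helper names `issue` and `verify` are constructed for illustration; only the host name is taken from the connection string in the report.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a constructed test certificate: a self-signed root when parent is nil, else a leaf.
// Errors are ignored because the fixture inputs are fixed and valid.
func issue(cn string, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn}, IsCA: parent == nil,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, pkey = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verify applies what the given sslmode asks of a constructed server certificate.
func verify(mode, dialHost string, caInBundle bool) error {
	ca, caKey := issue("constructed-test-ca.invalid", nil, nil)
	leaf, _ := issue("db05.internal.mydomain.com", ca, caKey)
	opts := x509.VerifyOptions{Roots: x509.NewCertPool()} // stands in for the image's CA bundle
	if caInBundle {
		opts.Roots.AddCert(ca)
	}
	switch mode {
	case "require":
		return nil // TLS is used, but the certificate is never verified
	case "verify-full":
		opts.DNSName = dialHost // also match the dialed host name
	}
	_, err := leaf.Verify(opts) // verify-ca and verify-full both build a chain to a trusted root
	return err
}

func main() {
	for _, m := range []string{"require", "verify-ca", "verify-full"} {
		fmt.Printf("%-11s CA missing from bundle: %v\n", m, verify(m, "db05.internal.mydomain.com", false))
	}
}
```

With `require` the missing trust anchor goes unnoticed because no verification runs, so a connection that starts in that mode is encrypted but does not authenticate the database server.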
