Bug: `x509: certificate signed by unknown authority`
#4,704 created on April 7, 2023
Description
Overview
I'm running Focalboard in Kubernetes. My database is a separate Postgres 13 VM that uses a Let's Encrypt SSL certificate (setup like this).
I was stuck on Focalboard 7.5.2 for a while because of this bug. I just tried to upgrade to 7.8.4 and was met with the error below. This occurs on 7.9.3 also.
```
2023/04/07 18:09:59 readConfigFile
2023/04/07 18:09:59 {ServerRoot:http://localhost:8000 Port:8000 DBType:postgres DBConfigString:postgres://username:password@db05.internal.mydomain.com:5432/dbfocalboard?sslmode=verify-full&connect_timeout=10 DBTablePrefix: UseSSL:false SecureCookie:false WebPath:./pack FilesDriver:local FilesS3Config:{AccessKeyID: SecretAccessKey: Bucket: PathPrefix: Region: Endpoint: SSL:false SignV2:false SSE:false Trace:false Timeout:0} FilesPath:/data/files MaxFileSize:0 Telemetry:true TelemetryID: PrometheusAddress: WebhookUpdate:[] Secret: SessionExpireTime:2592000 SessionRefreshTime:18000 LocalOnly:false EnableLocalMode:true LocalModeSocketLocation:/var/tmp/focalboard_local.socket EnablePublicSharedBoards:false FeatureFlags:map[] EnableDataRetention:false DataRetentionDays:0 TeammateNameDisplay:username ShowEmailAddress:false ShowFullName:false AuthMode:native LoggingCfgFile: LoggingCfgJSON: AuditCfgFile: AuditCfgJSON: NotifyFreqCardSeconds:0 NotifyFreqBoardSeconds:0}
info [2023-04-07 18:09:59.677 Z] Focalboard server caller="model/version.go:60" version=7.8.4 edition=linux build_number=dev build_date=n/a build_hash=6fc1d9f8db9d366a16cd0ce18d34a5d7b8d5b1e5
error [2023-04-07 18:09:59.684 Z] Database Ping failed caller="server/server.go:220" error="x509: certificate signed by unknown authority"
fatal [2023-04-07 18:09:59.684 Z] server.NewStore ERROR caller="main/main.go:136" error="x509: certificate signed by unknown authority"
main.main
/go/src/focalboard/server/main/main.go:136
runtime.main
/usr/local/go/src/runtime/proc.go:250
runtime.goexit
/usr/local/go/src/runtime/asm_amd64.s:1571
```
I had to change sslmode=verify-full to sslmode=require to get Focalboard to start. From this page for the Go Postgres driver:
Valid values for sslmode are:
- disable - No SSL
- require - Always SSL (skip verification)
- verify-ca - Always SSL (verify that the certificate presented by the server was signed by a trusted CA)
- verify-full - Always SSL (verify that the certification presented by the server was signed by a trusted CA and the server host name matches the one in the certificate)
It is now working with 7.8.4 and 7.9.3. Did something change with the included package of ca-certificates in the Docker image? The SSL cert I'm using is signed by Let's Encrypt, so it should be accepted everywhere...
Steps to reproduce the behavior
- Run Postgres in a separate VM using a Let's Encrypt SSL certificate
- Try to run Focalboard `7.8.4` in Docker using `sslmode=verify-full` in the Postgres connection string
- Error
Expected behavior
Focalboard should accept CA certificates from Let's Encrypt.
Screenshots (optional)
N/A
Edition and Platform
- Edition: Personal Server
- Version: 7.8.4
- Browser and OS: Firefox+Chrome on Linux (Kubernetes)
Additional context (optional)
N/A
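
The verifying `sslmode` behaviours listed in the report, reproduced with Go's `crypto/x509` as an added example (not part of the original issue, and not Focalboard or Postgres driver code). The CA, the leaf certificate and both host names are constructed, and the empty pool stands in for a trust store that lacks the issuing CA; that is an assumption about how this error arises in general, not a diagnosis of this report.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed test certificate for cn, signed by parent (a self-signed CA when parent is nil).
func issue(cn string, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil { // self-signed root CA
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, pk = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, key.Public(), pk)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// check returns the Go type of the verification result ("<nil>" on success); host "" skips the name check.
func check(leaf *x509.Certificate, roots *x509.CertPool, host string) string {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return fmt.Sprintf("%T", err)
}

// run checks one constructed leaf under four trust configurations.
func run() []string {
	ca, caKey := issue("constructed-root.example", nil, nil)
	leaf, _ := issue("db05.internal.example", ca, caKey)
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	return []string{
		check(leaf, trusted, "db05.internal.example"),            // verify-full, CA in trust store
		check(leaf, x509.NewCertPool(), "db05.internal.example"), // verify-full, CA missing from trust store
		check(leaf, trusted, ""),                                 // verify-ca, hostname not checked
		check(leaf, trusted, "wrong.example"),                    // verify-full, name not in certificate
	}
}

func main() { fmt.Println(run()) }
```

`x509.UnknownAuthorityError` is the error type whose message is the `x509: certificate signed by unknown authority` string in the log above; `sslmode=require` avoids it only by skipping verification altogether.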