Hello,
I’m testing the free tier to check if we can import our database before taking a paid plan.
Our application cannot connect to the database, because it uses a self-signed certificate. Also, it requires SSL connection, which is weird as forcing a self-signed certificate doesn’t protect against MITM anyway.
Is there a way to get a valid certificate for the database? Is that the case for paid plans?
If this is not available, it won’t be possible for us to go with Aiven.
Thank you.
Hi Elouan,
You can download the Aiven CA certificate on the service overview page, even for the free plan : Download CA certificates - Aiven
More info about SSL/TLS at Aiven can be found here https://docs.aiven.io/docs/platform/concepts/tls-ssl-certificates
With sslmode="verify-full" you can avoid MITM.
Hope this helps you !
Sebi
Thanks for the reply.
I haven’t been able to configure the various libraries we use to use the Aiven certificate authority. I probably don’t understand the format that is required by the different libraries. It kept saying that the connection was using a self-signed certificate.
For the record, we use the libraries pg (node-postgres) in JS, as a dependency of another tool, and databases (based on asyncpg) in Python.
I ended up disabling certificate check, which is insecure:
NODE_TLS_REJECT_UNAUTHORIZED=0ssl=require in keyword arguments when initializing the Databases class (passing it as a URL in the query string as ?sslmode=require or ?ssl=require is not supported by this library).I guess it will work out for now. Someone will have to tackle this problem again at some point though, since we need to have external connections to the database (these tools may not accept self-signed certificates at all…).
It would have worked out of the box if Aiven was using certificates signed by a trusted CA instead of their own, but I understand that it can be harder to set up (or costly if using Let’s Encrypt wildcard certificates is a no-go, for example if there is a need to avoid copying certificates on servers used by customers - though a load balancer could fix this issue).
Maybe some tools in other languages are made for passing a custom certificate authority, but what we use aren’t. It seems to be a common practice of using self-signed certificates with PostgreSQL servers, even for consumers. I’m disappointed with the situation.
Have you checked the doc about pg and nodejs ? It shows how to use the CA. Connect with NodeJS - Aiven
For Python, there is just a small note but maybe our PG expert @tibs_at_aiven could help on this.