Self Signed Certificate in Certificate Chain when uploading data to a PostgreSQL cloud database

Hi all,
I was playing around with PostgreSQL on my local network and everything went very well, until I changed the database to a cloud server and received the error: "Self Signed Certificate in Certificate Chain". I assume this is because the SSL is now true.

The certificate provided by the cloud server looks like this:

Here is my very simple flow just to upload first data to the database:

So, how do I fix this error? Where can I insert my CA-certificate into the flow? Sorry, I'm completely new to networking and security functions.
I found some people suggesting disabling the authorization, but to keep the data safe, it is clearly not an ideal solution, right?

Also, I am using: node-red-contrib-postgrestor-next
Node-red version: v2.0.5
Node.js version: v14.17.4

So when a certificate is created, it has a cascade of trust from a "Root Certificate Authority" or RootCA. Each step of the chain of certificates is "signed" by the parent. In this way you get a trusted certificate chain.

Now, if you create your own certificates locally using OpenSSL, you are using a "self-signed" certificate because you don't have a real RootCA.

So if you try and use such a certificate with a public service, the service will try to validate the chain because otherwise it cannot trust the certificate. With a self-signed cert, it cannot do this because it doesn't know about your pseudo-root.

There are various approaches to fixing this issue:

  • Get the service to ignore the error - really not a good idea because someone else could now pretend to be you.
  • Give the service a root CA to trust - while this works ok with local browsers, it generally won't be possible on cloud services unless you own the underlying infrastructure.
  • Get a "proper" certificate that has been signed by a RootCA that is widely recognised.

This last one is really the only viable choice. There are now several free services that will give you a certificate like this. However, most people are now using Let's Encrypt. There are a number of older threads in the forum that talk about LE and how to get Node-RED set up using LE certs and that may give you the clues you need to get your requirements working.


Thank you for your reply, I have learned something now.

Just to be specific, I am using a PostgreSQL database on DigitalOcean, which provided a RootCA to be downloaded.

I just don't know how to insert that certificate into Node-RED. I'll look into old threads in the forum about LE, maybe I can get some ideas out of them.

Ah, OK so the other way around to what I was describing. Same principles except that you probably DO have control over your Node-RED server.

What platform are you using to run Node-RED?

It is running on Raspberry Pi, Linux 5.10.52-v7+ arm LE

node-red-contrib-digitaloak-postgresql (node) - Node-RED supports TLS - have you tried this node?


OK, so it is possible to load external custom root CAs into Linux. You would need to look it up.

But do try Steve's suggestion first as that is probably all you need.


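The chain check discussed in this thread can be reproduced offline with OpenSSL. The following is an added example, not part of any post: it builds a throwaway root CA and a server certificate signed by it (all names and file names are constructed), then verifies the server certificate once without the CA as a trust anchor and once with it.

```shell
#!/bin/sh
# Added example: throwaway PKI to reproduce the error and the fix.
# demo-root-ca, db.example.test and the file names are constructed for the demo.

# Create a self-signed root CA and a server certificate signed by that CA.
make_demo_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-root-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=db.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/server.csr" -days 1 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.crt" 2>/dev/null || return 1
}

# Client that has NOT been given the CA: the root arrives with the chain
# (-untrusted) but is not a trust anchor, so verification fails with a
# "self-signed certificate in certificate chain" error and a non-zero exit.
verify_without_ca() {
    openssl verify -untrusted "$1/ca.crt" "$1/server.crt"
}

# Client configured with the CA file as a trust anchor: verification succeeds.
verify_with_ca() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt"
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_demo_pki "$tmp" || { rm -rf "$tmp"; return 1; }
    echo "--- without the CA as a trust anchor ---"
    verify_without_ca "$tmp" 2>&1
    echo "--- with -CAfile ca.crt ---"
    verify_with_ca "$tmp" 2>&1
    rm -rf "$tmp"
}
demo
```

Certificate verification stays enabled in both runs; only the set of trust anchors changes. In Node.js the same trust anchor is supplied through the `ca` TLS option or the `NODE_EXTRA_CA_CERTS` environment variable.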
Thank you for the reply. After learning some TLS configuration, and trying @digitaloak/node-red-contrib-digitaloak-postgresql, I still have errors with authentication.


I uploaded the CA certificate.
