Unable to connect to Heroku postgres from outside of Heroku

[thiago-soliveira]

In order to connect to Heroku postgres from outside of Heroku we need to use SSL.

So, I'm getting the following message when trying to connect typeorm to the Heroku postgres.

"message": "no pg_hba.conf entry for host "xxx", user "xxx", database "xxx", SSL off"

I believe this is happening because the postgres driver is trying to connect without SSL. If I'm correct, how can I tell the sql driver to use SSL.

[pleerock]

Solution is here. To do so in typeorm you need to provide option in special "extra" section of connection options:

createConnection(
    driver: {
        type: "postgres",
        host: "localhost",
        port: 5432,
        username: "root",
        password: "admin",
        database: "test",
        extra: {
             ssl: true
        }
    },);

[AngelMunoz]

hey sorry old issue, but how do you set this with .env file or env vars?

[pleerock]

You need to set

TYPEORM_DRIVER_EXTRA = {"ssl":true}

[AngelMunoz]

thanks it did work

[pie6k]

In my case:

1. put what you get from heroku config:get DATABASE_URL to your .env file (heroku will automatically add that to process.env

2. connect with:

createConnection({
    url: process.env.DATABASE_URL,
    type: 'postgres',
    entities: [YOUR ENTITIES GO HERE],
    synchronize: true,
    extra: {
      ssl: true,
    },
  });

[N-CP]

I m trying to connect postgresql heroku to oracle sql developer. But i m getting the below error

message": "no pg_hba.conf entry for host "xxx", user "xxx", database "xxx", SSL off"

what could be the solution?
can anybody help me in this pls??

[jmaicaaan]

@N-CP, what is your ormconfig looks like?

[a1300]

For me it worked with:

createConnection({
    url: process.env.DATABASE_URL,
    type: 'postgres',
    entities: [YOUR ENTITIES GO HERE],
    synchronize: true,
+   ssl: true,
  });

[yaroslav-ilin]

I believe the original issue and the solutions (both JSON & env) has to be documented.

Would such pull request for docs website be accepted?

[Kononnable]

SSL options are already documented (https://github.com/typeorm/typeorm/blob/master/docs/connection-options.md). However if you find a good place to remind about that(common problem?) PR will be accepted.

[AllanPamplona-zz]

Also PGSSLMODE=require solves this problem.

[rakeshta]

For me it worked with:

createConnection({
    url: process.env.DATABASE_URL,
    type: 'postgres',
    entities: [YOUR ENTITIES GO HERE],
    synchronize: true,
+   ssl: true,
  });

worked for me too.

[idudinov]

hi there!
still don't able to connect to remote Heroku Postgres server from local machine, my config looks like:

const config: PostgresConnectionOptions = {
    ...baseConfig, // here're common settings
    url: process.env.DATABASE_URL, // got from DATABASE_URL config var in Heroku
    ssl: true, // double check
    extra: {
        ssl: true,
    },
};

also tried to set up PGSSLMODE=require as env var.

TypeORM in package.json:
"typeorm": "0.2.20"

getting the error:

Error: self signed certificate
    at TLSSocket.onConnectSecure (_tls_wrap.js:1321:34)
    at TLSSocket.emit (events.js:210:5)
    at TLSSocket._finishInit (_tls_wrap.js:794:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:608:12) {
  code: 'DEPTH_ZERO_SELF_SIGNED_CERT'
}

not sure what certificate should I use, or can I bypass it somehow?

thanks in advance!

[idudinov]

jeez it fails on Heroku as well!

UPDATE: sorry, false alarm! it's actually node-postgres issue: brianc/node-postgres#2009

[JakeSidSmith]

@idudinov

getting the error:

Error: self signed certificate
    at TLSSocket.onConnectSecure (_tls_wrap.js:1321:34)
    at TLSSocket.emit (events.js:210:5)
    at TLSSocket._finishInit (_tls_wrap.js:794:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:608:12) {
  code: 'DEPTH_ZERO_SELF_SIGNED_CERT'
}

not sure what certificate should I use, or can I bypass it somehow?

thanks in advance!

I've just run into this issue and it seems that node-postgres have added an option to disable rejecting unauthorized connections. I don't think this is safe to run in production though. I'm just using it to run my migrations.

I believe the ideal solution is to get a new SSL certificate, but for now I have:

  ssl: true,
  extra: {
    ssl: {
      rejectUnauthorized: false,
    },
  },

[aliskhanoff]

@idudinov

getting the error:

Error: self signed certificate
    at TLSSocket.onConnectSecure (_tls_wrap.js:1321:34)
    at TLSSocket.emit (events.js:210:5)
    at TLSSocket._finishInit (_tls_wrap.js:794:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:608:12) {
  code: 'DEPTH_ZERO_SELF_SIGNED_CERT'
}

not sure what certificate should I use, or can I bypass it somehow?
thanks in advance!

I've just run into this issue and it seems that node-postgres have added an option to disable rejecting unauthorized connections. I don't think this is safe to run in production though. I'm just using it to run my migrations.

I believe the ideal solution is to get a new SSL certificate, but for now I have:

  ssl: true,
  extra: {
    ssl: {
      rejectUnauthorized: false,
    },
  },

it works for me. Thanks!

[italodeandra]

What fixed for me while using Postgres from Heroku was only adding the following environment variable:

PGSSLMODE=no-verify

[Haple]

What worked for me:

{
...
    "password": ...,
    "database": ...,
    "ssl": {
        "rejectUnauthorized": false,
    },
...
}

[kvarela]

What worked for me:

{
...
    "password": ...,
    "database": ...,
    "ssl": {
        "rejectUnauthorized": false,
    },
...
}

Yes, this for me also, AND I had to REMOVE:

{
  extra: {
    ssl: true
  }
}

What a PITA

[altschuler]

If, like me, you added ?ssl=true to the url, then the rejectUnauthorized wont work. You need to either remove the ssl param from the URL or set it to ssl=no-verify in which case you can remove the ssl options from the typeorm config altogether. Found the answer here brianc/node-postgres#2009 (comment)

[agilatakishiyev]

@idudinov

getting the error:

Error: self signed certificate
    at TLSSocket.onConnectSecure (_tls_wrap.js:1321:34)
    at TLSSocket.emit (events.js:210:5)
    at TLSSocket._finishInit (_tls_wrap.js:794:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:608:12) {
  code: 'DEPTH_ZERO_SELF_SIGNED_CERT'
}

not sure what certificate should I use, or can I bypass it somehow?
thanks in advance!

I've just run into this issue and it seems that node-postgres have added an option to disable rejecting unauthorized connections. I don't think this is safe to run in production though. I'm just using it to run my migrations.

I believe the ideal solution is to get a new SSL certificate, but for now I have:

  ssl: true,
  extra: {
    ssl: {
      rejectUnauthorized: false,
    },
  },

thanks a lot it worked for me too
i was using typeorm and nest.js and i was getting this error while connecting a database located in digitalocean

[benjaminudoh10]

@idudinov

getting the error:

Error: self signed certificate
    at TLSSocket.onConnectSecure (_tls_wrap.js:1321:34)
    at TLSSocket.emit (events.js:210:5)
    at TLSSocket._finishInit (_tls_wrap.js:794:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:608:12) {
  code: 'DEPTH_ZERO_SELF_SIGNED_CERT'
}

not sure what certificate should I use, or can I bypass it somehow?
thanks in advance!

I've just run into this issue and it seems that node-postgres have added an option to disable rejecting unauthorized connections. I don't think this is safe to run in production though. I'm just using it to run my migrations.

I believe the ideal solution is to get a new SSL certificate, but for now I have:

  ssl: true,
  extra: {
    ssl: {
      rejectUnauthorized: false,
    },
  },

Thank you so much for this. I have searched everywhere. All the solutions on this thread did not work for me except this.

Thanks again.

[JakeSidSmith]

@idudinov

getting the error:

Error: self signed certificate
    at TLSSocket.onConnectSecure (_tls_wrap.js:1321:34)
    at TLSSocket.emit (events.js:210:5)
    at TLSSocket._finishInit (_tls_wrap.js:794:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:608:12) {
  code: 'DEPTH_ZERO_SELF_SIGNED_CERT'
}

not sure what certificate should I use, or can I bypass it somehow?
thanks in advance!

I've just run into this issue and it seems that node-postgres have added an option to disable rejecting unauthorized connections. I don't think this is safe to run in production though. I'm just using it to run my migrations.

I believe the ideal solution is to get a new SSL certificate, but for now I have:

  ssl: true,
  extra: {
    ssl: {
      rejectUnauthorized: false,
    },
  },

Just as a follow up, since Heroku enforced SSL for all postgres connections the above is the solution they recommend.

So I guess it is safe for production. 😊

[revskill10]

Guys, the issue is in the PGSSLMODE=no-verify combined with

extra: {
    ssl: {
      rejectUnauthorized: false,
    },
  },

[lenybernard]

I resolve my issue by setting NODE_TLS_REJECT_UNAUTHORIZED=0 to heroku env vars (see https://stackoverflow.com/a/45088585).

This was not a typeorm issue, it's because heroku use self signed certificates.