Version: Deno 2.2.9 in official image
The following runs in container from image denoland/deno:debian-2.2.9 with added utilities.
This container runs in an Azure Kube cluster: AKS.
It tries to connect to a PostgreSQL DB (flex server).
From the same container, using the same credentials, and certificates, it fails with deno but succeeds with psql:
- deno

```ts
import postgres from "jsr:@oscar6echo/postgres@3.4.5-d";
import c from "./common/conf.ts";

const p_cert = Deno.env.get("REQUESTS_CA_BUNDLE");
const DENO_TLS_CA_STORE = Deno.env.get("DENO_TLS_CA_STORE");
const cert_str = Deno.readTextFileSync(`${p_cert}`).toString();
console.log({ p_cert, DENO_TLS_CA_STORE });

// ref: https://github.com/porsager/postgres?tab=readme-ov-file#connection-details
const pg_conn_params = {
  host: c.PGHOST,
  port: c.PGPORT,
  database: c.PGDATABASE,
  username: c.PGUSERNAME,
  password: c.PGPASSWORD,
  ssl: true,
  // using the below instead of ssl=true produces the same error
  // ref https://github.com/porsager/postgres/issues/571#issuecomment-1476982783
  // ssl: {
  //   rejectUnauthorized: false,
  //   caCerts: [cert_str],
  // },
  debug: true,
};
console.log({ pg_conn_params });
console.log({ cert_str_len: cert_str.length });

const sql = postgres(pg_conn_params);
const query = sql`select version()`;
const output = await query;
console.log({ output });
sql.end();
```

- psql

```sh
export PGURL="postgresql://$PGUSERNAME:$PGPASSWORD@$PGHOST:$PGPORT/$PGDATABASE"
psql $PGURL
```

- output

```sh
# run deno => ERROR
myuser@deploy-pms-6db479bf75-lfgx5:/app/src$ deno run test-conn
Task test-conn deno run -NERW test-conn.ts
{
  p_cert: "/etc/ssl/certs/ca-certificates.crt",
  DENO_TLS_CA_STORE: "system"
}
{
  pg_conn_params: {
    host: "hostname-postgresql-on-azure.com",
    port: 5432,
    database: "my_db_name",
    username: "my_db_username",
    password: "xxxxxx",
    ssl: true,
    debug: true
  }
}
{ cert_str_len: 451384 }
error: Uncaught (in promise) InvalidData: invalid peer certificate: NotValidForName
    while ((result = socket.readyState === 'open' && await raw.read(b))) {
                                                     ^
    at async TlsConn.read (ext:deno_net/01_net.js:140:15)
    at async success (https://jsr.io/@oscar6echo/postgres/3.4.5-d/polyfills.js:97:56)

# run psql => OK
myuser@deploy-pms-6db479bf75-lfgx5:/app/src$ psql $PGURL
psql (16.8 (Debian 16.8-1.pgdg120+1))
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, compression: off)
Type "help" for help.
my_db_name=>
```

I shall add that setting ssl to prefer or require leads to the same error.
If ssl is set to false the db refuses the connection - as anticipated.
Is this issue well known?
Is there a known workaround?
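
Added example, not part of the original report: `NotValidForName` is the error Deno's rustls-based TLS stack returns when the server certificate does not cover the name the client connected to, and this sketch reproduces that name check on a constructed SAN list. The function names, the sample hostnames and the SAN-only rule (no Common Name fallback) are assumptions of the example.

```typescript
// Added example: RFC 6125-style DNS name matching on constructed data.
// Assumption: only subjectAltName dNSName entries are consulted (no CN fallback).
type NameCheck = { ok: boolean; matchedBy?: string; reason?: string };

function normalize(name: string): string {
  return name.trim().toLowerCase().replace(/\.$/, "");
}

// A wildcard counts only as the whole left-most label and covers exactly one label.
function sanMatches(pattern: string, host: string): boolean {
  const p = normalize(pattern).split(".");
  const h = normalize(host).split(".");
  if (p.length !== h.length) return false;
  if (p[0] === "*") {
    // Refuse overly broad patterns such as "*.com".
    return p.length >= 3 && h[0].length > 0 &&
      p.slice(1).join(".") === h.slice(1).join(".");
  }
  return p.join(".") === h.join(".");
}

function checkServerName(host: string, sanDnsNames: string[]): NameCheck {
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
  if (isIp) {
    return { ok: false, reason: "connecting by IP: dNSName entries never match an IP" };
  }
  if (sanDnsNames.length === 0) {
    return { ok: false, reason: "certificate has no dNSName entries" };
  }
  const hit = sanDnsNames.find((san) => sanMatches(san, host));
  return hit
    ? { ok: true, matchedBy: hit }
    : { ok: false, reason: `no SAN covers "${normalize(host)}"` };
}

// Constructed SAN list; not taken from any real server certificate.
const sampleSans = ["*.db.example.com", "db.example.com"];

// Constructed connection targets: direct name, extra label, alias in another zone, IP.
for (const host of ["pg1.db.example.com", "pg1.internal.db.example.com",
  "pg1.privatelink.example.net", "10.0.0.4"]) {
  console.log(host, checkServerName(host, sampleSans));
}
```

psql's default `sslmode` (`prefer`) encrypts the session without checking the certificate name, so a successful psql login does not show that the name matches; `sslmode=verify-full` makes libpq perform the hostname check as well.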