6

I am trying to put some fields in a Postgres database hosted on a Heroku app and it keeps returning this error:

Error: self signed certificate code: 'DEPTH_ZERO_SELF_SIGNED_CERT' 

I have tried adding a key, certificate, and CA bundle but to no avail

Many StackOverflow questions with the same error say to set the variable rejectUnauthorized to false when making the http server. My question is how safe is this with a Postgres database on Heroku and would it pose any threat to the security of the database?

If the information helps I am using a node.js script to send the query to the database.

7
  • Where are you getting this error - on the Postgres server or the client application? How safe it is to disable certificate validation depends on your environment and threats faced. If it is a production environment, then DO NOT.
    – bhorkarg
    Commented Apr 5, 2020 at 15:02
  • It's on the server side - from Heroku's logs
    – Phyrik
    Commented Apr 5, 2020 at 15:03
  • And it will be production so yeah, I'll try to look for other ways around it. Any idea what I could do?
    – Phyrik
    Commented Apr 5, 2020 at 15:04
  • Yep, please do not disable certificate validation in production. Have you tried using the NODE_EXTRA_CA_CERTS_FILE variable on the nodejs side? nodejs.org/api/cli.html#cli_node_extra_ca_certs_file . Save the postgres server certificate file on the nodejs server and set that env variable.
    – bhorkarg
    Commented Apr 5, 2020 at 15:10
  • Would I just set that as an environment variable with the path to the certificate?
    – Phyrik
    Commented Apr 5, 2020 at 15:21

1 Answer

5

Heroku does not support client-side certificate validation to its Postgres databases unless you are using Private Spaces or Shield:

Unless you're using a Private or Shield Heroku Postgres database, Heroku Postgres does not currently support verifiable certificates.

My understanding is that in this case, the best you can do is:

    ssl: { sslmode: 'require', rejectUnauthorized: false, }

  • Your connection is encrypted and you are protected from eavesdropping
  • Not protected against Man-In-The-Middle (MITM) attacks

This is the highest level without certificate validation, according to the table here:

[image of the table; not preserved in this copy]
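Added example, not code from the question or the answer: a small Node.js helper that builds the `ssl` option passed to node-postgres (`new Client({ ssl })`) so that `rejectUnauthorized: false` is only used when an operator explicitly opts in, and a verifiable CA (a supplied PEM bundle, or one added through Node's real `NODE_EXTRA_CA_CERTS` variable) is preferred whenever one exists. The function name `buildPgSslConfig` and the variable `PGSSL_ALLOW_UNVERIFIED` are assumptions for this example.

```javascript
// Added example (not from the original post). Builds the `ssl` object for
// node-postgres. `PGSSL_ALLOW_UNVERIFIED` is an assumed, project-specific
// name; `NODE_EXTRA_CA_CERTS` is Node's own variable for extending the
// default trust store at process start.

const PEM_MARKER = '-----BEGIN CERTIFICATE-----';

function buildPgSslConfig(env, caPem) {
  // Case 1: a CA bundle was supplied (Private Spaces / Shield databases, or
  // any server whose chain you obtained out of band). Verify against it.
  if (caPem !== undefined && caPem !== null) {
    if (typeof caPem !== 'string' || !caPem.includes(PEM_MARKER)) {
      // A wrong path or an empty file would otherwise silently fall through
      // to a weaker mode; fail loudly instead.
      throw new Error('CA bundle is not PEM-encoded certificate data');
    }
    return { rejectUnauthorized: true, ca: caPem };
  }
  // Case 2: the CA was appended to Node's default trust store via
  // NODE_EXTRA_CA_CERTS, so normal verification works without a `ca` field.
  if (env.NODE_EXTRA_CA_CERTS) {
    return { rejectUnauthorized: true };
  }
  // Case 3: plain Heroku Postgres presents a self-signed certificate, so
  // verification fails with DEPTH_ZERO_SELF_SIGNED_CERT. The link is still
  // encrypted but the server is not authenticated (MITM is possible), so
  // require an explicit opt-in rather than defaulting to it.
  if (env.PGSSL_ALLOW_UNVERIFIED === 'true') {
    return { rejectUnauthorized: false };
  }
  throw new Error(
    'No CA available for the Postgres server; set PGSSL_ALLOW_UNVERIFIED=true ' +
    'to accept encryption without server authentication');
}

// Summarises what a given config actually protects against, for logging.
function describeProtection(sslConfig) {
  return sslConfig.rejectUnauthorized
    ? 'encrypted and server authenticated'
    : 'encrypted only; not protected against MITM';
}
```

Logging `describeProtection()` at startup makes it obvious in Heroku's logs when a deployment is running without server authentication.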
