PeerTube 3.1.0 can't connect to remote SSL PostgreSQL instance?

On Ubuntu 18.04, with PeerTube 3.1.0 with a remote PostgreSQL instance, when I run:

sudo journalctl -feu peertube

I am getting the error pasted below. The odd thing is that production.yaml specifies ssl: true; however, the error message indicates SSL off. Also, the database host is specified as foobar.postgres.database.azure.com (but the address resolves to IP 40.127.XXX.YYY).

Indeed, the following works:

psql -h foobar.postgres.database.azure.com -p 5432 -U lokad peertube -W

But the following does not work:

psql -h 40.127.XXX.YYY -p 5432 -U lokad peertube -W

It seems that PeerTube does an IP resolution which prevents the SSL connection from working.

Can someone help me to get this working?

Best regards,
Joannes

Apr 16 15:53:12 tube-lokad systemd[1]: peertube.service: Service hold-off time over, scheduling restart.
Apr 16 15:53:12 tube-lokad systemd[1]: peertube.service: Scheduled restart job, restart counter is at 133.
Apr 16 15:53:12 tube-lokad systemd[1]: Stopped PeerTube daemon.
Apr 16 15:53:12 tube-lokad systemd[1]: Started PeerTube daemon.
Apr 16 15:53:12 tube-lokad peertube[2551]: > peertube@3.1.0 start /var/www/peertube/versions/peertube-v3.1.0
Apr 16 15:53:12 tube-lokad peertube[2551]: > node dist/server
Apr 16 15:53:13 tube-lokad systemd[1]: Stopping PeerTube daemon...
Apr 16 15:53:13 tube-lokad systemd[1]: Stopped PeerTube daemon.
Apr 16 15:53:22 tube-lokad systemd[1]: Started PeerTube daemon.
Apr 16 15:53:22 tube-lokad peertube[2618]: > peertube@3.1.0 start /var/www/peertube/versions/peertube-v3.1.0
Apr 16 15:53:22 tube-lokad peertube[2618]: > node dist/server
Apr 16 15:53:25 tube-lokad peertube[2618]: [tube.lokad.com:443] 2021-04-16 15:53:25.187 warn: Emailer is disabled so the contact form will not work.
Apr 16 15:53:25 tube-lokad peertube[2618]: [tube.lokad.com:443] 2021-04-16 15:53:25.634 error: Unable to connect to PostgreSQL database. {
Apr 16 15:53:25 tube-lokad peertube[2618]: "err": {
Apr 16 15:53:25 tube-lokad peertube[2618]: "stack": "SequelizeConnectionError: no pg_hba.conf entry for host \"40.127.XXX.YYY\", user \"lokad\", database \"peertube\", SSL off\n at Client._connectionCallback (/var/www/peertube/versions/peertube-v3.1.0/node_modules/sequelize/lib/dialects/postgres/connection-manager.js:184:24)\n at Client._handleErrorWhileConnecting (/var/www/peertube/versions/peertube-v3.1.0/node_modules/pg/lib/client.js:305:19)\n at Client._handleErrorMessage (/var/www/peertube/versions/peertube-v3.1.0/node_modules/pg/lib/client.js:325:19)\n at Connection.emit (events.js:314:20)\n at /var/www/peertube/versions/peertube-v3.1.0/node_modules/pg/lib/connection.js:115:12\n at Parser.parse (/var/www/peertube/versions/peertube-v3.1.0/node_modules/pg-protocol/dist/parser.js:40:17)\n at Socket.<anonymous> (/var/www/peertube/versions/peertube-v3.1.0/node_modules/pg-protocol/dist/index.js:10:42)\n at Socket.emit (events.js:314:20)\n at addChunk (_stream_readable.js:297:12)\n at readableAddChunk (_stream_readable.js:272:9)\n at Socket.Readable.push (_stream_readable.js:213:10)\n at TCP.onStreamRead (internal/stream_base_commons.js:188:23)",
Apr 16 15:53:25 tube-lokad peertube[2618]: "message": "no pg_hba.conf entry for host \"40.127.111.54\", user \"lokad\", database \"peertube\", SSL off",
Apr 16 15:53:25 tube-lokad peertube[2618]: "name": "SequelizeConnectionError",
Apr 16 15:53:25 tube-lokad peertube[2618]: "parent": {
Apr 16 15:53:25 tube-lokad peertube[2618]: "stack": "error: no pg_hba.conf entry for host \"40.127.111.54\", user \"lokad\", database \"peertube\", SSL off\n at Parser.parseErrorMessage (/var/www/peertube/versions/peertube-v3.1.0/node_modules/pg-protocol/dist/parser.js:278:15)\n at Parser.handlePacket (/var/www/peertube/versions/peertube-v3.1.0/node_modules/pg-protocol/dist/parser.js:126:29)\n at Parser.parse (/var/www/peertube/versions/peertube-v3.1.0/node_modules/pg-protocol/dist/parser.js:39:38)\n at Socket.<anonymous> (/var/www/peertube/versions/peertube-v3.1.0/node_modules/pg-protocol/dist/index.js:10:42)\n at Socket.emit (events.js:314:20)\n at addChunk (_stream_readable.js:297:12)\n at readableAddChunk (_stream_readable.js:272:9)\n at Socket.Readable.push (_stream_readable.js:213:10)\n at TCP.onStreamRead (internal/stream_base_commons.js:188:23)",
Apr 16 15:53:25 tube-lokad peertube[2618]: "message": "no pg_hba.conf entry for host \"40.127.111.54\", user \"lokad\", database \"peertube\", SSL off",
Apr 16 15:53:25 tube-lokad peertube[2618]: "length": 152,
Apr 16 15:53:25 tube-lokad peertube[2618]: "name": "error",
Apr 16 15:53:25 tube-lokad peertube[2618]: "severity": "FATAL",
Apr 16 15:53:25 tube-lokad peertube[2618]: "code": "28000",
Apr 16 15:53:25 tube-lokad peertube[2618]: "file": "auth.c",
Apr 16 15:53:25 tube-lokad peertube[2618]: "line": "502",
Apr 16 15:53:25 tube-lokad peertube[2618]: "routine": "ClientAuthentication"
Apr 16 15:53:25 tube-lokad peertube[2618]: }
Apr 16 15:53:25 tube-lokad peertube[2618]: }
Apr 16 15:53:25 tube-lokad peertube[2618]: }
Apr 16 15:53:25 tube-lokad peertube[2618]: npm ERR! code ELIFECYCLE
Apr 16 15:53:25 tube-lokad peertube[2618]: npm ERR! errno 255
Apr 16 15:53:25 tube-lokad peertube[2618]: npm ERR! peertube@3.1.0 start:node dist/server
Apr 16 15:53:25 tube-lokad peertube[2618]: npm ERR! Exit status 255
Apr 16 15:53:25 tube-lokad peertube[2618]: npm ERR!
Apr 16 15:53:25 tube-lokad peertube[2618]: npm ERR! Failed at the peertube@3.1.0 start script.
Apr 16 15:53:25 tube-lokad peertube[2618]: npm ERR! This is probably not a problem with npm. There is likely additional logging output above.

Hi,

Edit directly peertube-latest/dist/server/initializers/database.js to have something like:

let dialectOptions = {};
if (config_1.CONFIG.DATABASE.SSL) {
    dialectOptions = {
        ssl: {
            rejectUnauthorized: false
        }
    };
}
const sequelizeTypescript = new sequelize_typescript_1.Sequelize({
    database: dbname,
    dialect: 'postgres',
    dialectOptions,
    host,
    port,
    username,
    password,
    pool: {
        max: poolMax
    },
    benchmark: core_utils_1.isTestInstance(),
    isolationLevel: sequelize_1.Transaction.ISOLATION_LEVELS.SERIALIZABLE,
    logging: (message, benchmark) => {
        if (process.env.NODE_DB_LOG === 'false')
            return;
        let newMessage = 'Executed SQL request';
        if (core_utils_1.isTestInstance() === true && benchmark !== undefined) {
            newMessage += ' in ' + benchmark + 'ms';
        }
        logger_1.logger.debug(newMessage, { sql: message });
    }
});
  • Add dialectOptions + the if (config_1.CONFIG.DATABASE.SSL) {
  • Remove ssl option from new sequelize_typescript_1.Sequelize({
  • Add dialectOptions in new sequelize_typescript_1.Sequelize({ options
1 Like

Thanks a lot! This seems to be working. Also, in the end, I did opt for an unencrypted PSQL connection with strong IP restriction on the DB side. It’s probably safer to keep the upgrade path as clean as possible for the PeerTube instance itself.

Best regards,
Joannes Vermorel

But that means that data are unencrypted on the network? Do you trust the network?
A malicious person could read or modify data.

If you don’t want to fix PeerTube, you could at least use SSH tunnelling to transmit data.

The network is trusted. Thanks!