aiji42 / prisma-data-proxy-alt

This is a library to alternate and self-host the Prisma Data Proxy (cloud.prisma.io)

Error opening a TLS connection (unable to get local issuer certificate)

MyNameIsOka opened this issue · comments

commented

Hi,

I followed the documentation and created a docker-compose file with env variables set for the database (Planetscale Tokyo region), prisma schema path, data proxy API key and port.
When running docker compose up, I get the following error:

...
prisma-data-proxy-alt-https-portal-1  | [cont-init.d] done.
prisma-data-proxy-alt-https-portal-1  | [services.d] starting services
prisma-data-proxy-alt-https-portal-1  | [services.d] done.
prisma-data-proxy-alt-data-proxy-1    | [3/4] Linking dependencies...
prisma-data-proxy-alt-data-proxy-1    | [4/4] Building fresh packages...
prisma-data-proxy-alt-data-proxy-1    | success Saved lockfile.
prisma-data-proxy-alt-data-proxy-1    | Done in 19.17s.
prisma-data-proxy-alt-data-proxy-1    | yarn run v1.22.19
prisma-data-proxy-alt-data-proxy-1    | $ /app/node_modules/.bin/pdp
prisma-data-proxy-alt-data-proxy-1    | prisma:info Starting a mysql pool with 9 connections.
prisma-data-proxy-alt-data-proxy-1    | 🔮 Alternative Prisma Data Proxy listening on port 3000
prisma-data-proxy-alt-data-proxy-1    | prisma:info Encountered error during initialization:
prisma-data-proxy-alt-data-proxy-1    | prisma:error 
prisma-data-proxy-alt-data-proxy-1    | Error opening a TLS connection: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:../ssl/statem/statem_clnt.c:1914: (unable to get local issuer certificate)
prisma-data-proxy-alt-data-proxy-1    | /app/node_modules/@prisma/client/runtime/index.js:24071
prisma-data-proxy-alt-data-proxy-1    |                 const err = new PrismaClientInitializationError(json.message, this.clientVersion, json.error_code);
prisma-data-proxy-alt-data-proxy-1    |                             ^
prisma-data-proxy-alt-data-proxy-1    | 
prisma-data-proxy-alt-data-proxy-1    | PrismaClientInitializationError: Error opening a TLS connection: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:../ssl/statem/statem_clnt.c:1914: (unable to get local issuer certificate)
prisma-data-proxy-alt-data-proxy-1    |     at LineStream.<anonymous> (/app/node_modules/@prisma/client/runtime/index.js:24071:29)
prisma-data-proxy-alt-data-proxy-1    |     at LineStream.emit (node:events:513:28)
prisma-data-proxy-alt-data-proxy-1    |     at addChunk (node:internal/streams/readable:324:12)
prisma-data-proxy-alt-data-proxy-1    |     at readableAddChunk (node:internal/streams/readable:297:9)
prisma-data-proxy-alt-data-proxy-1    |     at Readable.push (node:internal/streams/readable:234:10)
prisma-data-proxy-alt-data-proxy-1    |     at LineStream._pushBuffer (/app/node_modules/@prisma/client/runtime/index.js:20137:17)
prisma-data-proxy-alt-data-proxy-1    |     at LineStream._transform (/app/node_modules/@prisma/client/runtime/index.js:20131:8)
prisma-data-proxy-alt-data-proxy-1    |     at Transform._write (node:internal/streams/transform:175:8)
prisma-data-proxy-alt-data-proxy-1    |     at writeOrBuffer (node:internal/streams/writable:392:12)
prisma-data-proxy-alt-data-proxy-1    |     at _write (node:internal/streams/writable:333:10) {
prisma-data-proxy-alt-data-proxy-1    |   clientVersion: '4.2.1',
prisma-data-proxy-alt-data-proxy-1    |   errorCode: 'P1011'
prisma-data-proxy-alt-data-proxy-1    | }
prisma-data-proxy-alt-data-proxy-1    | 
prisma-data-proxy-alt-data-proxy-1    | Node.js v18.7.0
prisma-data-proxy-alt-data-proxy-1    | error Command failed with exit code 1.
prisma-data-proxy-alt-data-proxy-1    | info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.
prisma-data-proxy-alt-data-proxy-1 exited with code 1

Do you happen to know the reason for that error?
I don't really understand what is meant by (unable to get local issuer certificate). Should that be on my local machine, in Docker or is that something on the Planetscale side? How do I create that?

I am on Mac OS Monterey 12.5

I would appreciate your help a lot!

Regards,
Oka

Hey @MyNameIsOka, thanks for using this library.

The problem you are facing is not caused by this library. The cause is that you have not specified the path of the certificate in your Docker component.

There are two solutions.

  • Specify accept_invalid_certs for sslaccept in your DATABASE_URL
    • mysql://xxxxxx:zzzzz.psdb.cloud/database-name?sslaccept=accept_invalid_certs
    • However, this is not desirable in production.
  • Specify a relative path for certificates in sslcert
    • mysql://xxxxxx:zzzzz.psdb.cloud/database-name?sslaccept=strict&sslcert=<path to sslcert>
    • For more information, please click here.

Please check Prisma's documentation for these solutions.
https://www.prisma.io/docs/concepts/database-connectors/mysql

commented

Thank you for your quick response!
Adding the certificate from my local Mac machine to the Docker container worked, but is that the correct way? Should I create new certificates and place them in the Docker container?

I think the quickest way is to install ca-certificates.

If you are on a Debian system, you can use apt-get update && apt-get install -y ca-certificates && update-ca-certificates. The certificate is at this path: /etc/ssl/certs/ca-certificates.crt

If you are on an Alpine system, you can use apk update && apk add ca-certificates && update-ca-certificates. The certificate is at this path: /etc/ssl/cert.pem.

But I am not an expert in this sort of thing, so I don't know if this is best practice or not.
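The two replies above (the sslaccept/sslcert options and the CA bundle paths) can be turned into a startup check. This is an added example, not code from the thread or from prisma-data-proxy-alt; the function name `auditDatabaseUrl`, the injected `fileExists` callback, the `strict` default for a missing sslaccept and the sample URL are assumptions made for illustration.

```javascript
// Added example (not from the thread): audit TLS settings in a Prisma MySQL URL.
// CA bundle paths named in the thread: Debian first, then Alpine.
const CA_BUNDLES = ['/etc/ssl/certs/ca-certificates.crt', '/etc/ssl/cert.pem'];

// fileExists is injected so the audit runs offline; in the container pass
// fs.existsSync (resolving a relative sslcert path first is the caller's job).
function auditDatabaseUrl(databaseUrl, fileExists) {
  const params = new URL(databaseUrl).searchParams;
  const sslaccept = params.get('sslaccept') || 'strict'; // assumed default: strict
  const sslcert = params.get('sslcert');
  const findings = [];
  let suggestedSslcert = null;

  if (sslaccept === 'accept_invalid_certs') {
    // Connection is encrypted but the server is never authenticated.
    findings.push({ level: 'error', msg: 'sslaccept=accept_invalid_certs: server certificate is not verified' });
  } else if (sslaccept !== 'strict') {
    findings.push({ level: 'error', msg: `unrecognised sslaccept value: ${sslaccept}` });
  } else if (sslcert) {
    // Verification is on and a certificate path is configured: it must exist.
    if (!fileExists(sslcert)) findings.push({ level: 'error', msg: `sslcert not found: ${sslcert}` });
  } else {
    // Verification is on but no path is given: look for an installed bundle.
    suggestedSslcert = CA_BUNDLES.find((p) => fileExists(p)) || null;
    findings.push(suggestedSslcert
      ? { level: 'warn', msg: `no sslcert set; CA bundle present at ${suggestedSslcert}` }
      : { level: 'error', msg: 'no sslcert and no CA bundle; install ca-certificates' });
  }
  const ok = !findings.some((f) => f.level === 'error');
  return { sslaccept, sslcert, suggestedSslcert, ok, findings };
}

// Constructed sample: a slim image with no CA bundle and a URL without TLS options.
const slimImage = () => false;
const report = auditDatabaseUrl('mysql://user:secret@db.example.invalid/app', slimImage);
for (const f of report.findings) console.log(`[${f.level}] ${f.msg}`);
```

Run before starting the proxy, a failed audit can stop the container instead of letting the engine fail later with `certificate verify failed`.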

commented

Thank you for your response.
I wonder why those steps are necessary only in my environment. Shouldn't this be available right from the Docker image?

If you have set up a container with bullseye-slim as per the README sample, it is quite natural. This is because the slim series is a lightweight image that bundles only the minimum number of packages.

commented

Ah, I see! Would be good to have a note regarding the certificates in the Readme.

Btw, I successfully started Data Proxy locally in Docker but my local development server can't communicate with it.
I did the same steps as written in the documentation.
The error is:

[0] 18:41:18 E [api.service:REDACTED] fetch user accepted terms error {
[0]   stack: [
[0]     'Error: ',
[0]     'Invalid `prisma.tbl_User.findUnique()` invocation:',
[0]     '',
[0]     '',
[0]     '  Cannot fetch data from service:',
[0]     'fetch failed',
[0]     '    at en.handleRequestError (REDACTED/build/index.js:15076:56)',
[0]     '    at en.request (REDACTED/build/index.js:15065:16)',
[0]     '    at processTicksAndRejections (node:internal/process/task_queues:96:5)',
[0]     '    at t3._request (REDACTED/build/index.js:15565:20)',
[0]     '    at ApiService.getAcceptedTerms (REDACTED/build/index.js:97413:22)',
[0]     '    at loader9 (REDACTED/build/index.js:97500:25)',
[0]     '    at callRouteLoader (REDACTED/build/index.js:16534:14)'
[0]   ]
[0] }

I'd like to help you, but I can't figure out the cause with just this information. Could you share a repository that reproduces this error?

commented

Sorry, it's a private repository which I am not allowed to share.
I tested it with an original connection string from Prisma Data Proxy and it worked there.
I wondered if there is something else like the certificates which I would need to set up?
Sorry for not being able to provide more information :(
And thank you for the support!

I have created a repository connecting planetscale and prisma-data-proxy-alt in a minimal configuration and the connection was resolved without problems. https://github.com/aiji42/pdp-planetscale-sample

Nothing is displayed because the data is empty on the user table, but it seems to be requested correctly. (NODE_TLS_REJECT_UNAUTHORIZED is set to 0 in order to use a self-certificate, so there is a warning but it does not affect the operation.)
Screenshot 2022-08-23 9 21 27

commented

EDIT: Now it's working with my original database, too... No clue, why. Thank you for your support!

TLDR: Creating a new database with the same schema of my current database worked and I got a response via your repo. No idea why, I will look into this now.

Thanks a lot for creating the test repo!
I cloned it, added my Planetscale connection string and my schema.prisma file.
Everything went fine until the database query. There, I got the following error:
Screenshot 2022-08-23 at 09 47 35

So I thought that the error might be my schema.prisma file and I changed the db and client definition according to your example. When I did this, I got an error on prisma push:
Screenshot 2022-08-23 at 09 58 46

I have the following definitions for db and client:

datasource db {
  provider             = "mysql"
  url                  = env("DATABASE_URL")
  referentialIntegrity = "prisma"
}

generator client {
  provider        = "prisma-client-js"
  engineType      = "binary"
  binaryTargets   = ["native", "rhel-openssl-1.0.x", "debian-openssl-1.1.x"]
  previewFeatures = ["referentialIntegrity"]
}

// part of the database definitions with foreign key
model tbl_User {
  id                        String                   @id
  logs                      tbl_Log[]
}

model tbl_Log {
  id             Int      @id @default(autoincrement())
  type           LogType
  message        String?
  createdAt      DateTime
  user           tbl_User @relation(fields: [userId], references: [id], onUpdate: NoAction)
  userId         String

  @@index([userId])
}

enum LogType {
  SUCCESS
  FAILED
}

I then created a new database with the same prisma.schema file and did the steps again and then it worked... I have no clue why, but I will look into it.

I have confirmed that an error occurs when the model name starts with a lowercase letter. I will treat this as a bug and fix it on my end.
As a quick workaround, you can use @@map("real_table_name") to separate the model name from the table name, which will solve this problem.
(Don't forget to re-run prisma generate in the Docker component after the schema modification.)

model User {
  id                        String                   @id
  logs                      Log[]
  @@map("tbl_User")
}

model Log {
  id             Int      @id @default(autoincrement())
  type           LogType
  message        String?
  createdAt      DateTime
  user           User @relation(fields: [userId], references: [id], onUpdate: NoAction)
  userId         String

  @@map("tbl_Log")
  @@index([userId])
}

enum LogType {
  SUCCESS
  FAILED
}

However, the problem with the error on db push is not reproduced by copying your schema. I suggest you contact Prisma or Planetscale for further assistance.

I will close this issue and I will open a new issue for the bug when the model starts with a lowercase letter.