LB4 with Loopback-connector-postgresql@5.3.0 causing SSL Error #476

Open
KevinChengYang opened this issue Apr 6, 2021 · 4 comments

@KevinChengYang

KevinChengYang commented Apr 6, 2021

I kept getting the same error in LB4, even using the right syntax below and the right version of loopback-connector-postgresql@5.3.0, after I deployed it to IBM Cloud Kubernetes; it runs without any issues on my local machine.

import {BootMixin} from '@loopback/boot';
import {ApplicationConfig} from '@loopback/core';
import {RepositoryMixin} from '@loopback/repository';
import {RestApplication} from '@loopback/rest';
import {
  RestExplorerBindings,
  RestExplorerComponent
} from '@loopback/rest-explorer';
import {ServiceMixin} from '@loopback/service-proxy';
import fs from 'fs';
import path from 'path';
import {ProductSelectionDataSource} from './datasources';
import {MySequence} from './sequence';
export {ApplicationConfig};

export class ProductSelectionApplication extends BootMixin(
  ServiceMixin(RepositoryMixin(RestApplication)),
) {
  constructor(options: ApplicationConfig = {}) {
    super(options);

    //process.env['NODE_TLS_REJECT_UNAUTHORIZED'] = '0';
    console.log("__dirname: " + __dirname);
    console.log("*********************************************************************************");
    const crtpath = path.join(__dirname, '../private/ca.crt');
    console.log("crtpath:" + crtpath);
    console.log("content of crt:  " + fs.readFileSync(crtpath).toString());

    console.log("*********************************************************************************");
    const keypath = path.join(__dirname, '../private/ca.key');
    console.log("keypath:" + keypath);
    console.log("content of key:  " + fs.readFileSync(keypath).toString());

    console.log("*********************************************************************************");
    var dbcert = process.env.DB_CERT;
    let dbCert = Buffer.from(`${dbcert}`, 'base64');
    console.log("content of dbcert: " + dbCert);

    console.log("*********************************************************************************");

    this.bind('datasources.config.productSelection').to({
      name: 'dbname',
      connector: 'postgresql',
      url: process.env.DB_CONNECTION_STRING,
      ssl: {
        ca: fs.readFileSync(crtpath).toString(),
        key: fs.readFileSync(keypath).toString(),
        cert: dbCert,
        rejectUnauthorized: false,
      },
    });
    this.bind('datasources.productSelection').toClass(ProductSelectionDataSource);

    // Set up the custom sequence
    this.sequence(MySequence);

    // Set up default home page
    this.static('/', path.join(__dirname, '../public'));

    // Customize @loopback/rest-explorer configuration here
    this.configure(RestExplorerBindings.COMPONENT).to({
      path: '/explorer',
    });
    this.component(RestExplorerComponent);

    this.projectRoot = __dirname;
    // Customize @loopback/boot Booter Conventions here
    this.bootOptions = {
      controllers: {
        // Customize ControllerBooter Conventions here
        dirs: ['controllers'],
        extensions: ['.controller.js'],
        nested: true,
      },
    };

  }
}

The error I got:

Node ENV: dev
Server is running at http://127.0.0.1:3000
Try http://127.0.0.1:3000/ping
Connection fails: Error: self signed certificate in certificate chain
It will be retried for the next request.
_tls_wrap.js:1497

Error: self signed certificate in certificate chain
at TLSSocket.onConnectSecure (_tls_wrap.js:1497:34)
at TLSSocket.emit (events.js:315:20)
at TLSSocket._finishInit (_tls_wrap.js:932:8)
at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:706:12)
at TLSWrap.callbackTrampoline (internal/async_hooks.js:131:14)

I tried to use the old version loopback-connector-postgresql@3.9.1, but it seems the latest version of LB4 doesn't like it. The LB4 version list is below:
$ lb4 -v
@loopback/cli version: 2.20.0

@loopback/* dependencies:

  • @loopback/authentication: ^7.1.0
  • @loopback/boot: ^3.3.0
  • @loopback/build: ^6.3.0
  • @loopback/context: ^3.15.0
  • @loopback/core: ^2.15.0
  • @loopback/metadata: ^3.2.0
  • @loopback/openapi-spec-builder: ^3.1.0
  • @loopback/openapi-v3: ^5.2.0
  • @loopback/repository-json-schema: ^3.3.0
  • @loopback/repository: ^3.5.0
  • @loopback/rest: ^9.2.0
  • @loopback/testlab: ^3.3.0
  • @loopback/docs: ^3.23.0
  • @loopback/example-hello-world: ^2.2.0
  • @loopback/example-log-extension: ^2.2.0
  • @loopback/example-rpc-server: ^2.2.0
  • @loopback/example-todo: ^3.10.0
  • @loopback/example-soap-calculator: ^2.5.0
  • @loopback/service-proxy: ^3.1.0
  • @loopback/http-caching-proxy: ^2.2.0
  • @loopback/http-server: ^2.4.0
  • @loopback/example-todo-list: ^3.8.0
  • @loopback/dist-util: ^0.4.0
  • @loopback/rest-explorer: ^3.2.0
  • @loopback/eslint-config: ^10.1.0
  • @loopback/example-express-composition: ^2.6.0
  • @loopback/example-greeter-extension: ^2.2.0
  • @loopback/booter-lb3app: ^2.3.0
  • @loopback/example-lb3-application: ^2.6.0
  • @loopback/example-greeting-app: ^2.3.0
  • @loopback/example-context: ^2.2.0
  • @loopback/repository-tests: ^0.17.0
  • @loopback/health: ^0.7.0
  • @loopback/authorization: ^0.8.0
  • @loopback/rest-crud: ^0.9.0
  • @loopback/security: ^0.4.0
  • @loopback/authentication-passport: ^3.1.0
  • @loopback/example-metrics-prometheus: ^0.5.0
  • @loopback/metrics: ^0.7.0
  • @loopback/model-api-builder: ^2.2.0
  • @loopback/logging: ^0.5.0
  • @loopback/example-access-control-migration: ^2.4.0
  • @loopback/example-file-transfer: ^1.6.0
  • @loopback/example-rest-crud: ^1.8.0
  • @loopback/apiconnect: ^0.6.0
  • @loopback/example-validation-app: ^1.9.0
  • @loopback/cron: ^0.4.0
  • @loopback/example-multi-tenancy: ^0.8.0
  • @loopback/example-passport-login: ^1.10.0
  • @loopback/authentication-jwt: ^0.8.0
  • @loopback/context-explorer: ^0.4.0
  • @loopback/express: ^3.2.0
  • @loopback/example-todo-jwt: ^1.5.0
  • @loopback/mock-oauth2-provider: ^0.2.0
  • @loopback/pooling: ^0.4.0
  • @loopback/typeorm: ^0.3.0
  • @loopback/example-graphql: ^0.2.0
  • @loopback/graphql: ^0.3.0
  • @loopback/filter: ^1.4.0
  • @loopback/rest-msgpack: ^0.4.0
  • @loopback/example-binding-resolution: ^0.2.0
  • @loopback/example-webpack: ^0.3.0
  • @loopback/example-socketio: ^0.2.0
  • @loopback/socketio: ^0.2.0
  • @loopback/monorepo: ^0.2.0
  • @loopback/tsdocs: ^2.5.0

Please advise and thank you so much.

@KevinChengYang KevinChengYang changed the title LB4 with loopback-connector-postgresql@5.3.0 LB4 with Loopback-connector-postgresql@5.3.0 causing SSL Error Apr 6, 2021
@dhmlau
Member

dhmlau commented Apr 8, 2021

Cross posting the answer from @raymondfeng on Slack: https://loopbackio.slack.com/archives/C01177XQN8N/p1617727228152000.

For TLS self-signed, there should be a connector setting that you can set to skip that.
Check the pg npm package to find out what option to set.
We pass connector settings to the underlying driver.

@dhmlau
Member

dhmlau commented Apr 8, 2021

@KevinChengYang, are you good with closing this issue? Thanks.

@KevinChengYang
Author

Hi Diana,

Disabling the TLS warning will compromise the security of this service. I can do that for the dev environment, but it's absolutely not acceptable for the Production environment.

(node:1) Warning: Setting the NODE_TLS_REJECT_UNAUTHORIZED environment variable to '0' makes TLS connections and HTTPS requests insecure by disabling certificate verification.

This defect needs to be fixed as soon as possible.

Thank you.
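
Added example, not part of the issue thread or of LoopBack's own code: one way to build the `ssl` settings for the datasource so that certificate verification stays on and the database's CA is trusted explicitly, instead of setting `rejectUnauthorized: false`. It assumes, as in the post, that `DB_CERT` holds the base64-encoded CA certificate in PEM form; `buildPgSsl` and `tlsFindings` are hypothetical helper names, and the code is plain JavaScript.

```javascript
// Added example: fail-closed TLS settings for the datasource `ssl` block.
// Assumption: DB_CERT is the base64 of the CA certificate(s) in PEM form.
const PEM_CERT = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;
const PEM_KEY = /-----BEGIN [A-Z ]*PRIVATE KEY-----/;

// Returns an object for the `ssl` connector setting. The `ca` and
// `rejectUnauthorized` keys are standard Node.js tls.connect() options.
function buildPgSsl(env) {
  const encoded = (env.DB_CERT || '').trim();
  if (!encoded) {
    // Never start production without an explicit trust anchor.
    if (env.NODE_ENV === 'production') {
      throw new Error('DB_CERT is required in production');
    }
    return {rejectUnauthorized: true}; // verify against the default trust store
  }
  const pem = Buffer.from(encoded, 'base64').toString('utf8');
  if (PEM_KEY.test(pem)) {
    throw new Error('DB_CERT contains a private key; expected CA certificates only');
  }
  const certs = pem.match(PEM_CERT) || [];
  if (certs.length === 0) {
    // Catches an unset or mangled value, e.g. the literal string '{dbcert}'.
    throw new Error('DB_CERT does not decode to a PEM certificate');
  }
  return {ca: certs.join('\n'), rejectUnauthorized: true};
}

// Startup guard: lists settings that switch certificate verification off.
function tlsFindings(dsConfig, env) {
  const findings = [];
  if (env.NODE_TLS_REJECT_UNAUTHORIZED === '0') {
    findings.push('env:NODE_TLS_REJECT_UNAUTHORIZED=0');
  }
  const ssl = dsConfig.ssl;
  if (!ssl) findings.push('ssl:missing');
  else if (ssl.rejectUnauthorized === false) findings.push('ssl:rejectUnauthorized=false');
  return findings;
}

// Intended use with the binding from the post (not executed here):
//   const ssl = buildPgSsl(process.env);
//   this.bind('datasources.config.productSelection').to({..., ssl});
//   if (tlsFindings({ssl}, process.env).length) throw new Error('TLS verification disabled');
```
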

@kwokgordon

Hi Diana,

I am experiencing the same issue as Kevin. Do you have an ETA when this issue will be fixed?

Thank you.

@stale stale bot added the stale label Aug 30, 2021
@achrinza achrinza removed the stale label Aug 30, 2021
@stale stale bot added the stale label Oct 29, 2021
@loopbackio loopbackio deleted a comment from stale bot Oct 29, 2021
@stale stale bot removed the stale label Oct 29, 2021
@loopbackio loopbackio deleted a comment from stale bot Oct 29, 2021