Rails + PostgreSQL SSL decryption failure

I have an app running on my production server that uses the pg gem for talking to a Postgres database. Postgres is running on the default port, and is behind a firewall - so it's not accessible from anything but localhost. I haven't configured Postgres to do anything SSL-related.

I'm accessing the Rails app via SSL, and the certificate is signed for another domain, so the first time you hit it, a certificate error is presented...but that's the only thing SSL-related that's weird.

And yet, I'm seeing this intermittently in my Rails logs (accompanied by a 500 error in the browser when it happens):

Started GET "/admin/pages" for <xxx.xxx.xxx.xxx> at 2012-02-02 01:52:03 -0500
Processing by PagesController#index as HTML
Completed 500 Internal Server Error in 4ms

ActiveRecord::StatementInvalid (PGError: SSL error: decryption failed or bad record mac
: SELECT "pages".* FROM "pages" ):
  app/controllers/pages_controller.rb:36:in `index'

What the hell?

codykrieger asked Feb 02 '12 07:02


2 Answers

If the database is running on localhost only, turn SSL off: it's not really useful to encrypt a local connection. Either set ssl=false in postgresql.conf (and restart the db server) or tell your client not to use SSL while connecting. Some installations configure PostgreSQL to use SSL by default.

araqnid answered Nov 15 '22 19:11


If you look at your PostgreSQL logs you should find the same error. You should note that by default, after installing postgresql you will have the following lines in your postgresql.conf:

ssl = true
ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'

Changing these requires you to restart postgresql, which may not be a good idea on your production system, since it will disrupt your service.

If you prefer to reload postgresql, you can instead make changes to pg_hba.conf by using the hostnossl directive.

Since you're using the pg gem, you can also force your app to connect without ssl, by adding this line to your config/database.yml:

sslmode: disable

In any case, you should probably adjust your postgresql configuration to use proper ssl certificates and not snakeoil, if you're ever going to need an encrypted connection to your database.

pymkin answered Nov 15 '22 21:11
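
Added example, not part of either answer: a small Ruby audit of the settings the answers discuss (the `ssl` flag, the snakeoil certificate paths, and `host`/`hostnossl` records in pg_hba.conf). The function names and the sample file contents, including the 10.0.0.0/8 rule, are constructed for illustration; `hostssl` is the pg_hba.conf record type that only matches SSL connections.

```ruby
require "ipaddr"

# Constructed sample input, mirroring the defaults quoted in the answer.
SAMPLE_CONF = <<~CONF
  ssl = true
  ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
  ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'
CONF
SAMPLE_HBA = <<~HBA
  local  all  all                peer
  host   all  all  127.0.0.1/32  md5
  host   all  all  10.0.0.0/8    md5
HBA

# Parse postgresql.conf text into a Hash ("name = value", '=' optional).
def parse_postgresql_conf(text)
  text.each_line.with_object({}) do |line, conf|
    name, value = line.sub(/#.*/, "").strip.split(/\s*=\s*|\s+/, 2)
    conf[name] = value.delete("'") if name && value
  end
end

# True when a pg_hba.conf address field covers only the local machine.
def loopback_only?(address)
  return true if address == "samehost"
  IPAddr.new(address).loopback?
rescue IPAddr::Error
  false # "all", "samenet" or a host name: treat as remote
end

# Return [severity, message] findings for the two files' contents.
def audit(conf_text, hba_text)
  conf = parse_postgresql_conf(conf_text)
  ssl_on = %w[on true yes 1].include?(conf.fetch("ssl", "off").downcase)
  certs = conf.values_at("ssl_cert_file", "ssl_key_file").compact
  findings = []
  findings << [:warn, "ssl is on with a snakeoil certificate"] if ssl_on && certs.any? { |p| p.include?("snakeoil") }
  hba_text.each_line do |line|
    type, _db, _user, address = line.sub(/#.*/, "").split
    next unless %w[host hostssl hostnossl].include?(type) && address
    if !loopback_only?(address)
      findings << [:high, "#{type} #{address}: plaintext allowed from remote; use hostssl"] unless type == "hostssl"
    elsif type == "host" && ssl_on
      findings << [:info, "host #{address}: local clients may still negotiate SSL"]
    end
  end
  findings
end

audit(SAMPLE_CONF, SAMPLE_HBA).each { |sev, msg| puts "#{sev}: #{msg}" }
```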