I use a PlanetScale serverless database server right now, and my main web server is built on Cloud Run.

https://planetscale.com/docs/concepts/secure-connections

They are forcing SSL/TLS unconditionally. Now, my Cloud Run uses HTTPS. I have also registered a domain. Can I still use the PlanetScale server?

They tell me to type `mysql --ssl-mode=VERIFY_IDENTITY --ssl-ca=/etc/ssl/certs/ca-certificates.crt` on Linux.

However, it is impossible to connect via SSH to Cloud Run. Are the two products incompatible? No workaround?

I am very weak with this kind of network infrastructure; I only write code and I really need help.

```
Error: Error in connector: Error querying the database: Error querying the database: Error querying the database: Server error: `ERROR HY000 (1105): unknown error: Code: UNAVAILABLE
server does not allow insecure connections, client must use SSL/TLS
```

---EDIT

My backend language is Node.js and it does stuff like below.

.ENV file

```
DATABASE_URL='mysql://xxxxxx:*****@aws-eu-west-1.connect.psdb.cloud/dbName?ssl={"rejectUnauthorized":true}'
```

PRISMA

```
datasource db {
  provider = "mysql"
  url = env("DATABASE_URL")
  referentialIntegrity = "prisma"
}
```

```
await prisma.post.findMany({
  take: 20,
  skip: 0,
  orderBy: { //...do query
```

It works completely fine at localhost:8080; only after uploading to Cloud Run does it get a problem.

dontknowhy
  • How are you trying to connect to the database from Cloud Run? It would be beneficial knowing which language is your server built with, and the command that is attempting to connect to the db. – bhito Oct 26 '22 at 08:14
  • Cloud Run does not support SSH connections to the service. However, that is not related to your issue with SSL client connections to PlanetScale. Edit your question and include the client connection code and client certificate configuration to PlanetScale. – John Hanley Oct 26 '22 at 08:19
  • Your update does not show the usage of SSL client certificates. – John Hanley Oct 26 '22 at 08:32
  • @JohnHanley I thought Cloud Run automatically made SSL stuffs, isn't it?? So my url is now https:// + mydomain. I have https now but I am not sure how to extract real physical file from Cloud Run? – dontknowhy Oct 26 '22 at 09:05
  • The client (web browser) to service (Cloud Run) must be via HTTPS. That is not related to how your Cloud Run service connects to another service (PlanetScale). – John Hanley Oct 26 '22 at 09:14
  • @JohnHanley Please, Could you recommend me how to create the SSL client certificate file? – dontknowhy Oct 26 '22 at 09:21
  • @bhito answer will point you in the right direction. – John Hanley Oct 26 '22 at 09:22
  • The client certificate is downloaded from the server/service. You do not create it. That would be a security vulnerability if you could. – John Hanley Oct 26 '22 at 09:22
  • @JohnHanley downloaded from the server.. Whoo.. that is really difficult.. could you give me the reference url please? // Planetscale team saying me "use ca-certificates" is this possible in Cloud Run case – dontknowhy Oct 26 '22 at 09:28
  • @JohnHanley https://cloud.google.com/certificate-authority-service/docs/create-certificate does it work for my case?? can I use this? – dontknowhy Oct 26 '22 at 09:35
  • You are confusing services. Google does not issue SSL certificates for PlanetScale. – John Hanley Oct 26 '22 at 09:38
  • @JohnHanley https://cloud.google.com/load-balancing/docs/https/setting-up-https-serverless?hl=ko#ssl_certificate_resource this has nothing to do with this? this shows how to create SSL certificate – dontknowhy Oct 26 '22 at 09:46
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/249070/discussion-between-hoapol-and-john-hanley). – dontknowhy Oct 26 '22 at 12:24

1 Answer

In your .env file you need to modify the db url to append the following:

```
&sslcert=/etc/ssl/certs/ca-certificates.crt
```

so it will look like:

```
DATABASE_URL='mysql://xxxxxx:*****@aws-eu-west-1.connect.psdb.cloud/dbName?ssl={"rejectUnauthorized":true}&sslcert=/etc/ssl/certs/ca-certificates.crt'
```

But as you're running your code in Cloud Run, in order for this to work, when you build your Docker image, you need to make sure that the certificate is mounted to /etc/ssl/certs or whatever path you want to use.

bhito
  • In my case, Google Cloud Run automatically created an SSL certificate. In this case, what should I do to receive this file? (When I registered the domain to Cloud Run, there was also a job to link SSL in the middle.) I don't know what to do to download it again as a file. – dontknowhy Oct 26 '22 at 09:00