database - QuestDB Enterprise and CA Roots - Stack Overflow

We are trying to connect to QuestDB via HTTPS ILP and the certificate is not accepted.

I have investigated it a bit and the problem seems to be the following: the questdb-rs crate depends on ureq for HTTP/HTTPS and ureq is using webpki-root, which in turn contains a hard-coded set of CA roots.

In principle, it is possible to pass a feature tag to ureq called native-certs which should make it use CA roots provided with the OS. However, even if I set the tls-native-certs feature on the questdb-rs crate, it does not enable native certificates.

As a result, we cannot use HTTPS ILP with QuestDB Enterprise using our own CA.

The same problem likely exists if we try to use HTTPS ILP via the Python API as, as far as I remember, it is built on top of questdb-rs.

What would you recommend?

asked Jan 29 at 18:45 by Javier Ramirez

1 Answer

You might be tempted to disable verification by passing ;tls_verify=unsafe_off on the connection string, but of course that's a very bad idea and I would only recommend it for testing on a development environment with a self-signed certificate.

What we can do instead is use the tls_ca parameter, which has multiple values. If we want to accept both the webpki-root plus whatever we have on the OS, we can just pass tls_ca=webpki_and_os_roots and it will work.

In the docs there are also options to support only either of the CA roots, or even to point to a PEM file.
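
As an added example (not part of the original answer and not QuestDB's own code), here is a small Rust check that a deployment pipeline could run over client configuration strings to reject tls_verify=unsafe_off and confirm that a tls_ca choice is present. It assumes the schema::key=value; layout of the connection string discussed above; the `audit` function and `Finding` type are hypothetical names.

```rust
// Added example: audit QuestDB client configuration strings for TLS trust settings.
// Assumes the "<schema>::key=value;key=value;" layout; names here are hypothetical.

#[derive(Debug, PartialEq)]
pub enum Finding {
    TrustStore(String), // https, verification on, explicit tls_ca value
    VerificationOff,    // tls_verify=unsafe_off: server certificate is not checked
    NoTlsCa,            // https without tls_ca: per the question, a private CA is rejected
    NotHttps,           // schema is not https
    Malformed,          // not parseable as schema::key=value;...
}

pub fn audit(conf: &str) -> Finding {
    let Some((schema, rest)) = conf.trim().split_once("::") else {
        return Finding::Malformed;
    };
    let mut tls_ca: Option<String> = None;
    let mut verify_off = false;
    for pair in rest.split(';').map(str::trim).filter(|p| !p.is_empty()) {
        let Some((key, value)) = pair.split_once('=') else {
            return Finding::Malformed;
        };
        match (key.trim(), value.trim()) {
            ("tls_verify", "unsafe_off") => verify_off = true,
            ("tls_ca", v) => tls_ca = Some(v.to_string()),
            _ => {}
        }
    }
    if schema != "https" {
        return Finding::NotHttps;
    }
    // Disabled verification outranks any tls_ca setting: the trust store is moot.
    match (verify_off, tls_ca) {
        (true, _) => Finding::VerificationOff,
        (false, Some(ca)) => Finding::TrustStore(ca),
        (false, None) => Finding::NoTlsCa,
    }
}

fn main() {
    // Constructed sample strings, not taken from a real deployment.
    let samples = [
        "https::addr=questdb.example.internal:9000;tls_ca=webpki_and_os_roots;",
        "https::addr=questdb.example.internal:9000;tls_verify=unsafe_off;",
        "https::addr=questdb.example.internal:9000;",
    ];
    for s in samples {
        println!("{:?} <- {}", audit(s), s);
    }
}
```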
