Sync service 12.0.1 fails to connect to the database with {:case_clause, :undefined} error #1395

Closed
alco opened this issue Jun 21, 2024 · 2 comments · Fixed by #1396

alco commented Jun 21, 2024

Full server log when trying to run electricsql/electric:0.12.1 on DO with DO's managed Postgres:

```
[2024-06-20 14:37:24] 14:37:24.179 pid=<0.3055.0> [info] Starting ElectricSQL 0.12.1 in direct_writes mode.
[2024-06-20 14:37:24] 14:37:24.193 pid=<0.3056.0> [info] Running Electric.Plug.Router with Bandit 1.5.3 at :::5133 (http)
[2024-06-20 14:37:24] ▓ ┌────────────────────────┐
[2024-06-20 14:37:24] ▓ │  INITIALISATION ERROR  │
[2024-06-20 14:37:24] ▓ ┕━━━━━━━━━━━━━━━━━━━━━━━━┙
[2024-06-20 14:37:24] ▓ 
[2024-06-20 14:37:24] ▓ Failed to start child Electric.Replication.PostgresConnectorMng:
[2024-06-20 14:37:24] ▓   {{:case_clause, :undefined}, [{Electric.Replication.PostgresConnectorMng, :get_verify_peer_opts, 0, [file: ~c"lib/electric/replication/postgres_manager.ex", line: 358]}, {Electric.Replication.PostgresConnectorMng, :maybe_verify_peer, 1, [file: ~c"lib/electric/replication/postgres_manager.ex", line: 350]}, {Keyword, :update!, 4, [file: ~c"lib/keyword.ex", line: 1144]}, {Keyword, :update!, 4, [file: ~c"lib/keyword.ex", line: 1148]}, {Electric.Replication.PostgresConnectorMng, :update_connector_config, 2, [file: ~c"lib/electric/replication/postgres_manager.ex", line: 119]}, {Electric.Replication.PostgresConnectorMng, :init, 1, [file: ~c"lib/electric/replication/postgres_manager.ex", line: 94]}, {:gen_server, :init_it, 2, [file: ~c"gen_server.erl", line: 2057]}, {:gen_server, :init_it, 6, [file: ~c"gen_server.erl", line: 2012]}]}
[2024-06-20 14:37:24] ▓ 
[2024-06-20 14:37:24] ▓ Please file a new issue on GitHub[1], including the contents of this error.
[2024-06-20 14:37:24] ▓ 
[2024-06-20 14:37:24] ▓ [1]: https://github.com/electric-sql/electric/issues
[2024-06-20 14:37:24] 
[2024-06-20 14:37:24] ••• Shutting down •••
[2024-06-20 14:37:24] 
[2024-06-20 14:37:24] [os_mon] memory supervisor port (memsup): Erlang has closed
[2024-06-20 14:37:24] [os_mon] cpu supervisor port (cpu_sup): Erlang has closed
```
alco self-assigned this Jun 21, 2024
alco added the bug label Jun 21, 2024

alco commented Jun 21, 2024

This is caused by an issue in Erlang. It was introduced in OTP 26.2. Electric's sync service had been using OTP 25.x up until version 0.12.1, in which we upgraded to OTP 27.0.

alco added a commit that referenced this issue Jun 21, 2024
Since OTP 26, the default for SSL connections has changed from
verify_none to verify_peer. We cannot use the latter because in practice
some popular hosts appear to have certificate chain problems.

Note that connecting with psql using sslmode=require is equivalent to
using verify_none with Erlang SSL.

Fix #1395.
alco added a commit that referenced this issue Jun 24, 2024
When we upgraded the sync service to OTP 27.0, we missed the changed
default from `verify_none` to `verify_peer` in SSL connections.

We now explicitly set `verify` to `verify_none` because it's currently
the only way to ensure encrypted connections work even when a faulty
certificate chain is presented by the PG host. This behaviour matches
that of `psql <DATABASE_URL>?sslmode=require`.

Here's an example of connecting to DigitalOcean's Managed PostgreSQL to
illustrate the point:
```
$ psql 'postgresql://...?sslmode=require'
Null display is "∅".
Output format is aligned.
Expanded display is used automatically.
Line style is unicode.
Border style is 1.
psql (16.1, server 16.3)
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, compression: off)
Type "help" for help.

[db-postgresql-do-user-13160360-0] doadmin:defaultdb=> \q
```
```
$ psql 'postgresql://...?sslmode=verify-full'
psql: error: connection to server at "***.db.ondigitalocean.com" (167.99.250.38), port 25060 failed: root certificate file "/home/alco/.postgresql/root.crt" does not exist
Either provide the file, use the system's trusted roots with sslrootcert=system, or change sslmode to disable server certificate verification.

$ psql 'sslrootcert=system sslmode=verify-full host=***.db.ondigitalocean.com ...'
psql: error: connection to server at "***.db.ondigitalocean.com" (167.99.250.38), port 25060 failed: SSL error: certificate verify failed
```

```
$ openssl s_client -starttls postgres -showcerts -connect ***.db.ondigitalocean.com:25060 -CApath /etc/ssl/certs/
[...]
SSL handshake has read 3990 bytes and written 885 bytes
Verification error: self-signed certificate in certificate chain
```
Fix #1395.
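
As an added example (not part of this issue or of Electric's code base): the two verification modes compared in the commit message above, expressed as Erlang `:ssl` client options and exercised over PostgreSQL's in-band SSLRequest negotiation. The module name, function names and the `:require` / `:verify_full` mode atoms are assumptions chosen to mirror psql's `sslmode` values.

```elixir
# Added illustration, not Electric's code. Module, function and mode names
# are assumptions; the modes mirror psql's sslmode values.
defmodule SslModeExample do
  # Encrypt only. Since OTP 26 this has to be explicit, because the client
  # default is now :verify_peer.
  def ssl_opts(:require, _host), do: [verify: :verify_none]

  # Encrypt and authenticate the server against the OS trust store.
  def ssl_opts(:verify_full, host) do
    [
      verify: :verify_peer,
      cacerts: :public_key.cacerts_get(),
      # :ssl expects a charlist; used for SNI and the hostname check.
      server_name_indication: String.to_charlist(host),
      customize_hostname_check: [
        match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
      ]
    ]
  end

  # PostgreSQL negotiates TLS in-band: the client sends an 8-byte SSLRequest
  # and the server answers "S" (proceed) or "N" (TLS not available).
  @ssl_request <<8::32, 80_877_103::32>>

  # Returns :ok if the handshake succeeds under the given mode.
  def probe(host, port, mode, timeout \\ 5_000) do
    {:ok, _} = Application.ensure_all_started(:ssl)
    tcp_opts = [:binary, active: false]

    with {:ok, tcp} <- :gen_tcp.connect(String.to_charlist(host), port, tcp_opts, timeout),
         :ok <- :gen_tcp.send(tcp, @ssl_request),
         {:ok, "S"} <- :gen_tcp.recv(tcp, 1, timeout),
         {:ok, tls} <- :ssl.connect(tcp, ssl_opts(mode, host), timeout) do
      :ssl.close(tls)
    else
      {:ok, "N"} -> {:error, :ssl_not_supported}
      {:error, reason} -> {:error, reason}
      other -> {:error, other}
    end
  end
end
```

With `:require` the session is encrypted but the server's identity is not checked; with `:verify_full`, `probe/3` returns `{:error, reason}` when the presented chain or hostname does not validate.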