pgadmin 8.13 does not accept AWS DB SSL certificate anymore with verify-full - SSL ERROR #8215

Closed
nigzak opened this issue Dec 2, 2024 · 3 comments
nigzak commented Dec 2, 2024

Describe the bug

After updating to 8.13, connecting to the database with SSL verify-full on AWS PostgreSQL is not possible anymore
image

Downgrading to 8.12 again brought it back to work, so it is some change in 8.13 which kills it

To Reproduce

Steps to reproduce the behavior:
1. create AWS DB with SSL ON
2. download SSL certificate https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html => Any commercial AWS Region file .p7b
3. convert to .cer via `openssl pkcs7 -print_certs -in global-bundle.p7b -out global-bundle.cer`
4. open pgadmin, use this certificate as root-ca and SSL = verify_full

Expected behavior

connection works as before

Error message

refer image up => SSL ERROR

Screenshots

refer up for screenshot

Desktop (please complete the following information):

  • Docker version 8.13 from dockerhub on dpage/pgadmin4

Additional context

Maybe pgadmin does not trust the certificate chain - which was no issue in the past.
If the update now requires supporting the full chain, it may be VERY VERY helpful to have a short doc on how to add it without getting into this problem - or to have an option to turn chain-checking for this thing off - mostly the chain will not really be validate-able (?)

Also I DON'T WANT to disable SSL on the connection, this means the connection between pgadmin pod and database would be not SSL and be "readable" ... disabling this in the connector does not really make sense to me

HINT: also checked the changelog, to me there seems no SSL change planned (?)
https://www.pgadmin.org/docs/pgadmin4/development/release_notes_8_13.html

image

@nigzak nigzak added the Bug label Dec 2, 2024
@nigzak nigzak changed the title from "pgadmin 8.14 does not accept AWS SSL certificate anymore with verify-full - SSL ERROR" to "pgadmin 8.13 does not accept AWS SSL certificate anymore with verify-full - SSL ERROR" Dec 2, 2024
@nigzak nigzak changed the title from "pgadmin 8.13 does not accept AWS SSL certificate anymore with verify-full - SSL ERROR" to "pgadmin 8.13 does not accept AWS DB SSL certificate anymore with verify-full - SSL ERROR" Dec 2, 2024
@yogeshmahajan-1903
Contributor

@nigzak
Can you please share the screenshot for server properties > parameters? Are you passing value/file for root certificate parameter? If yes, does the root certificate exist?
Can you please check whether the root certificate exists at the ~/.postgresql location?
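
To answer the question above about the root certificate parameter and `~/.postgresql` from inside the container, the following added example (not part of the original comment and not pgAdmin code) resolves which root CA file libpq consults for `verify-ca`/`verify-full` and checks that it holds at least one PEM certificate. The function names are hypothetical, and the check only counts PEM blocks; it does not validate the chain.

```shell
#!/bin/sh
# Added diagnostic sketch, not pgAdmin code; function names are hypothetical.

# Resolve the root CA file libpq consults: the sslrootcert connection
# parameter wins, then PGSSLROOTCERT, then ~/.postgresql/root.crt.
effective_root_cert() {
    if [ -n "${1:-}" ]; then
        printf '%s\n' "$1"
    elif [ -n "${PGSSLROOTCERT:-}" ]; then
        printf '%s\n' "$PGSSLROOTCERT"
    else
        printf '%s\n' "${HOME}/.postgresql/root.crt"
    fi
}

# Count PEM certificate blocks in a bundle. The output of
# `openssl pkcs7 -print_certs` also carries subject=/issuer= lines;
# they sit outside the BEGIN/END markers and are not counted.
count_pem_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# Classify the trust-anchor setup for an sslmode ($1) and sslrootcert ($2).
# Prints: not-required | system-store | missing:<path> | empty:<path> | ok:<n>:<path>
check_root_cert() {
    case "$1" in
        verify-ca|verify-full) ;;
        *) echo "not-required"; return 0 ;;  # other modes need no root file
    esac
    # sslrootcert=system (libpq 16 and later) uses the OS trust store.
    if [ "${2:-}" = "system" ]; then echo "system-store"; return 0; fi
    path=$(effective_root_cert "${2:-}")
    if [ ! -r "$path" ]; then echo "missing:$path"; return 1; fi
    n=$(count_pem_certs "$path")
    if [ "$n" -eq 0 ]; then echo "empty:$path"; return 2; fi
    echo "ok:$n:$path"
}

# Stand-alone use: sh script.sh <sslmode> [sslrootcert]
if [ "$#" -ge 1 ]; then check_root_cert "$@"; fi
```

A `missing:` result for the default path means the server definition passes no root certificate and nothing exists under `~/.postgresql` for the user the process runs as.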

@nigzak
Author

nigzak commented Dec 2, 2024

here the connection parameter (currently connected via version 8.12 - 8.13 does not work like this)
image

also the storage manager - file is there
image

HINT: these two lines with crt/pem client certificate were not added by me, that is from the original setup where also pgadmin had a separate page for SSL configurations - all appeared on the migration and I did not touch it

image

As written - it currently works with 8.12 without any issue, updating to 8.13 kills it - downgrade makes it work again. I don't think it is because of missing files from my side - then it should also not work with 8.12 or? The config is on an EFS persistent filesystem attached

I am also sorry for your question about the .postgresql file - I am using the docker image plain from dockerhub and add only configurations like OAUTH - I am not touching any file inside - so it is exactly the image you can also see in dockerhub. If you let me know what you especially want and how to get I can also check?

for your reference the deployment yaml (it's a template with placeholders)

```yaml
# StatefulSet running the stock dpage/pgadmin4 image
apiVersion: apps/v1
kind: StatefulSet
metadata:
 name: pgadmin
spec:
 serviceName: pgadmin-service
 podManagementPolicy: Parallel
 replicas: 1
 updateStrategy:
   type: RollingUpdate
 selector:
   matchLabels:
     app: pgadmin
 template:
   metadata:
     labels:
       app: pgadmin
   spec:
     terminationGracePeriodSeconds: 10
     containers:
       - name: pgadmin
         image: {{IMAGE_PLACEHOLDER_TEMPLATE}}
         imagePullPolicy: Always
         env:
         - name: PGADMIN_CONFIG_ENHANCED_COOKIE_PROTECTION
           valueFrom:
             configMapKeyRef:
               name: pgadmin-config
               key: ENHANCED_COOKIE_PROTECTION
         - name: PGADMIN_DEFAULT_EMAIL
           valueFrom:
             secretKeyRef:
               name: pgadminadmin
               key: pgadmin-user
         - name: PGADMIN_DEFAULT_PASSWORD
           valueFrom:
             secretKeyRef:
               name: pgadminadmin
               key: pgadmin-password
         - name: PGADMIN_CONFIG_AUTHENTICATION_SOURCES
           valueFrom:
             configMapKeyRef:
               name: pgadmin-config
               key: AUTHENTICATION_SOURCES
         - name: PGADMIN_CONFIG_OAUTH2_AUTO_CREATE_USER
           valueFrom:
             configMapKeyRef:
               name: pgadmin-config
               key: OAUTH2_AUTO_CREATE_USER
         - name: PGADMIN_CONFIG_OAUTH2_CONFIG
           valueFrom:
             secretKeyRef:
               name: pgadminauth
               key: provider
         ports:
         - name: http
           containerPort: 80
           protocol: TCP
         volumeMounts:
         - name: pgadmin-config
           mountPath: /pgadmin4/servers.json
           subPath: servers.json
           readOnly: true
         - name: pgadmin-data
           mountPath: /var/lib/pgadmin
     volumes:
     - name: pgadmin-config
       configMap:
         name: pgadmin-config
     - name: pgadmin-data
       persistentVolumeClaim:
         claimName: efs-pgadmin-claim
---
# ConfigMap providing servers.json and the PGADMIN_CONFIG_* values
apiVersion: v1
kind: ConfigMap
metadata:
 name: pgadmin-config
data:
 servers.json: |
   {
       "Servers": {
         "1": {
           "Name": "XXX",
           "Group": "Servers",
           "Port": REMOVED,
           "Username": "REMOVED",
           "Host": "{{DBHOST}}",
           "SSLMode": "verify-full",
           "MaintenanceDB": "postgres"
         }
       }
   }
 AUTHENTICATION_SOURCES: |
   ['oauth2']
 OAUTH2_AUTO_CREATE_USER: |
   False
 ENHANCED_COOKIE_PROTECTION: |
   False
```

@anilsahoo20
Contributor

Tested and verified on snapshot build: https://www.postgresql.org/ftp/pgadmin/pgadmin4/snapshots/2024-12-06/
Package: pip wheel
Environment: macOS Sonoma 14.7.1

@anilsahoo20 anilsahoo20 moved this from In Testing to ✅ Done in Current Sprint (182) Dec 6, 2024