Provide SSL certificate to PostgreSQL in a Rails app - ruby-on-rails

I have a Rails app on Elastic Beanstalk using an Amazon RDS PostgreSQL instance.
I'd like pg to use SSL to connect to this DB.
Following http://docs.aws.amazon.com/AmazonRDS/[...], I saved rds-combined-ca-bundle.pem at /config/ca/rds.pem and my database.yml looks like this:
production:
  adapter: postgresql
  database: <%= ENV['DB_NAME'] %>
  username: <%= ENV['DB_USERNAME'] %>
  password: <%= ENV['DB_PASSWORD'] %>
  host: <%= ENV['DB_ADDRESS'] %>
  port: <%= ENV['DB_PORT'] %>
  sslmode: 'require'
  sslrootcert: 'config/ca/rds.pem'
But I have no idea if it's really using SSL: I can change sslrootcert path to anything, and my app is still up. What am I missing?

In your database.yml you have to use sslmode: 'verify-full' instead of sslmode: 'require' in order to verify the instance endpoint against the endpoint in the SSL certificate. This way the certificate is used.
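Why the app in the question stays up with any sslrootcert path, and why verify-full changes that, shown as an added example (not code from the question or the answer). It models libpq's documented sslmode behaviour offline; `audit_pg_ssl`, `SSLMODE_GUARANTEES` and `SAMPLE` are hypothetical names, and the sample config is constructed.

```ruby
require "erb"
require "yaml"

# libpq sslmode => [encrypted, CA chain checked, hostname checked]
SSLMODE_GUARANTEES = {
  "disable"     => [false, false, false],
  "allow"       => [false, false, false],
  "prefer"      => [false, false, false], # libpq default, TLS is opportunistic
  "require"     => [true,  false, false],
  "verify-ca"   => [true,  true,  false],
  "verify-full" => [true,  true,  true]
}.freeze

# Audits one environment of a database.yml (ERB is rendered first).
# root: directory that a relative sslrootcert is resolved against; assumed
# to be the app's working directory. With no sslrootcert, libpq's default
# ~/.postgresql/root.crt is checked instead.
def audit_pg_ssl(yaml_text, env, root: Dir.pwd)
  config = YAML.safe_load(ERB.new(yaml_text).result).fetch(env)
  mode = (config["sslmode"] || "prefer").to_s
  encrypted, ca_checked, host_checked = SSLMODE_GUARANTEES.fetch(mode)
  cert = config["sslrootcert"] || File.join(Dir.home, ".postgresql", "root.crt")
  cert_found = File.file?(File.expand_path(cert.to_s, root))

  findings = []
  findings << "sslmode=#{mode}: encryption is not guaranteed" unless encrypted
  if mode == "require"
    # Under require, libpq validates the chain only if the CA file exists;
    # a wrong path is skipped silently, so the app stays up either way.
    findings << "require: CA chain checked, hostname not checked" if cert_found
    findings << "require: server certificate is not verified" unless cert_found
  end
  findings << "sslmode=#{mode}: hostname not checked" if ca_checked && !host_checked
  findings << "sslrootcert not found: #{mode} will refuse to connect" if ca_checked && !cert_found
  findings
end

# Constructed sample mirroring the question's production block.
SAMPLE = <<~CONFIG
  production:
    adapter: postgresql
    host: <%= ENV['DB_ADDRESS'] %>
    sslmode: 'require'
    sslrootcert: 'config/ca/does-not-exist.pem'
CONFIG

puts audit_pg_ssl(SAMPLE, "production") if __FILE__ == $PROGRAM_NAME
```

On a live connection, `ActiveRecord::Base.connection.raw_connection.ssl_in_use?` (pg gem) reports whether TLS was negotiated, but not whether the server certificate was verified.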

Related

Why do I get this error "bad URI(is not URI?)" in puma.stderr.log on my ec2 machine

When I start puma on my ec2 machine, I get this error: bad URI(is not URI?): <%= ENV['DATABASE_URL'] %> (URI::InvalidURIError) because of the database.yml. I don't know why, when I replace the embedded Ruby code of the URL with the real URL, the app works fine.
My database.yml:
default: &default
  adapter: postgresql
  encoding: unicode
  pool: <%= ENV.fetch("RAILS_MAX_THREADS") { 5 } %>
  port: 5432
development:
  <<: *default
  database: <%= ENV['DATABASE_NAME'] %>
  username: <%= ENV['DATABASE_USERNAME'] %>
  password: <%= ENV['DATABASE_PASSWORD'] %>
production:
  <<: *default
  url: <%= ENV['DATABASE_URL'] %>
I use dotenv gem and I load the environment variables from another file out of my project directory.
Also, know that when I open the rails console on my ec2 machine I can connect to the database without any problem.
Can anyone help me with this problem?
I have found the answer in another Stack Overflow question. The problem was that the database.yml was not accepting ERB. So I tried to do what the answer to the previous question said, and it worked fine.

Rails 5.2 credentials:edit doesn't like secret_key_base

I've been trying to debug my credentials file in my staging server. Whenever I try to edit the credentials on my staging server, I get the following error:
/var/www/bundle/ruby/2.5.0/gems/railties-5.2.0/lib/rails/application.rb:583:in `validate_secret_key_base': `secret_key_base` for staging environment must be a type of String`
My database.yml file looks like the following:
---
default: &default
  adapter: postgresql
development:
  <<: *default
  database: dev_db
  host: <%= Rails.application.credentials.database.fetch(:development).fetch(:host) %>
  username: <%= Rails.application.credentials.database.fetch(:development).fetch(:username) %>
  password: <%= Rails.application.credentials.database.fetch(:development).fetch(:password) %>
  secret_key_base: <%= Rails.application.credentials.secret_key_base.fetch(:development) %>
test:
  <<: *default
  database: test_db
  host: <%= Rails.application.credentials.database.fetch(:development).fetch(:host) %>
  username: <%= Rails.application.credentials.database.fetch(:development).fetch(:username) %>
  password: <%= Rails.application.credentials.database.fetch(:development).fetch(:password) %>
  secret_key_base: <%= Rails.application.credentials.secret_key_base.fetch(:development) %>
staging:
  <<: *default
  database: <%= Rails.application.credentials.database.fetch(:staging).fetch(:name) %>
  host: <%= Rails.application.credentials.database.fetch(:staging).fetch(:host) %>
  username: <%= Rails.application.credentials.database.fetch(:staging).fetch(:username) %>
  password: <%= Rails.application.credentials.database.fetch(:staging).fetch(:password) %>
  secret_key_base: <%= Rails.application.credentials.secret_key_base.fetch(:staging) %>
production:
  <<: *default
  database: <%= Rails.application.credentials.database.fetch(:production).fetch(:name) %>
  host: <%= Rails.application.credentials.database.fetch(:production).fetch(:host) %>
  username: <%= Rails.application.credentials.database.fetch(:production).fetch(:username) %>
  password: <%= Rails.application.credentials.database.fetch(:production).fetch(:password) %>
  secret_key_base: <%= Rails.application.credentials.secret_key_base.fetch(:production) %>
I think my staging's secret_key_base is of type String. I generated my secret_key_base using rails secret. Locally, when I bring up the rails console, I can view the secret_key_bases for my staging environment:
[1] pry(main)> Rails.application.credentials.secret_key_base.fetch(:staging)
=> "generated_using_rails_secret"
It returns a string but I still get the error message above whenever I try to access credentials in my staging environment.
I ended up looking at the stack trace and digging into the railties-5.2.0 gem.
Abbreviated stack trace:
ArgumentError: `secret_key_base` for staging environment must be a type of String`
/var/www/bundle/ruby/2.5.0/gems/railties-5.2.0/lib/rails/application.rb:583:in `validate_secret_key_base'
/var/www/bundle/ruby/2.5.0/gems/railties-5.2.0/lib/rails/application.rb:432:in `secret_key_base'
/var/www/bundle/ruby/2.5.0/gems/railties-5.2.0/lib/rails/application.rb:176:in `key_generator'
/var/www/bundle/ruby/2.5.0/gems/railties-5.2.0/lib/rails/application.rb:205:in `message_verifier'
I ended up looking in railties-5.2.0/lib/rails/application.rb:432: and seeing the following bit of code:
# The secret_key_base is used as the input secret to the application's key generator, which in turn
# is used to create all MessageVerifiers/MessageEncryptors, including the ones that sign and encrypt cookies.
#
# In test and development, this is simply derived as a MD5 hash of the application's name.
#
# In all other environments, we look for it first in ENV["SECRET_KEY_BASE"],
# then credentials.secret_key_base, and finally secrets.secret_key_base. For most applications,
# the correct place to store it is in the encrypted credentials file.
def secret_key_base
  if Rails.env.test? || Rails.env.development?
    Digest::MD5.hexdigest self.class.name
  else
    validate_secret_key_base(
      ENV["SECRET_KEY_BASE"] || credentials.secret_key_base || secrets.secret_key_base
    )
  end
end
I had mistakenly thought I could specify a SECRET_KEY_BASE for an individual environment. Instead, I could only specify one secret key base. The secret key base apparently has nothing to do with database.yml. I need to read up on it and what it actually does.
If you run rails credentials:edit from the command line it will decrypt the config/credentials.yml.enc file.
You can then edit this file to add environment based secret keys like you would have previously added to config/secrets.yml.
When you save this file it will be encrypted again with the new information included.
There is no reason to have the "secret_key_base" in your database.yml file as this will not have any impact.
Nice Article on the new Rails credentials
Additionally, just because Rails no longer generates a config/secrets.yml file for you, as of Rails 5.2, adding one will still work appropriately as it has in previous releases.

Having a lot of trouble connecting to Cloud SQL Postgres in rails

I have configured my database.yml file according to this guide but it always comes back with the error:
Error in Compute Engine
PG::ConnectionBad: could not connect to server: No such file or directory
Is the server running locally and accepting
connections on Unix domain socket "/cloudsql/[YOUR_INSTANCE_CONNECTION_NAME]/.s.PGSQL.5432"?
I have whitelisted the network of 0.0.0.0/0 and also tried this guide where you install the cloud sql proxy, but still no luck.
database.yml
production:
  adapter: postgresql
  encoding: unicode
  pool: 5
  timeout: 5000
  database: databse-name
  username: <%= ENV['DATABASE_USERNAME'] %>
  password: <%= ENV['DATABASE_PASSWORD'] %>
  database: <%= ENV['DATABASE'] %>
  host: <%= ENV['DATABASE_HOST'] %>
  sslca: config/ssl/server-ca.pem
  sslcert: config/ssl/client-cert.pem
  sslkey: config/ssl/client-key.pem

Can't connect to PostgreSQL with Rails and Capistrano

I'm trying to deploy my Rails 5 application using Postgres to a VPS via Capistrano. It keeps failing, though - giving me a PG::ConnectionBad: FATAL: password authentication failed for user 'sys_user'.
The relevant settings of my database.yml are:
production:
  <<: *default
  database: <%= ENV['RDS_DB_NAME'] %>
  username: <%= ENV['RDS_USERNAME'] %>
  password: <%= ENV['RDS_PASSWORD'] %>
  host: <%= ENV['RDS_HOSTNAME'] %>
  port: <%= ENV['RDS_PORT'] %>
All these environment variables have been set in /etc/environment - this is definitely the case because it's picking up the RDS_USERNAME as sys_user. The password of the database is the same as the variable RDS_PASSWORD. The port, hostname etc. are all the same also.
I'm stumped. Please help.
Where is the Postgres instance running? I'm guessing that you're trying to migrate an application from Elastic Beanstalk to a non-Amazon host. If that's the case, and your Postgres instance is not actually RDS, you might need to enable password authentication in your config file.
Documentation on Postgres configuration can be found here; I suspect you might need to change ident to md5.

Rails Deploy using Elastic Beanstalk - Can't convert array into string

I'm trying to deploy a Rails app on EC2 using Elastic Beanstalk, but I'm having some trouble. I was able to perform every step needed on my computer following Amazon's tutorial (http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/create_deploy_Ruby_rails.html).
After deploying the app, I keep receiving this Passenger error on my server:
At first I thought this could be somewhat related to my config.yml file, so here is how it is now:
production:
  adapter: mysql2
  encoding: utf8
  database: <%= ENV['RDS_DB_NAME'] %>
  username: <%= ENV['RDS_USERNAME'] %>
  password: <%=['RDS_PASSWORD'] %>
  host: <%= ENV['RDS_HOSTNAME']%>
  port: <%= ENV['RDS_PORT'] %>
Any ideas on why this could be happening?
Your password looks a lot like an array to me. I think you might want password: <%= ENV['RDS_PASSWORD'] %>
