Home Postgresql : SSL certificate error unable to get local issuer certificate
Reply: 1

Postgresql : SSL certificate error unable to get local issuer certificate

Ankit Agrawal
Ankit Agrawal Published in 2017-09-13 18:07:11Z

In PostgreSQL, whenever I execute an API URL with secure connection with query like below

select * 
from http_get('https://url......');

I get an error

SSL certificate problem: unable to get local issuer certificate

For this I have already placed a SSL folder in my azure database installation file at following path

C:\Program Files\PostgreSQL\9.6\ssl\certs

What should I do to get rid of this? Is there any SSL extension available, or do I require configuration changes or any other effort?

Please let me know the possible solutions for it.

user2458080 Reply to 2017-09-13 19:56:17Z

A few questions...

First, are you using this contrib module: https://github.com/pramsey/pgsql-http ?

Is the server that serves https://url....... using a self-signed (or invalid) certificate?

If the answer to those two questions is "yes" then you may not be able to use that contrib module without some modification. I'm not sure how limited your access is to PostgreSQL in Azure, but if you can install your own C-based contrib modules there is some hope...

pgsql-http only exposes certain CURLOPTs (see: https://github.com/pramsey/pgsql-http#curl-options) values which are settable with http_set_curlopt()

For endpoints using self-signed certificates, I expect the CURLOPT you'll want to include support for to ignore SSL errors is CURLOPT_SSL_VERIFYPEER

If there are other issues like SSL/TLS protocol or cipher mismatches, there are other CURLOPTs that can be patched-in, but those also are not available without customization of the contrib module.

I don't think anything in your

C:\Program Files\PostgreSQL\9.6\ssl\certs

folder has any effect on the http_get() functionality.

If you don't want to get your hands dirty compiling and installing custom contrib modules, you can create an issue on the github page of the maintainer and see if it gets picked up.

You might also take a peek at https://github.com/pramsey/pgsql-http#why-this-is-a-bad-idea because the author of the module makes several very good points to consider.

You need to login account before you can post.

About| Privacy statement| Terms of Service| Advertising| Contact us| Help| Sitemap|
Processed in 0.308807 second(s) , Gzip On .

© 2016 Powered by cudou.com design MATCHINFO