Shared Pooler certificate expired?

I submitted a support ticket, but response time here might be better. I'm getting timeouts when connecting to the shared pooler (unfortunately I'm still on Vercel, which doesn't support IPv6). The logs in SB show that there's a certificate that's expired, but I'm versed enough on this setup to know if this is a client error, or if it is a Supabase-side issue.
"DbHandler: Handshake error {:tls_alert, {:certificate_expired, 'TLS client: In state wait_cert at ssl_handshake.erl:2094 generated CLIENT ALERT: Fatal - Certificate Expired\\n'}}"
10 Replies
silentworks, 2w ago
How are you connecting to the database? Please show some code here (without your db credentials, that is).
Wookiee (OP), 2w ago
Thanks for checking in on this. This has been working for a long time now with no changes. Here's the db initialization code:
PRIVATE_SUPABASE_DSN is postgresql://postgres.[project_id]:[password]@aws-0-us-west-1.pooler.supabase.com:6543/postgres
```ts
import { PRIVATE_SUPABASE_DSN } from "$env/static/private"
import { PUBLIC_ENVIRONMENT } from "$env/static/public"
import type { DateTime } from "luxon"
import postgres from "postgres"

let debug: boolean | ((connection: number, query: string, parameters: any[], paramTypes: any[]) => void) = false
if (PUBLIC_ENVIRONMENT === "development") {
  debug = (_connection: number, query: string, params: any[], _types: any[]) => {
    if (query.includes("b.oid")) return // internal query from the library to get the types
    const truncatedParams = params.map((p) => {
      if (typeof p === "boolean") return p.toString().toUpperCase()
      if (Array.isArray(p)) return p.map((el) => `'${el}'`).join(",")
      if (typeof p !== "string") return p
      if (p.length < 100) return `'${p}'`
      return `'${p.slice(0, 8)}...${p.slice(-8)}'`
    })
    let replacedQuery = query
      .trim()
      .replace(/\$\d+/g, (m) => truncatedParams[Number(m.slice(1)) - 1])
    if (!replacedQuery.endsWith(";")) replacedQuery += ";"
    replacedQuery = replacedQuery.replace(/^\s*\n/gm, "")
    console.log("[QUERY] ", replacedQuery)
  }
}

const sql = postgres(PRIVATE_SUPABASE_DSN, {
  prepare: false,
  fetch_types: false,
  debug
})

export default sql
```
silentworks, 2w ago
It could be that the version of the postgres library you are importing has updated and has a breaking change in it. I would lock the postgres version down. We haven't had anyone else report a certificate expired error today. The last person who reported this was in July and I can't see any update from that user, nor did they get any help, it seems. You are using the wrong port if you are using Vercel; you should be using port 5432 and not 6543.
Wookiee (OP), 2w ago
You are correct on that port error. I wonder how that has only recently started failing. I wonder if I was hitting a bug that was just recently closed.
Changed the port and still the same error. My copy/paste above is missing the sslmode=require on the DSN. I’ll have to try disabling that next (currently AFK).
Did a little more testing and digging. Changing my DSN to not use SSL doesn't help anything. Digging a bit, it seems like this error is between the connection pooler and the database. I'm still on a PG 15 instance, if that helps in talking with the infra team.
silentworks, 2w ago
This is a user helping user platform and not regularly monitored by the Supabase staff.
Wookiee (OP), 2w ago
Ah, I saw the SUPA badge next to your name and made an assumption.
silentworks, 2w ago
Oh, that's just a Discord server tag that anyone on this server can add to their name.
Wookiee (OP), 2w ago
Ha. Nonetheless, I appreciate the help. It is definitely a cert issue on their end. I finally remembered that I can determine whether to enforce SSL for the DB via the Supabase admin, and if I toggle that OFF then my connections are OK. So, either Supa or Vercel needs to update a cert package.
silentworks, 2w ago
If you think it's a Supabase issue then you should open a support ticket https://supabase.com/dashboard/support/new
Wookiee (OP), 2w ago
Already have. This was my 2nd avenue of support.
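
Added example, not part of the thread or of Supabase's code: a Node.js probe that performs the Postgres in-band TLS upgrade and reports the validity window of every certificate the endpoint presents to a client. It only inspects the client-facing leg; if every certificate it reports is valid, the expiry is not on the leg the client sees, which is consistent with the OP's reading that the failure sits between the pooler and the database. The function names and the 14-day warning threshold are assumptions.

```javascript
// Postgres negotiates TLS in-band: the client sends an 8-byte SSLRequest,
// the server answers 'S' (proceed) or 'N' (no TLS), then the handshake starts.
const SSL_REQUEST_CODE = 80877103; // (1234 << 16) | 5679 in the wire protocol

function buildSslRequest() {
  const buf = Buffer.alloc(8);
  buf.writeInt32BE(8, 0);                // message length, including itself
  buf.writeInt32BE(SSL_REQUEST_CODE, 4); // SSLRequest code
  return buf;
}

// Classify a certificate's validity window against `now`.
// The 14-day "expiring_soon" threshold is an assumption for this example.
function certStatus(cert, now = new Date()) {
  const notBefore = new Date(cert.valid_from);
  const notAfter = new Date(cert.valid_to);
  const daysLeft = Math.floor((notAfter - now) / 86400000);
  if (now < notBefore) return { state: "not_yet_valid", daysLeft };
  if (now > notAfter) return { state: "expired", daysLeft };
  return { state: daysLeft < 14 ? "expiring_soon" : "valid", daysLeft };
}

// Connect, upgrade to TLS, and report each certificate in the presented chain.
async function probe(host, port) {
  const net = await import("node:net");
  const tls = await import("node:tls");
  const raw = net.connect({ host, port });
  await new Promise((ok, fail) => raw.once("connect", ok).once("error", fail));
  raw.write(buildSslRequest());
  const reply = await new Promise((ok) => raw.once("data", ok));
  if (reply[0] !== 0x53) throw new Error("server refused TLS (replied 'N')");
  // Diagnostic only: verification is off so an expired cert can still be read.
  const sock = tls.connect({ socket: raw, servername: host, rejectUnauthorized: false });
  await new Promise((ok, fail) => sock.once("secureConnect", ok).once("error", fail));
  const report = [];
  const seen = new Set(); // a self-signed root lists itself as its own issuer
  let c = sock.getPeerCertificate(true);
  while (c && c.raw && !seen.has(c.fingerprint256)) {
    seen.add(c.fingerprint256);
    report.push({ subject: c.subject && c.subject.CN, ...certStatus(c) });
    c = c.issuerCertificate;
  }
  sock.destroy();
  return report;
}
// Usage: probe("<pooler-host>", 5432).then(console.table)
```

Keep `rejectUnauthorized: false` confined to this probe; the application connection should continue to verify the server certificate.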
