10

I have an app running on my production server that uses the pg gem for talking to a Postgres database. Postgres is running on the default port, and is behind a firewall - so it's not accessible from anything but localhost. I haven't configured Postgres to do anything SSL-related.

I'm accessing the Rails app via SSL, and the certificate is signed for another domain, so the first time you hit it, a certificate error is presented...but that's the only thing SSL-related that's weird.

And yet, I'm seeing this intermittently in my Rails logs (accompanied by a 500 error in the browser when it happens):

Started GET "/admin/pages" for <xxx.xxx.xxx.xxx> at 2012-02-02 01:52:03 -0500
Processing by PagesController#index as HTML
Completed 500 Internal Server Error in 4ms

ActiveRecord::StatementInvalid (PGError: SSL error: decryption failed or bad 
record mac
: SELECT "pages".* FROM "pages" ):
  app/controllers/pages_controller.rb:36:in `index'

What the hell?

2 Answers

12

If the database is running on localhost only, turn SSL off: it's not really useful to encrypt a local connection. Either set ssl=false in postgresql.conf (and restart the db server) or tell your client not to use SSL while connecting. Some installations configure PostgreSQL to use SSL by default.


5 Comments

For the record: I tried fixing this by turning off SSL renegotiation as proposed in other threads, but finally only turning off SSL as stated by araqnid worked for me. Bummer because I wanted to use the database server for remote serving as well :( Let's hope for a patch or an update that fixes this soon.

@JeroenDierckx: you can use "hostnossl" and "hostssl" in the pg_hba.conf file to enable/disable SSL based on IP range, so that your local clients don't use SSL but your remote clients do.

@araqnid Thanks for the tip, very useful! But I expect that the SSL reneg bug will still rear its head when connecting from a remote machine.

That's OK if on localhost. But how can I solve this if I'm not on localhost and I don't have control over the database server?

Thanks! ssl=false in postgresql.conf works well.

2

If you look at your PostgreSQL logs you should find the same error. You should note that by default, after installing postgresql you will have the following lines in your postgresql.conf:

ssl = true
ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'

Changing these requires you to restart postgresql, which may not be a good idea on your production system, since it will disrupt your service.

If you prefer to reload postgresql, you can make changes to the pg_hba.conf instead: by using the hostnossl directive.

Since you're using the pg gem, you can also force your app to connect without ssl, by adding this line to your config/database.yml:

sslmode: disable

In any case, you should probably adjust your postgresql configuration to use proper ssl certificates and not snakeoil, if you're ever going to need an encrypted connection to your database.
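The `hostssl` / `hostnossl` split mentioned in the comments and in the answer above can be checked before reloading PostgreSQL. The following Ruby sketch is an added example, not code from the original posts: it applies pg_hba.conf's first-match rule to a constructed sample file and reports whether a given client address must, may, or must not use SSL. It assumes addresses are written in CIDR form or as `all`, and the database and user names `app` are hypothetical.

```ruby
require 'ipaddr'

# Constructed sample pg_hba.conf (not from the original post): loopback clients
# connect without SSL, the 10.0.0.0/8 range must use SSL, everything else is rejected.
SAMPLE_HBA = <<~HBA
  # TYPE     DATABASE  USER  ADDRESS        METHOD
  local      all       all                  peer
  hostnossl  all       all   127.0.0.1/32   md5
  hostnossl  all       all   ::1/128        md5
  hostssl    all       all   10.0.0.0/8     md5
  host       all       all   all            reject
HBA

HbaRule = Struct.new(:type, :database, :user, :address, :method_name)

# Keep only TCP rules; "local" (Unix socket) lines have no ADDRESS column.
def parse_hba(text)
  text.each_line.map { |l| l.sub(/#.*/, '').split }
      .select { |f| f.size >= 5 && f[0].start_with?('host') }
      .map { |f| HbaRule.new(*f[0, 5]) }
end

def field_match?(field, name)
  field == 'all' || field.split(',').include?(name)
end

# First matching record wins. hostssl matches only SSL attempts and
# hostnossl only non-SSL attempts. 'app' is a hypothetical database/user name.
def hba_match(rules, ip, ssl:, database: 'app', user: 'app')
  client = IPAddr.new(ip)
  rules.find do |r|
    next false if r.type == 'hostssl' && !ssl
    next false if r.type == 'hostnossl' && ssl
    next false unless field_match?(r.database, database) && field_match?(r.user, user)
    r.address == 'all' || IPAddr.new(r.address).include?(client)
  end
end

# Try the client with and without SSL and summarise what pg_hba.conf admits.
def ssl_policy(rules, ip)
  ok = [true, false].map do |ssl|
    rule = hba_match(rules, ip, ssl: ssl)
    !rule.nil? && rule.method_name != 'reject'
  end
  { [true, true] => :either, [true, false] => :ssl_required,
    [false, true] => :ssl_forbidden, [false, false] => :rejected }[ok]
end
```

A client whose `sslmode` conflicts with the reported policy (for example `sslmode: disable` from an address that resolves to `:ssl_required`) will be refused at authentication time.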
