I try to use deadpool_postgres to access a Postgres database from my Axum web app. I want/need to use a Postgres connection string in URL format to connect, which seems not to be supported by deadpool-postgres. So I have to use the Config object of the underlying tokio_postgres directly.
This worked fine for my local test database, but on the target system (in this case: a DigitalOcean App and hosted Postgres) I use sslmode=require. So I have to setup TLS for my database connection. Here is my code so far:
async fn create_pool(connection_string: &str) -> anyhow::Result<Pool> {
let pg_config = tokio_postgres::Config::from_str(connection_string)?;
let mgr_config = ManagerConfig {
recycling_method: RecyclingMethod::Fast
};
// https://docs.rs/rustls/latest/rustls/#getting-started
let mut root_store = rustls::RootCertStore::empty();
root_store.add_trust_anchors(
webpki_roots::TLS_SERVER_ROOTS
.iter()
.map(|ta| {
rustls::OwnedTrustAnchor::from_subject_spki_name_constraints(
ta.subject,
ta.spki,
ta.name_constraints,
)
})
);
// https://crates.io/crates/tokio-postgres-rustls
let config = rustls::ClientConfig::builder()
.with_safe_defaults()
.with_root_certificates(root_store)
.with_no_client_auth();
let tls = tokio_postgres_rustls::MakeRustlsConnect::new(config);
let mgr = Manager::from_config(pg_config, tls, mgr_config);
Ok(Pool::builder(mgr).max_size(16).build()?)
}
In my logs I see:
Client auth requested but no cert/sigscheme available
Error occurred while creating a new object: error performing TLS handshake: invalid peer certificate: UnknownIssuer
I have basic knowledge about SSL/TLS, but not too deep. I can connect to the hosted database via psql from my local machine, so no special certificate should be required.
Any hint how to get this working would be highly appreciated!