3 days ago
Full error message and stack trace here: [https://gist.github.com/ikkyuzaa/bdac1f57acfac737f0ed003de51a5944]
3 days ago
Why, in the first place, are you using { rejectUnauthorized: true }?
I guess Railway won't provide the CA certificate to individual users! It bypasses the security certificate and makes the system vulnerable to Man-in-the-Middle (MITM) attacks.
Best would be to not disable that attribute
Hello Duchess,
Thank you for your response.
My intention of using rejectUnauthorized: true from the beginning is precisely for security reasons, as I want to ensure my application's connection to the PostgreSQL database is secure and protected against Man-in-the-Middle (MITM) attacks, especially as I'm preparing this project for a production-like environment.
The error "self-signed certificate in certificate chain" arises because Node.js, with rejectUnauthorized: true, does not implicitly trust the certificate provided by Railway's TCP Proxy for the database. This usually means the Root CA that signed the *.up.railway.app certificate is not in Node.js's default trust store.
If Railway does not provide the CA certificate to individual users, could you please advise on the recommended and secure way to connect to a Railway PostgreSQL database from a Node.js application while keeping rejectUnauthorized: true enabled?
Is there an alternative method or specific configuration required to ensure the SSL connection is trusted by Node.js, without compromising security?
Thank you for your guidance.
3 days ago
ikkyuzaa, I guess you are referring to me! But I am not duchess
As I have presented my opinion already, I hope someone tells you the way of doing that (if it's possible).
3 days ago
Hey ikkyuzaa, I am not sure if you are aware that all your services on Railway by default talk to one another on a private network. When you create a DB you get a private endpoint that is only accessible by applications that belong to that project.
You also get a public endpoint but that can be removed by going into Settings -> Public Networking and removing the TCP proxy. This is recommended for production databases as it prevents public connections.
If you have ever used AWS, think of removing the public endpoint as putting it in a private subnet.
I believe sslmode is only recommended for publicly accessible endpoints.