adds DATABASE_SSL_KEY_BASE64 for pg connection

[Jaredude]

DATABASE_SSL_KEY_BASE64 takes priority over DATABASE_SSL env var

If neither are provided, no ssl value will be used. This allows for the usage of PGSSLMODE

for example, using either of these two will establish a secure connection to the Postgres server
DATABASE_SSL=true
PGSSLMODE=verify-full

Using the following will override the above and allow you to pass your self-signed certificate to create a secure connection
DATABASE_SSL_KEY_BASE64=

Using neither of the flags allows using the unsafe/not recommended PGSSLMODE=no-verify

Addresses issue #1598

[HenryHengZJ]

awesome this looks good! thanks man @Jaredude !

[dkindlund]

Looking forward to using this new feature, once the PR is merged! 👍 Thanks again, @Jaredude!

[inno-elon]

how do you obtain the Postgres SSL certificate encoded in base64? I can't get SSL to work with Postgres

[dkindlund]

how do you obtain the Postgres SSL certificate encoded in base64? I can't get SSL to work with Postgres

Hey @inno-elon , you can use a tool like openssl to extract the X.509 SSL/TLS certificate from your Postgres server. The format is this:

openssl s_client -showcerts <DATABASE_IP>:5432

In that initial output, you should see base64 text returned from the server wrapped in a -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- block. You want to copy that entire block of text (including the BEGIN/END lines) and set that as your DATABASE_SSL_KEY_BASE64 value, accordingly.

[harvetech]

btw is this even a valif falg PGSSLMODE=no-verify ? I don't see this as an option here https://www.postgresql.org/docs/current/libpq-ssl.html