I have a web app. I have developed out some basic features in production. I have put it into a live environment, once on Heroku and later on DigitalOcean. In live, the connection to the Postgres database needs to use TLS. In all permutations of code I have tried, the server starts correctly, but any attempt to load a page results in this error: thread 'actix-rt:worker:2' panicked at 'could not create db client from pool: Backend(Error { kind: Tls, cause: Some(Custom { kind: InvalidData, error: WebPKIError(UnknownIssuer) }) })'.
I have tried loading in the PEM file from AWS servers (in the case of Heroku, which uses AWS Postgres instances), adding webpki roots, rustls native certs, even forcing an authorizer that validates everything. Same error.
You can find a minimal version of the code that reproduces this error here. The error occurs at src/main.rs:33:47 (reproduced on Heroku).
Env variables in that app are:
- server_addr=0.0.0.0
- pg.*=(from my database instance)
- use_ssl=true
- use_rustls_root_store=false
- add_webpki_roots=false
- use_custom_cert_resolver=false
I can turn any of the last three variables (which control various portions of the TLS setup) on or off and it makes no difference. Same error message. The same with the optional db_ca_cert, which can be set with the name of the PEM file or not set. It makes no difference.
I have solved the issue by converting my app to use sqlx instead. This works as expected on Heroku. I have not tried DigitalOcean, but I would expect it to work there, too.
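A check worth running before changing drivers, added here as an editor's example (not code from the question or its linked repository): an `UnknownIssuer` error means the client's root store does not contain a CA that signed the server's certificate chain, so the first thing to confirm is whether the CA bundle you are loading (the `db_ca_cert` PEM in the post) actually issued the server certificate. The script below assumes only the `openssl` CLI is installed; it builds two constructed CAs and one server certificate signed by one of them, then runs `openssl verify` against each bundle to show the pass and the unknown-issuer outcome.

```shell
#!/bin/sh
# Editor's added example. Constructs a throwaway PKI (two CAs, one server
# cert issued by the "right" CA) and checks which CA bundle verifies the
# server certificate. Nothing here touches a real database or network.
set -eu

make_test_pki() {
  dir="$1"
  # Minimal openssl config: req needs a distinguished_name section even
  # when -subj is given; v3_ca/v3_srv supply the extensions.
  cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_srv]
basicConstraints = CA:FALSE
subjectAltName = DNS:db.example.invalid
EOF
  # Two independent CAs: "right" will issue the server cert, "wrong" will not.
  for ca in right wrong; do
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/$ca-ca.key" 2>/dev/null
    openssl req -x509 -new -key "$dir/$ca-ca.key" -config "$dir/req.cnf" \
      -extensions v3_ca -subj "/CN=Constructed $ca CA" -days 1 \
      -out "$dir/$ca-ca.pem" 2>/dev/null
  done
  # Server key + CSR, signed by the "right" CA only.
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/server.key" 2>/dev/null
  openssl req -new -key "$dir/server.key" -config "$dir/req.cnf" \
    -subj "/CN=db.example.invalid" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/right-ca.pem" \
    -CAkey "$dir/right-ca.key" -CAcreateserial -days 1 \
    -extfile "$dir/req.cnf" -extensions v3_srv \
    -out "$dir/server.pem" 2>/dev/null
}

# chain_verifies CA_BUNDLE SERVER_CERT: prints "ok" when the bundle contains
# an issuer for the server cert, "unknown-issuer" otherwise (the OpenSSL
# equivalent of the WebPKIError(UnknownIssuer) in the post).
chain_verifies() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo unknown-issuer
  fi
}

# Build the constructed PKI once; PKI_DIR is reused by the checks below.
PKI_DIR=$(mktemp -d)
trap 'rm -rf "$PKI_DIR"' EXIT
make_test_pki "$PKI_DIR"
chain_verifies "$PKI_DIR/right-ca.pem" "$PKI_DIR/server.pem"
chain_verifies "$PKI_DIR/wrong-ca.pem" "$PKI_DIR/server.pem"
```

Against a live instance, the same decision can be checked with the server's real chain: `openssl s_client -starttls postgres -connect HOST:5432 -CAfile db_ca_cert.pem` (OpenSSL 1.1.1 or newer) prints the presented chain and a verify result, which separates "wrong or incomplete CA bundle" from "the client is not loading the bundle at all". One caveat: webpki is stricter than OpenSSL about certificate encoding and extensions, so a bundle that passes `openssl verify` is necessary but not sufficient for rustls to accept it.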