Configuring Wiki.js to use an AWS RDS Postgres instance

[1stNox]

OS: Kubernetes 1.25
Pod Image: requarks/wiki:2
Database Engine: Postgres 15.3
Database Host: AWS RDS Postgres
Network: Private (using VPC)

Hello,
I am having issues setting up a wiki.js deployment using AWS EKS and AWS RDS.
The pod running wiki.js is not able to establish a connection with my Postgres DB. It always mentions the pg_hba.conf after the 10th retry.
I already tested if I had made a mistake setting up the network but it worked fine using a pgAdmin4 WebClient deployment. The pgAdmin4 deployment used the exact same infrastructure, I just changed the image and added 3 env vars.
So it is probably no networking stuff. Otherwise the wiki.js deployment couldn't reach the database to tell me about the pg_hba.conf. Does anyone know what I could do to solve the issue?

Greetings,
1stNox

[6XGate]

You must enable SSL, but wiki.js doesn't support providing a CA bundle to the driver.

[LuccaPrado]

If by any reason you got here looking for the answer:
You need to download the pem based on this page by aws

then on config.yml you need to adjust with this under db:

sslOptions:
  auto: false
  ca: pathToYour.pem

[jvmatl]

So, in case this is useful to anybody. I, too, got blocked here for a while:

I'm running wiki.js in a docker container under docker compose (I know, don't judge) on an EC2 instance and could not get wiki.js to authenticate to my PostgreSQL database running in AWS RDS.

Eventually, I determined the problem was

1. RDS Postgresql is configured by default to require SSL (TLS)
   • Supposedly, this can be changed: you can modify rds.force_ssl in the RDS "Database Parameter Group" and set it false.
   • for what it's worth, changing this did not change anything for me
2. Wiki.js, by default, tries to connect to postgres via TLS
3. AWS uses their own CA to sign the RDS TLS certs, and wiki.js doesn't trust that CA, so the connection fails because it can't prove the psql server is legit.

Lucca (Above) is correct - the "right" fix is to get wiki.js (specifically, the postgres driver it's using) to use the amazon ca.pem file to authenticate the remote server. I tried every magic trick I could think of, but could not get this to work inside the stock docker container - I could mount the pem file and make it visible inside the container, but I don't know what combination of environment variables and black magic would make it actually look at the file.

So, my plan B was to configure the postgres driver to require, but not validate, the TLS session to postgres. The solution came down to setting this environment variable in the docker container: PGSSLMODE="require" -- with this flag, wiki.js was able to connect to my RDS server via TLS, but it did not complain about the certificate. Maybe this will help you. (side note: https://www.postgresql.org/docs/current/libpq-envars.html )

HOWEVER: Make sure you understand the risks. By setting PGSSLMODE to "require", you are instructing the postgres driver to get an encrypted connection to something that is probably your postgres server, but could be a man-in-the middle that is hijacking your traffic. In my case, the low value of what was being stored, combined with the fact that both server and RDS were running in the same VPC, so a MiTM attack would require penetrating AWS's VPC security, was IMO secure enough that I decided the cost/benefit tradeoff was worth it. If your wiki has, I dunno, confidential medical data or valuable financial data, or Taylor Swift's phone number, you might make another call.