Solution: If using an external, hosted database, and that database requires TLS/SSL, you must provide a root certificate.
Reference for Postgres hosted on Azure: https://docs.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security
ODK Central uses slonik, which in turn uses node-postgres. SSL options: https://node-postgres.com/features/ssl
It appears that `ca` is the correct option. The node-postgres and Azure docs are unclear as to which is which. These are not as beginner-friendly as the ODK docs.
Migrations, still using knex, meanwhile use the option `rejectUnauthorized: false`.
- Download the Microsoft PEM certificate linked from https://docs.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security into my home directory on the server running Central (e.g. using wget).

```
cd ~
wget https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem
```

- `vim ~/central/files/service/config.json.template` (comments inserted for clarity, not in production config)
```
{
  "default": {
    "database": {
      "host": "DBHOST",
      "user": "DBUSER",
      "password": "DBPASS",
      "database": "DBNAME",
      "ssl": {
        "rejectUnauthorized": false, # this is for migrations using knex
        ca: fs.readFileSync('/home/USERNAME/DigiCertGlobalRootG2.crt.pem').toString() # this is for ops using slonik
      },
    },
    ... # other config, eg. custom email
```
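
A check for the `ssl` options discussed in this post, as an added example that is not part of the original post or of ODK Central: it reports when certificate verification is switched off or when `ca` does not hold PEM text, and builds the verifying form. The function names and sample values are constructed for illustration, and it assumes the `ssl` object reaches node-postgres unchanged, which hands it to Node's `tls.connect()`.

```javascript
// Added example; auditSsl, hardenSsl and the samples are hypothetical names.
const PEM_CERT = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/;

// Constructed placeholder, not a real certificate. In practice this is the
// file content, e.g. fs.readFileSync(path, 'utf8') on the downloaded root.
const CONSTRUCTED_PEM =
  '-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n';

// Returns findings for an ssl option value; an empty list means the server
// certificate is verified against the supplied CA.
function auditSsl(ssl) {
  if (ssl === undefined || ssl === null || ssl === false) {
    return ['no-tls: connection is not encrypted'];
  }
  if (ssl === true) {
    return ['default-roots: no pinned ca, runtime CA bundle is used'];
  }
  const findings = [];
  if (ssl.rejectUnauthorized === false) {
    findings.push('verification-disabled: any server certificate is accepted');
  }
  const cas = ssl.ca === undefined ? [] : [].concat(ssl.ca);
  if (cas.length === 0) {
    findings.push('default-roots: no ca given, runtime CA bundle is used');
  }
  for (const ca of cas) {
    if (!PEM_CERT.test(String(ca))) {
      findings.push('ca-not-pem: value is not PEM text (path or unevaluated code?)');
    }
  }
  return findings;
}

// Returns a copy of the options that verifies the server against caPem.
function hardenSsl(ssl, caPem) {
  if (!PEM_CERT.test(String(caPem))) throw new Error('caPem is not a PEM certificate');
  return { ...(typeof ssl === 'object' ? ssl : {}), rejectUnauthorized: true, ca: caPem };
}

// Constructed samples mirroring the template in the post.
const asPosted = { rejectUnauthorized: false, ca: CONSTRUCTED_PEM };
const literalCa = { ca: "fs.readFileSync('/home/USERNAME/DigiCertGlobalRootG2.crt.pem').toString()" };
const hardened = hardenSsl(asPosted, CONSTRUCTED_PEM);

for (const [name, ssl] of Object.entries({ asPosted, literalCa, hardened })) {
  console.log(name, auditSsl(ssl));
}
```

With `rejectUnauthorized: false` the TLS handshake completes even when the server certificate does not chain to the supplied `ca`, so the first sample is reported although a CA is present.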