Hi, I’m currently developing a Node.js based web app. I use MySQL 8 + Drizzle for local development.
When I started to test TiDB serverless, I was able to connect to TiDB via public endpoint with the following connection string
mysql://user:password@public_endpoint:4000/db_name?ssl={"rejectUnauthorized":true}
from my laptop. However, when the same command was run by the GitHub Action pipeline, I got the following error:
Reading config file '/home/runner/work/myproject/drizzle.config.ts'
TypeError: Unknown SSL profile '{rejectUnauthorized:true}'
    at _ConnectionConfig.getSSLProfile (/home/runner/work/myproject/node_modules/drizzle-kit/bin.cjs:116078:17)
    at new _ConnectionConfig (/home/runner/work/myproject/node_modules/drizzle-kit/bin.cjs:115986:72)
I tried to google the error for about 2 hours and was unable to find any solution. Wondering if someone here could point me in the right direction.
Many thanks.
To resolve the SSL profile error when connecting to TiDB Serverless from a GitHub Action workflow, you can follow these steps:
- Ensure TLS Connection: TiDB Serverless requires a secure connection when using a public endpoint. Make sure that the USE_SSL environment variable is set to true (Connect to TiDB with node-mysql2 | PingCAP Docs).
- Set Up Environment Variables: In your GitHub Action workflow, you need to set up the environment variables correctly. Here is an example of how you can set up these variables in your GitHub Action workflow:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
      - name: Set up Node.js
        uses: actions/setup-node@v2
        with:
          node-version: '16'
      - name: Install dependencies
        run: npm install
      - name: Set up environment variables
        run: |
          echo "TIDB_HOST=${{ secrets.TIDB_HOST }}" >> $GITHUB_ENV
          echo "TIDB_PORT=4000" >> $GITHUB_ENV
          echo "TIDB_USER=${{ secrets.TIDB_USER }}" >> $GITHUB_ENV
          echo "TIDB_PASSWORD=${{ secrets.TIDB_PASSWORD }}" >> $GITHUB_ENV
          echo "TIDB_DATABASE=${{ secrets.TIDB_DATABASE }}" >> $GITHUB_ENV
          echo "USE_SSL=true" >> $GITHUB_ENV
      - name: Run your tests
        run: npm test
- Modify Connection String: Instead of using the JSON format for the SSL profile in the connection string, you can use the environment variables to configure the SSL settings. Here is an example of how you can modify your connection string in your Node.js application:
const mysql = require('mysql2');

const connection = mysql.createConnection({
  host: process.env.TIDB_HOST,
  port: process.env.TIDB_PORT,
  user: process.env.TIDB_USER,
  password: process.env.TIDB_PASSWORD,
  database: process.env.TIDB_DATABASE,
  ssl: {
    rejectUnauthorized: true,
  },
});

connection.connect((err) => {
  if (err) {
    console.error('Error connecting to the database:', err);
    return;
  }
  console.log('Connected to the database');
});
- Use GitHub Secrets: Ensure that you store sensitive information such as TIDB_HOST, TIDB_USER, TIDB_PASSWORD, and TIDB_DATABASE in GitHub Secrets for security purposes. You can add these secrets in your GitHub repository settings under the “Secrets” section.
By following these steps, you should be able to resolve the SSL profile error and successfully connect to TiDB Serverless from your GitHub Action workflow.
: Connect to TiDB with node-mysql2 | PingCAP Docs
This worked on my laptop, but it failed in the GitHub Actions pipeline.
To troubleshoot the SSL profile error when connecting to TiDB Serverless from a GitHub Actions pipeline, you can follow these steps:
- Check Environment Variables: Ensure that all necessary environment variables (such as TIDB_CLOUD_API_PUBLIC_KEY, TIDB_CLOUD_API_PRIVATE_KEY, and GITHUB_TOKEN) are correctly set in your GitHub Actions workflow. These variables are crucial for authentication and connection setup.
- Verify SSL Certificates: Make sure that the SSL certificates required for the connection are correctly configured and accessible in the GitHub Actions environment. You might need to include steps in your workflow to download or set up these certificates.
- Network Configuration: Check if there are any network restrictions or firewall rules that might be blocking the connection from the GitHub Actions environment. Ensure that the GitHub Actions runners have the necessary permissions to access the TiDB Serverless instance.
- Debugging Output: Add debugging steps to your GitHub Actions workflow to print out the connection details and any error messages. This can help identify where the connection is failing. For example:
steps:
  - name: Wait for TiDB Serverless branch to be ready
    uses: tidbcloud/wait-for-tidbcloud-branch@v0
    id: wait-for-branch
    with:
      token: ${{ secrets.GITHUB_TOKEN }}
      public-key: ${{ secrets.TIDB_CLOUD_API_PUBLIC_KEY }}
      private-key: ${{ secrets.TIDB_CLOUD_API_PRIVATE_KEY }}
  - name: Test with TiDB Serverless branch
    run: |
      echo "The host is ${{ steps.wait-for-branch.outputs.host }}"
      echo "The user is ${{ steps.wait-for-branch.outputs.user }}"
      # The password output (steps.wait-for-branch.outputs.password) is not echoed, so it stays out of the job log
      # Add your connection test command here
- Check GitHub Actions Runner Logs: Review the logs from the GitHub Actions runner to see if there are any specific error messages related to the SSL connection. This can provide more insight into what might be going wrong.
- Local vs. CI Environment Differences: Consider any differences between your local environment and the GitHub Actions environment. For example, differences in operating system, installed software versions, or network configurations could affect the connection.
- Update Dependencies: Ensure that all dependencies and tools used in your workflow are up-to-date. Sometimes, outdated libraries or tools can cause compatibility issues.
By following these steps, you should be able to identify and resolve the issue with the SSL profile error in your GitHub Actions pipeline.
: Integrate TiDB Serverless Branching (Beta) with GitHub | PingCAP Docs
Hi, @ccwukong. First things first, thanks for liking TiDB. You mentioned that it works well on your laptop, but doesn’t in GitHub Action. That might be because you configured a different OS in GitHub Action. So may I see the config file of your GitHub Action pipeline?
Hi @CheeseWong,
Thanks for the reply, here’s my GA workflow YAML file:
name: Demo deployment
on:
  push:
    branches:
      - main
jobs:
  test:
    runs-on: ubuntu-latest
    environment: demo
    steps:
      - uses: actions/checkout@v4
      - name: Use Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '18.x'
      - run: yarn install
      - run: yarn test
      - run: yarn db:migrate
      - run: CONNECTION_STRING=${{ secrets.CONNECTION_STRING }} yarn db:push
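Added example, not part of any post in this thread and not mysql2 or drizzle-kit source: the TypeError in the first post shows the ssl value without its double quotes, which is what an unquoted `${{ secrets.CONNECTION_STRING }}` in a `run:` line yields once the shell removes quotes. The sketch models that quote removal and a JSON-or-profile-name reading of the `ssl` option (the path the `getSSLProfile` stack frame points to); the function names, the profile list and the sample URL are assumptions.

```javascript
// Added example: a simplified model, not mysql2 or drizzle-kit source code.
// Profile list is an assumption standing in for the driver's built-in names.
const KNOWN_PROFILES = new Set(['Amazon RDS']);

// Model of shell quote removal on an unquoted word (covers only double
// quotes and backslash escapes): this is what a value pasted into a `run:`
// line goes through before the program sees it.
function afterUnquotedShellExpansion(word) {
  let out = '';
  for (let i = 0; i < word.length; i++) {
    if (word[i] === '\\' && i + 1 < word.length) out += word[++i];
    else if (word[i] !== '"') out += word[i];
  }
  return out;
}

// Read the ssl query option: JSON if it parses, otherwise a profile name.
function resolveSslOption(connectionString) {
  const raw = new URL(connectionString).searchParams.get('ssl');
  if (raw === null) return { ok: false, reason: 'no ssl option in connection string' };
  let value;
  try { value = JSON.parse(raw); } catch { value = raw; }
  if (typeof value === 'string') {
    return KNOWN_PROFILES.has(value)
      ? { ok: true, ssl: { profile: value } }
      : { ok: false, reason: `Unknown SSL profile '${value}'` };
  }
  if (value === null || typeof value !== 'object' || value.rejectUnauthorized !== true) {
    return { ok: false, reason: 'ssl option does not enforce certificate verification' };
  }
  return { ok: true, ssl: value };
}

// Constructed sample value: placeholder host and credentials.
const STORED_SECRET =
  'mysql://user:password@gateway.example.com:4000/db_name?ssl={"rejectUnauthorized":true}';

function demo() {
  return {
    viaEnvMapping: resolveSslOption(STORED_SECRET),
    viaUnquotedRunLine: resolveSslOption(afterUnquotedShellExpansion(STORED_SECRET)),
  };
}

console.log(demo());
```

Handing the secret to the step through an `env:` mapping instead of interpolating it into the `run:` text keeps the shell from rewriting the value.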
Hi @Mini256, have you encountered this? Or do we have any example of a GitHub Action? I am not familiar with Node.js. Thanks for helping.
Hi @CheeseWong,
Thanks for the follow-up, the problem is solved. I managed to figure out a way to create a self-signed cert in the GA workflow, and it works.
What I did:
- Generate a self-signed certificate and convert it from .pem to .crt
- Create a GitHub secret with the content of the .crt file
- Create a new .crt file using the GitHub secret in the GA workflow
My updated YAML file is here:
name: Demo deployment
on:
  push:
    branches:
      - main
jobs:
  test:
    runs-on: ubuntu-latest
    environment: demo
    steps:
      - uses: actions/checkout@v4
      - name: Use Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '18.x'
      - run: yarn install
      - run: yarn test
      # Append the CA certificate from the secret to the system bundle; tee runs under sudo because the bundle is root-owned
      - run: sudo mkdir -p /etc/ssl/certs/ && echo "${{ secrets.CA_DATA }}" | sudo tee -a /etc/ssl/certs/ca-certificates.crt > /dev/null
      - run: yarn db:migrate
      - run: >-
          DB_USER=${{ secrets.DB_USER }}
          DB_PASS=${{ secrets.DB_PASS }}
          DB_HOST=${{ vars.DB_HOST }}
          DB_PORT=${{ vars.DB_PORT }}
          DB_NAME=${{ vars.DB_NAME }}
          DB_SSL_CA=/etc/ssl/certs/ca-certificates.crt
          yarn db:push
Hope it could help others who have the same issue.