I am working on a NestJS application using TypeORM with a MySQL database, and both the backend and the database are deployed on Google Cloud. I’ve implemented SSL to secure communication between the backend and the database. The configuration for the SSL certificates is as follows:
1) HTTPS Configuration in main.ts
const httpsOptions = sslCertificateFolder
? {
key: fs
.readFileSync(`./certificate/${sslCertificateFolder}/client-key.pem`)
.toString(),
cert: fs
.readFileSync(`./certificate/${sslCertificateFolder}/client-cert.pem`)
.toString(),
ca: fs
.readFileSync(`./certificate/${sslCertificateFolder}/server-ca.pem`)
.toString(),
}
: undefined;
const app = await NestFactory.create(AppModule, { httpsOptions });
2.TypeORM Database Connection in app.module.ts
@Module({
imports: [
ConfigModule.forRoot({
envFilePath: [`environments/${environment}.env`],
isGlobal: true,
}),
TypeOrmModule.forRootAsync({
imports: [ConfigModule],
inject: [ConfigService],
useFactory: async (configService: ConfigService) => {
try {
const sslCertificateFolder =
process.env.NODE_IS_LOCAL == 'true'
? null
: process.env.NODE_ENV === 'development'
? 'ssl-dev'
: process.env.NODE_ENV === 'staging'
? 'ssl-staging'
: process.env.NODE_ENV === 'production'
? 'ssl-production'
: null;
return {
type: 'mysql',
host: configService.get('DB_HOST'),
port: configService.get('DB_PORT'),
username: configService.get('DB_USER'),
password: configService.get('DB_PASSWORD'),
database: configService.get('DB_NAME'),
entities: [`${__dirname}/**/*.entity{.ts,.js}`],
charset: 'utf8mb4',
collation: 'utf8mb4_unicode_ci',
synchronize: false,
logging: false,
options: { trustServerCertificate: true },
ssl: sslCertificateFolder
? {
rejectUnauthorized: false,
ca: fs
.readFileSync(
`./certificate/${sslCertificateFolder}/server-ca.pem`,
)
.toString(),
key: fs
.readFileSync(
`./certificate/${sslCertificateFolder}/client-key.pem`,
)
.toString(),
cert: fs
.readFileSync(
`./certificate/${sslCertificateFolder}/client-cert.pem`,
)
.toString(),
}
: undefined,
};
} catch (error) {
console.log('DB connection error ======>', error);
}
},
}),
],
})
export class AppModule {}
3) Testing via curl -v https://api.example.com
i$
* Trying 143.260.734.221:443...
* TCP_NODELAY set
* Connected to api.barrythebonsai.com (43.260.734.221) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=api.barrythebonsai.com
* start date: Dec 4 00:48:27 2024 GMT
* expire date: Mar 4 01:35:17 2025 GMT
* subjectAltName: host "api.barrythebonsai.com" matched cert's "api.barrythebonsai.com"
* issuer: C=US; O=Google Trust Services; CN=WR3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x561816b34233d650)
> GET / HTTP/2
> Host: api.example.com
> user-agent: curl/7.68.0
> accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 503
< content-type: text/plain
< x-cloud-trace-context: dddda9b4ddf23423tert4129d09510fba28fe5b278d29;o=1
< date: Wed, 04 Dec 2024 13:16:54 GMT
< server: Google Frontend
< content-length: 19
<
* Connection #0 to host api.barrythebonsai.com left intact
The 503 error could indicate a server issue or a timeout.
When I start my server locally (npm run start:dev), I receive the following deprecation warning:
(node:196372) [DEP0123] DeprecationWarning: Setting the TLS ServerName to an IP address is not permitted by RFC 6066. This will be ignored in a future version.
The Problem:
-
When I run the backend locally and connect to the live MySQL database using this configuration, everything works fine.
-
However, after deploying to Google Cloud and trying to call an API, the request takes a long time to respond and ultimately fails with a “Service Unavailable” error.
Problem
When I run the backend locally and connect to the live MySQL database using this configuration, everything works perfectly. However, when I deploy the backend to Google Cloud and try to call an API:
The request takes a long time to respond.
It ultimately fails with the error message: "Service Unavailable".
New contributor
rajesh parmar is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.