Custom DNS/Host in Route53

Yetzederixx · November 13, 2023, 9:17pm

I have a dns entry db.whatever.example.com and would like to just point it at my Neon instance as part of a migration saving me the headache of having to rebuild. I get this error in dbeaver when I hit test connection. I probably have to do a migration anyway since the username password changed and there’s no way to set a custom password, but still it’d be nice.

SSL error: Received fatal alert: access_denied
Received fatal alert: access_denied

vmatt · November 16, 2023, 10:35pm

Hey, not sure if it’s only a password issue (thinking there can be some SSL certificate validation issue)
However, if you want to have an user with permanent password across your branches, I think you should be able to create a separate user (role), with custom password.
Manage Roles - Neon Docs

Mahmoud · November 20, 2023, 10:46am

Hey @Yetzederixx, just like @vmatt mentioned, you can create a custom role using SQL and set a specific password during the role creation process. Would that solve your issue?

Yetzederixx · November 21, 2023, 4:33pm

Nope, I can connect just fine in code/dbeaver to the provided route @Mahmoud @vmatt when I create a CNAME in Route53 that points to Neon and then try to use that route is when I get the error.

vmatt · November 23, 2023, 3:08pm

@Yetzederixx, it appears that the SSL certificate is not valid for your domain. It’s only valid for aws.neon.tech domains. For example, in my instance, the certificate is only valid if the domain ends with eu-central-1.aws.neon.tech as indicated by Subject: CN = *.eu-central-1.aws.neon.tech.

You can verify this by following the instructions in this DBA Stack Exchange post:

First, get the Python file from:

github.com

thusoy/postgres-mitm/blob/master/postgres_get_server_cert.py

#!/usr/bin/env python

import argparse
import socket
import ssl
import struct
import subprocess
import sys

try:
    from urlparse import urlparse
except ImportError:
    from urllib.parse import urlparse


def main():
    args = get_args()
    target = get_target_address_from_args(args)
    sock = socket.create_connection(target)
    try:

This file has been truncated. show original

Then run:

postgres_get_server_cert.py your.endpoint.aws.neon.tech:5432 | openssl x509 -noout -text

Copy Code

If you’re looking to save time and not replace the hostname, user, and password each time due to compute node changes with a new branch, there’s a solution. You can repoint an existing compute node from an old branch to a new one. Unfortunately, it’s only possible via the API and not through the UI. However, it’s a simple single request, which makes it quite straightforward.

You can find out how to do this in the Neon documentation under branch promotion:

@Mahmoud: The documentation for this process is somewhat buried in this guide. It might be beneficial to relocate the information to the Manage Computes wiki page.

@Yetzederixx, if above method doesn’t meet your needs, and you require your own URL for connections, the best alternative would be to set up a reverse proxy. This involves spinning up an EC2 instance and pointing your domain to that EC2. With this setup, you can generate your own certificates.
For guidance on setting up a reverse proxy, refer to this article: