CRE-2025-0142
Supabase Self-Hosted: SSL Certificate Missing or Invalid Configuration
Severity: Medium
Impact: 6/10
Mitigation: 5/10
Description
Detects when Supabase services fail to start or to serve requests because of missing, invalid, or improperly configured SSL/TLS certificates. This affects HTTPS endpoints and secure WebSocket connections (for example Realtime), and prevents clients from establishing secure connections to the self-hosted Supabase instance.
Mitigation
IMMEDIATE:
 - Check that the certificate and key files exist where Kong expects them: `ls -la /path/to/ssl/certs/`
 - Set permissions so the key is private and the certificate is readable: `chmod 644 server.crt && chmod 600 server.key`
 - Confirm the certificate parses, and inspect its subject, SANs and validity window: `openssl x509 -in server.crt -text -noout`
CONFIGURATION:
 - Generate a self-signed certificate for testing. Modern clients ignore the CN and require a Subject Alternative Name, so include one (`-addext` needs OpenSSL 1.1.1 or later):
 ```bash
 openssl req -x509 -newkey rsa:2048 -nodes \
 -keyout server.key -out server.crt -days 365 \
 -subj "/CN=localhost" \
 -addext "subjectAltName=DNS:localhost,IP:127.0.0.1"
 ```
 - Use Let's Encrypt (or another trusted CA) for production certificates
 - Point Kong at the correct files (`ssl_cert` / `ssl_cert_key` in `kong.conf`, or `KONG_SSL_CERT` / `KONG_SSL_CERT_KEY` when Kong is configured through the environment) and restart or reload the gateway
 - Ensure the certificate's Subject Alternative Names cover every hostname and IP that clients use to reach the instance, including the WebSocket (Realtime) endpoint
VALIDATION:
 - Test the HTTPS endpoint with verification enabled: `curl -v https://localhost:8443/` (for a self-signed certificate use `curl --cacert server.crt https://localhost:8443/`; `curl -k` disables verification and only proves that the port is listening)
 - Verify the certificate chain against its issuer: `openssl verify -CAfile <ca-bundle.pem> server.crt` (a self-signed certificate only verifies against itself: `openssl verify -CAfile server.crt server.crt`; with no `-CAfile` the command fails for any certificate not issued by a CA in the system trust store)
 - Check certificate expiration: `openssl x509 -in server.crt -noout -dates` (or `openssl x509 -in server.crt -noout -checkend 2592000` to fail if fewer than 30 days remain)
PREVENTION:
 - Monitor certificate expiration and alert well before the `notAfter` date
 - Automate renewal (certbot) and reload Kong after each renewal so it picks up the new files
 - Store certificates and private keys with restrictive access controls
 - Document the TLS configuration requirements
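The IMMEDIATE, CONFIGURATION and VALIDATION steps above, collected into one pre-flight script. This is an added example, not code from the CRE page or from the Supabase or Kong projects. It assumes OpenSSL 1.1.1 or later (for `-addext`), the hypothetical file names `server.key` and `server.crt` in a directory of your choosing, and that the cert is either self-signed or verifiable against a CA bundle you pass in; `gen_self_signed` and `check_cert` are names chosen here. `check_cert` deliberately does not use `curl -k` or a bare `openssl verify`: it verifies against an explicit CA file, confirms the private key actually matches the certificate, and checks the SAN for the host clients will use.

```bash
#!/usr/bin/env bash
# Added example (not from the CRE page or Supabase/Kong). Assumes OpenSSL >= 1.1.1
# and the hypothetical file names server.key / server.crt inside $dir.

# Generate a self-signed certificate that carries a subjectAltName. Clients such
# as curl, browsers and Node ignore the CN, so a bare "/CN=host" cert is rejected
# even though `openssl x509 -text` shows it as well-formed.
gen_self_signed() {
  local dir=$1 host=$2 days=${3:-365}
  mkdir -p "$dir" || return 1
  openssl req -x509 -newkey rsa:2048 -nodes \
    -keyout "$dir/server.key" -out "$dir/server.crt" -days "$days" \
    -subj "/CN=$host" \
    -addext "subjectAltName=DNS:$host,IP:127.0.0.1" >/dev/null 2>&1 || return 1
  chmod 600 "$dir/server.key" && chmod 644 "$dir/server.crt"
}

# Pre-flight checks for the files Kong will load. Returns 0 only if every check
# passes and prints the first failure. $3 is the minimum remaining lifetime in
# days; $4 is the CA bundle to verify against (defaults to the cert itself,
# which is correct only for a self-signed certificate).
check_cert() {
  local dir=$1 host=$2 min_days=${3:-30}
  local crt=$dir/server.crt key=$dir/server.key
  local cafile=${4:-$crt}

  [ -r "$crt" ] || { echo "FAIL: $crt missing or unreadable"; return 1; }
  [ -r "$key" ] || { echo "FAIL: $key missing or unreadable"; return 1; }

  # The private key must not be group- or world-readable (GNU stat, then BSD stat).
  local mode
  mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
  case $mode in
    600|400) ;;
    *) echo "FAIL: $key has mode $mode, want 600"; return 1 ;;
  esac

  # The certificate parses at all (the page's `openssl x509 -text` check, quietly).
  openssl x509 -in "$crt" -noout >/dev/null 2>&1 \
    || { echo "FAIL: $crt is not a PEM certificate"; return 1; }

  # Key and certificate belong together: compare SHA-256 of their public keys.
  local crt_pub key_pub
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ] \
    || { echo "FAIL: server.key does not match server.crt"; return 1; }

  # Chain verification against an explicit CA file. Without -CAfile a
  # self-signed or privately issued cert always fails this step.
  openssl verify -CAfile "$cafile" "$crt" >/dev/null 2>&1 \
    || { echo "FAIL: $crt does not verify against $cafile"; return 1; }

  # Not expiring within min_days (-checkend takes seconds).
  openssl x509 -in "$crt" -noout -checkend $((min_days * 86400)) >/dev/null 2>&1 \
    || { echo "FAIL: $crt expires within $min_days days"; return 1; }

  # The SAN must cover the host clients connect to; the CN alone is not enough.
  openssl x509 -in "$crt" -noout -text 2>/dev/null | grep -qE "DNS:$host(,|$)" \
    || { echo "FAIL: no subjectAltName entry for $host"; return 1; }

  echo "OK: $crt is usable for https://$host"
}

# Stand-alone demo on a throwaway directory; the second check is expected to
# fail because the cert was not issued for that name.
demo() {
  local tmp
  tmp=$(mktemp -d)
  gen_self_signed "$tmp" supabase.internal.test 365
  check_cert "$tmp" supabase.internal.test 30
  check_cert "$tmp" other.example.test 30 || echo "(expected: wrong host is rejected)"
  rm -rf "$tmp"
}
demo
```

Run it once against the directory Kong is configured with before restarting the gateway; for a CA-issued certificate pass the issuer bundle as the fourth argument instead of relying on the self-signed default.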