Enabling Postgres SSL in the Chef cookbook doesn't enable it in the Crowd config



    • Type: Bug
    • Resolution: Duplicate
    • Priority: Low
    • Affects Version/s: None
    • Severity 3 - Minor

      Postgres over SSL is not supported yet for HipChat Data Center.

      Summary

      SSL can be enabled in the database connectivity to the Postgres server via /hipchat-scm/chef-repo/cookbooks/hipchat_postgres/attributes/default.rb. This change doesn't have any effect on Crowd. Crowd will still try to connect to the database without SSL.

      Environment

      HipChat Data Center 3.0.1

      Steps to Reproduce

      1. Update /hipchat-scm/chef-repo/cookbooks/hipchat_postgres/attributes/default.rb as root with:
        default[:hipchat][:postgres][:sslmode] = "enable"
        
      2. Run Chef
        cs
        
      3. Review the hibernate.connection.url property in /etc/crowd/crowd.cfg.xml

      Expected Results

      You should see:

      <property name="hibernate.connection.url">jdbc:postgresql://$IP:5432/hipchat_postgres?ssl=true</property>
      

      Actual Results

      You don't see the ?ssl=true part.

      Notes

      In /var/log/hipchat/atlassian-crowd.log, you will see exceptions similar to:

      2017-08-23 04:13:41,576 C3P0PooledConnectionPoolManager[identityToken->z8kflt9q3ormlza32xgd|4d4ba27b]-HelperThread-#2 WARN [mchange.v2.resourcepool.BasicResourcePool] com.mchange.v2.resourcepool.BasicResourcePool$ScatteredAcquireTask@743c31ed -- Acquisition Attempt Failed!!! Clearing pending acquires. While trying to acquire a needed new resource, we failed to succeed more than the maximum number of allowed acquisition attempts (30). Last acquisition attempt exception: 
      org.postgresql.util.PSQLException: FATAL: no pg_hba.conf entry for host "$IP", user "$USER", database "$DB", SSL off
      

      Workaround

      Manually make the change in /etc/crowd/crowd.cfg.xml and make it persist across upgrades as indicated in "How to change files maintained by Chef in HipChat Server".

            Assignee:
            Unassigned
            Reporter:
            Arbi Dridi
            Archiver:
            Michael Andreacchio
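
A check for the condition this issue describes, added here as an example and not part of the original report or the product's code: it reads hibernate.connection.url from crowd.cfg.xml, tests for ssl=true, and extracts the "SSL off" rejections from atlassian-crowd.log. The sample config and log lines are constructed, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

# Constructed sample of crowd.cfg.xml as Chef leaves it (no ?ssl=true).
SAMPLE_CFG = """<application-configuration>
  <properties>
    <property name="hibernate.connection.url">jdbc:postgresql://10.0.0.5:5432/hipchat_postgres</property>
  </properties>
</application-configuration>"""

# Constructed log lines modelled on the exception quoted in the issue.
SAMPLE_LOG = '''2017-08-23 04:13:41,576 WARN [BasicResourcePool] Acquisition Attempt Failed!!!
org.postgresql.util.PSQLException: FATAL: no pg_hba.conf entry for host "10.0.0.7", user "crowd", database "hipchat_postgres", SSL off
'''

REJECTED = re.compile(r'no pg_hba\.conf entry for host "([^"]*)", user "([^"]*)", '
                      r'database "([^"]*)", SSL off')

def crowd_jdbc_url(cfg_xml):
    """Return the hibernate.connection.url value, or None if absent."""
    for prop in ET.fromstring(cfg_xml).iter("property"):
        if prop.get("name") == "hibernate.connection.url":
            return (prop.text or "").strip()
    return None

def jdbc_ssl_enabled(jdbc_url):
    """True only if the URL carries ssl=true, the form the issue expects."""
    if not jdbc_url or not jdbc_url.startswith("jdbc:postgresql://"):
        return False
    query = urlsplit(jdbc_url[len("jdbc:"):]).query
    return parse_qs(query).get("ssl", [""])[-1].lower() == "true"

def ssl_off_rejections(log_text):
    """Return (host, user, database) for each plaintext login Postgres refused."""
    return REJECTED.findall(log_text)

if __name__ == "__main__":
    url = crowd_jdbc_url(SAMPLE_CFG)
    print("JDBC URL:", url)
    print("SSL requested by Crowd:", jdbc_ssl_enabled(url))
    for host, user, db in ssl_off_rejections(SAMPLE_LOG):
        print(f"rejected plaintext login: host={host} user={user} db={db}")
```

Running it after each Chef run or upgrade shows whether the manual edit to crowd.cfg.xml is still in place.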
