Your client application is unable to verify the SSL certificate chain provided by your AWS RDS DB Proxy. To troubleshoot, you can run the following command:
openssl s_client -connect <rds-proxy-endpoint>:<port> -showcerts
This command establishes a TLS/SSL connection to your AWS RDS DB Proxy and provides diagnostic information about the handshake and the certificate chain.
Key source: OpenSSL s_client documentation.
Note: While this may not directly resolve your issue, it will provide valuable insights into the underlying cause.
Download the correct CA certificate from the AWS RDS console (typically the RDS combined CA bundle). Make sure it's the one used to sign the Proxy's certificate.
Done. Downloaded this: https://truststore.pki.rds.amazonaws.com/us-east-1/us-east-1-bundle.pem (our DB uses Root CA rds-ca-rsa2048-g1). Updated the cert in Parameter Store and redeployed the app, but I am still getting the same error when connecting through the DB Proxy:
{"level":"error","time":1711292117599,"serviceContext":{"version":"unknown"},"context":"Nest.js","err":{"type":"Object","message":"unable to get local issuer certificate","stack":"Error: unable to get local issuer certificate\n at TLSSocket.onConnectSecure (node:_tls_wrap:1659:34)\n at TLSSocket.emit (node:events:517:28)\n at TLSSocket._finishInit (node:_tls_wrap:1070:8)\n at ssl.onhandshakedone (node:_tls_wrap:856:12)"},"data":"ExceptionHandler","message":"error"}
Trying to update the target and associate it with the DB, but getting such a notification. Even if I ignore it, select the DB, press "save changes" and refresh the page, the DB is still not present in the drop-down menu of associated DBs for the targets. Very frustrating.
Personally, to me it looks like a bug or a glitch on the AWS side, because it defies any logic. There is no error message saying the DB cannot be added. It is just absent after it has been added!
Well. I have a solution. Finally. (Just compare the two command outputs against the DB and the PROXY. See the "CN =" field and see the difference.)
openssl s_client -connect YOUR_DB_PROXY_HERE:5432 -starttls postgres -CAfile cert.pem
CN = Starfield Services Root Certificate Authority - G2
openssl s_client -connect YOUR_DB_HOST_HERE:5432 -starttls postgres -CAfile cert.pem
CN = Amazon RDS us-east-1 Subordinate CA RSA2048 G1.A.8, L = Seattle
As it turned out, the DB proxy uses a different ROOT CA (Starfield Services Root Certificate Authority - G2) than the one used by the RDS database (Amazon RDS us-east-1 Subordinate CA RSA2048 G1.A.8, L = Seattle). Why is that? Why is there no information about it? Wasted 2 days on that!!! This question is addressed to the AWS staff here! And why is there no option in AWS DB Proxy to choose the Root CA, as there is in AWS RDS DB? Do you think that is OK? NO!
Thanks.
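The failure mode in this thread is a trust-store mismatch: the client's CA bundle contains the issuer of the database's certificate but not the root the proxy's certificate chains to, so OpenSSL reports "unable to get local issuer certificate". The script below reproduces that with a throwaway PKI (two unrelated roots, a leaf signed by only one of them) and shows the check a practitioner can run before touching the application: extract the issuer of the presented certificate and confirm that subject actually appears in the bundle. This is an added example, not code from the thread or from AWS; the CA names ("Demo Root A", "Demo Root B"), the hostname `proxy.example.test`, and the function names are constructed for the demo, and the only tool assumed is the `openssl` CLI already used in the thread.

```shell
#!/bin/sh
# Reproduce a CA-bundle mismatch and check whether a bundle can verify a leaf.
# Assumes only the openssl CLI (1.1.x or 3.x). All names are constructed.

# Build a demo PKI in a temp dir: two independent self-signed roots and one
# leaf signed by Root A only. Prints the directory path.
make_demo_pki() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Root A" -keyout "$d/ca_a.key" -out "$d/ca_a.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Root B" -keyout "$d/ca_b.key" -out "$d/ca_b.pem" 2>/dev/null
    # Leaf: stands in for the certificate a proxy endpoint would present.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=proxy.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/ca_a.pem" \
        -CAkey "$d/ca_a.key" -CAcreateserial -out "$d/leaf.pem" 2>/dev/null
    # A combined bundle, the equivalent of a truststore that carries both roots.
    cat "$d/ca_a.pem" "$d/ca_b.pem" > "$d/bundle.pem"
    echo "$d"
}

# verify_leaf BUNDLE LEAF: exit 0 if BUNDLE can build a chain for LEAF.
verify_leaf() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# verify_error BUNDLE LEAF: print the reason OpenSSL gives for a failed chain.
verify_error() {
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -o 'unable to get local issuer certificate' | head -n 1
}

# cert_issuer LEAF: print the issuer DN of a certificate, without the "issuer=" prefix.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer | sed 's/^[a-z]*= *//'
}

# bundle_subjects BUNDLE: print the subject DN of every certificate in a PEM bundle
# (openssl x509 only reads the first cert, so route the bundle through PKCS#7).
bundle_subjects() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout \
        | grep '^subject=' | sed 's/^[a-z]*= *//'
}

# issuer_in_bundle BUNDLE LEAF: exit 0 if the leaf's issuer is a subject in the bundle.
# This is the quick pre-check for "unable to get local issuer certificate".
issuer_in_bundle() {
    bundle_subjects "$1" | grep -Fxq "$(cert_issuer "$2")"
}

cleanup_demo() {
    rm -rf "$1"
}

d=$(make_demo_pki)
for bundle in ca_a.pem ca_b.pem bundle.pem; do
    if verify_leaf "$d/$bundle" "$d/leaf.pem"; then
        echo "$bundle: chain OK"
    else
        echo "$bundle: $(verify_error "$d/$bundle" "$d/leaf.pem")"
    fi
    if issuer_in_bundle "$d/$bundle" "$d/leaf.pem"; then
        echo "$bundle: contains issuer '$(cert_issuer "$d/leaf.pem")'"
    else
        echo "$bundle: does NOT contain issuer '$(cert_issuer "$d/leaf.pem")'"
    fi
done
cleanup_demo "$d"
```

Against a real endpoint the same check is `openssl s_client -connect host:port -starttls postgres -showcerts </dev/null`, saving the last certificate printed to a file and feeding it to `cert_issuer` and `bundle_subjects` with the bundle the application actually loads. If the issuer is missing, the fix is in the truststore (a bundle that carries both roots, as `bundle.pem` does here), not in the database or proxy settings.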
It seems that your RDS instance is not properly configured to support SSL connections. Could you please revisit and follow the steps outlined in the guide Using SSL/TLS to encrypt a connection to a DB instance or cluster to ensure that all configurations are correct?
Hello.
Here is the output:
Unfortunately, I do not observe any information related to the SSL handshake.
When connecting to the DB directly there is also no useful information.
I have checked our DB server configuration. The only SSL-related option is to change the Root CA, nothing else. And, as I said before, our app can connect over SSL to the DB directly using the mentioned cert and its Root CA (rds-ca-rsa2048-g1), but not via the DB proxy. So it looks like everything is fine with the DB server itself.
Now let's connect to the DB over the proxy:
Update: after adding the proxy endpoint resource in Terraform, I have managed to connect to the DB proxy from the command line:
But I am still getting the same SSL error in the app, even after redeploying it and updating the value for the proxy endpoint in Parameter Store. Any ideas where the issue is?