I downloaded the latest global-bundle.pem as directed, and set my env vars:
PGSSLROOTCERT=/.../global-bundle.pem
PGSSLMODE=require
psql -h [myDatabaseName].us-east-1.rds.amazonaws.com -d postgres -U [myUserName]
psql: error: connection to server at ".......us-east-1.rds.amazonaws.com" ([ip_address]), port 5432 failed: SSL error: sslv3 alert handshake failure
keytool -printcert -v -file global-bundle.pem
yielded this:
Certificate[85]:
Owner: L=Seattle, CN=Amazon RDS us-east-1 Root CA ECC384 G1, ST=WA, OU=Amazon RDS, O="Amazon Web Services, Inc.", C=US
Issuer: L=Seattle, CN=Amazon RDS us-east-1 Root CA ECC384 G1, ST=WA, OU=Amazon RDS, O="Amazon Web Services, Inc.", C=US
Serial number: f025124f1524f984cd5451696bd38760
Valid from: Tue May 25 12:41:55 HST 2021 until: Sun May 25 13:41:55 HST 2121
Certificate fingerprints:
SHA1: 24:A9:7B:91:CB:E8:69:11:19:05:76:C3:5C:36:AA:B4:FA:7B:25:DE
SHA256: 82:D9:9E:9E:40:97:03:04:4C:3F:88:6F:87:A0:40:8C:96:CD:74:DE:E2:C9:BA:92:0E:65:53:A3:2E:37:25:39
Signature algorithm name: SHA384withECDSA
Subject Public Key Algorithm: 384-bit EC (secp384r1) key
Version: 3
Which confirms the ECC us-east-1 (where my DB resides) certificate is present.
My DB cluster parameter group includes:
ssl=1, ssl_ciphers includes ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-SHA, ECDHE-RSA-AES256-SHA384, ECDHE-RSA-AES256-GCM-SHA384
openssl s_client -connect .....us-east-1.rds.amazonaws.com:5432 -starttls postgres
yields:
CONNECTED(00000005)
0097844AF87F0000:error:0A000410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1586:SSL alert number 40
no peer certificate available
No client certificate CA names sent
SSL handshake has read 8 bytes and written 374 bytes
Verification: OK
New, (NONE), Cipher is (NONE)
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
The problem seems to be that AWS is not supplying its certificate in the handshake.
Everything worked fine before changing the certificate authority, and I can still connect without SSL.
Any ideas?
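An added diagnostic, not part of the original post, that a practitioner would run before touching the endpoint again: OpenSSL names each TLS 1.2 suite by its authentication method (Au=RSA for ECDHE-RSA-*, Au=ECDSA for ECDHE-ECDSA-*), and a server can only offer a suite whose Au= matches the key type of the certificate it holds. The script below lists the Au= methods of the parameter group's ssl_ciphers string quoted above, reads the public-key algorithm out of a certificate, and reports whether any suite in the list can authenticate that certificate. Because the RDS server certificate is not available offline, it generates throwaway RSA and ECDSA self-signed certificates locally; the assumption, labelled in the code, is that the server's own certificate uses the same key type as the ECC CA that issued it. It requires the openssl command-line tool; the function and variable names are this example's own.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): check whether a PostgreSQL ssl_ciphers
# list contains any TLS 1.2 suite that can authenticate a given certificate key type.
set -euo pipefail

# The ssl_ciphers value quoted from the cluster parameter group in the post.
RDS_CIPHERS='ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA384'

# Print the distinct authentication methods (Au=...) of the TLS 1.2 suites in a cipher
# list. TLS 1.3 suites show up as Au=any in `openssl ciphers -v` and are skipped, since
# the parameter group only controls the TLS 1.2 list.
cipher_auth_methods() {
    openssl ciphers -v "$1" \
        | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^Au=/) { v = substr($i, 4); if (v != "any") print v } }' \
        | sort -u
}

# Print RSA or ECDSA (or the raw OID name) for the public key in a PEM certificate.
cert_key_type() {
    local alg
    alg=$(openssl x509 -in "$1" -noout -text | awk '/Public Key Algorithm:/ { print $NF; exit }')
    case "$alg" in
        rsaEncryption)  echo RSA ;;
        id-ecPublicKey) echo ECDSA ;;
        *)              echo "$alg" ;;
    esac
}

# Return 0 if at least one suite in the list authenticates with this certificate's key
# type, 1 otherwise (a server with only such a certificate would send handshake_failure).
check_cipher_cert_compat() {
    local list=$1 cert=$2 want methods
    want=$(cert_key_type "$cert")
    methods=$(cipher_auth_methods "$list" | tr '\n' ' ')
    if cipher_auth_methods "$list" | grep -qx "$want"; then
        echo "OK: $want certificate is usable with this cipher list (Au: $methods)"
        return 0
    fi
    echo "MISMATCH: certificate is $want but the cipher list only authenticates with: $methods"
    return 1
}

# Generate a throwaway self-signed certificate of the requested key type into a directory.
# Assumption: the real RDS server certificate has the same key type as its issuing CA, so
# a locally generated secp384r1 certificate stands in for the ECC384 G1 chain here.
make_test_cert() {
    local kind=$1 dir=$2
    mkdir -p "$dir"
    case "$kind" in
        rsa) openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/key.pem" 2>/dev/null ;;
        ec)  openssl ecparam -name secp384r1 -genkey -noout -out "$dir/key.pem" 2>/dev/null ;;
        *)   echo "unknown key kind: $kind" >&2; return 2 ;;
    esac
    openssl req -new -x509 -key "$dir/key.pem" -out "$dir/cert.pem" -subj '/CN=rds-cipher-test' -days 1 2>/dev/null
}

main() {
    local t
    t=$(mktemp -d)
    make_test_cert rsa "$t/rsa"
    make_test_cert ec  "$t/ec"
    echo "Auth methods in the parameter-group list: $(cipher_auth_methods "$RDS_CIPHERS" | tr '\n' ' ')"
    check_cipher_cert_compat "$RDS_CIPHERS" "$t/rsa/cert.pem" || true
    check_cipher_cert_compat "$RDS_CIPHERS" "$t/ec/cert.pem"  || true
    # The same list with ECDHE-ECDSA suites appended, to show what an ECDSA cert needs.
    check_cipher_cert_compat "${RDS_CIPHERS}:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384" "$t/ec/cert.pem" || true
    rm -rf "$t"
}

if [ "${1:-}" = "demo" ]; then
    main
fi
```

Run it as `bash check_ciphers.sh demo`. The natural follow-up against the live endpoint is the same `openssl s_client -starttls postgres` call from the post with `-cipher 'ECDHE-ECDSA-AES256-GCM-SHA384'` and then `-cipher 'ECDHE-RSA-AES256-GCM-SHA384'`, which shows directly which authentication method the server can complete a handshake with.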