连接到Postgres AWS RDS实例 - “证书验证失败”
[英]Connecting to Postgres AWS RDS Instance - “certificate verify failed”
问题描述
I started playing with AWS RDS a bit, I'm trying to connect my python client (local host - python 2.7, ubuntu 14.04) to the AWS RDS Postgres instance, using the certificate generated by AWS (during the instance launch). 
我开始使用AWS RDS了,我正在尝试使用AWS生成的证书(在实例启动期间)将我的python客户端(本地主机 - python 2.7,ubuntu 14.04)连接到AWS RDS Postgres实例。
conn = psycopg2.connect(database='db', user='db_user', password="pw",
host='xxxxx.rds.amazonaws.com', port='5432', sslmode='verify-full',
connect_timeout=10, sslrootcert = 'rds-combined-ca-bundle.pem')
But everytime I'm trying to connect I'm getting 但每当我试图连接时,我都会得到
Error SSL error: certificate verify failed
I'm not sure what I'm missing here, perhaps something related to the security groups? 我不确定我在这里缺少什么,也许是与安全组有关的东西? Am I using the wrong certificate? 我使用了错误的证书吗? If so, how do I create the right one? 如果是这样,我该如何创建合适的?
2 个解决方案
解决方案1
1 已采纳 2016-04-27 05:49:58
This is not an answer , but rather a suggestion: try fiddling with your security groups on their inbound rules. 这不是一个答案 ,而是一个建议:尝试在您的入站规则中摆弄您的安全组。 Start by making sure that you have a port open for postgres to your IP address. 首先确保您有一个端口打开postgres到您的IP地址。 If that fails, briefly test opening to everything and, whether that succeeds for fails, take the rule off again. 如果失败,请简单地测试对所有内容的开放,如果成功失败,请再次关闭该规则。 But if it succeeds you'll at least know the cause is to do with your communications protocols and not your credentials. 但如果成功,你至少知道原因是你的通信协议而不是你的凭据。 This is what just worked for me today. 这就是今天对我有用的东西。 --Now I myself am trying to figure out why I can connect when all connections are accepted, but not via my client IP address. - 现在我自己想弄清楚为什么我可以在接受所有连接时连接,但不能通过我的客户端IP地址。 HTH. HTH。
解决方案2
1 2017-08-22 11:27:47
In my case, I use the SQLAlchemy ORM and connect to postgres using psycopg2 (2.7.1). 在我的例子中,我使用SQLAlchemy ORM并使用psycopg2(2.7.1)连接到postgres。
So I do not need to call psycopg2.connect() directly, but instead set the SQLALCHEMY_DATABASE_URI variable: 所以我不需要直接调用psycopg2.connect() ,而是设置SQLALCHEMY_DATABASE_URI变量:
SQLALCHEMY_DATABASE_URI='postgres://dbuser:dbpwd@mypostgres.eu-central-1.rds.amazonaws.com:5432/msdb?sslmode=verify-full&sslrootcert=/etc/pki/pem/rds-combined-ca-bundle.pem' . SQLALCHEMY_DATABASE_URI='postgres://dbuser:dbpwd@mypostgres.eu-central-1.rds.amazonaws.com:5432/msdb?sslmode=verify-full&sslrootcert=/etc/pki/pem/rds-combined-ca-bundle.pem' 。
SQLAlchemy calls psycopg2.connect() on my behalf. SQLAlchemy代表我调用psycopg2.connect() 。 This is working for me. 这对我有用。
Looking at your code, it should behave the same way. 查看您的代码,它应该以相同的方式运行。
Per the AWS documentation , it might not work if your application does not accept certificate chains. 根据AWS文档 ,如果您的应用程序不接受证书链,它可能不起作用。 So you could try to solve the problem by using either the intermediate certificate specific to your region or the PKCS7 certificate bundle instead of rds-combined-ca-bundle.pem , and see if it works for you. 因此,您可以尝试使用特定于您所在区域的中间证书或PKCS7证书包而不是rds-combined-ca-bundle.pem来解决问题,并查看它是否适合您。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.