I have a (slight) working understanding of x509 certs and I've been trying to understand why the instructions I followed aren't working.
I followed https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL.html, which simply says: connect with sslmode=verify-ca (or verify-full) and sslrootcert=$CERTPATH, where $CERTPATH is the path to the cert they provide in the first paragraph of the guide. Doing that I get x509: certificate signed by unknown authority.

Debugging this a bit, I (with my bad understanding of x509) expected the RDS to respond with some cert with CN=*.something.us-west-2.rds.amazonaws.com (the database) issued by something like CN=Amazon RDS us-west-2 2019 CA, with an intermediate for chaining the CN=Amazon RDS us-west-2 2019 CA cert to Amazon RDS Root 2019 CA, and Amazon RDS Root 2019 CA is our sslrootcert.

What I see is a cert with CN=*.something.us-west-2.rds.amazonaws.com issued by OU=Server CA 1B, CN=Amazon and an intermediate from CN=Amazon,OU=Server CA 1B to Amazon Root CA 1 - Amazon's root cert on amazontrust.com, from https://www.amazontrust.com/repository/AmazonRootCA1.pem . So psql "postgres://.../dbname?sslmode=verify-ca&sslrootcert=AmazonRootCA1.pem" works just fine.

Is Aurora misconfigured somehow? Am I doing something slightly wrong? I figure using sslrootcert=AmazonRootCA1.pem isn't terrible, but I want to understand the piece I'm missing, mentally. Any help is appreciated.
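The chain shape described in the question, as an added example that is not part of the original post: it builds a constructed leaf / intermediate / root chain with openssl (all names are made up stand-ins for the Amazon ones) and runs the checks that sslmode=verify-ca and verify-full perform, once against the root that actually anchors the presented chain and once against an unrelated root, which is exactly the "certificate signed by unknown authority" case.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a constructed chain shaped
# like the one observed (leaf <- "Server CA 1B" <- "Root CA 1") and verifies it the
# way sslmode=verify-ca and verify-full would, against two candidate sslrootcert files.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
printf '[req]\ndistinguished_name=dn\n[dn]\n' > req.cnf   # minimal config so req needs no system openssl.cnf
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:db.example.test\n' > leaf.ext

csr() { openssl genrsa -out "$1.key" 2048 2>/dev/null
        openssl req -new -config req.cnf -key "$1.key" -subj "$2" -out "$1.csr" 2>/dev/null; }
# mkroot NAME SUBJECT: self-signed root CA
mkroot() { csr "$1" "$2"
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 -extfile ca.ext -out "$1.pem" 2>/dev/null; }
# mkissued NAME SUBJECT ISSUER EXTFILE: certificate signed by ISSUER's key
mkissued() { csr "$1" "$2"
  openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
    -days 30 -extfile "$4" -out "$1.pem" 2>/dev/null; }

mkroot   amazon_root '/CN=Constructed Root CA 1'         # stands in for Amazon Root CA 1
mkroot   rds_root    '/CN=Constructed RDS Root 2019 CA'  # stands in for rds-ca-2019-root.pem
mkissued server_ca   '/CN=Constructed Server CA 1B' amazon_root ca.ext
mkissued leaf        '/CN=db.example.test' server_ca leaf.ext
cp server_ca.pem sent_intermediates.pem   # a server sends leaf + intermediates, never the root

# show_chain FILE...: subject and issuer of each cert, in the order a client receives them
show_chain() { for f in "$@"; do openssl x509 -in "$f" -noout -subject -issuer; done; }
# verify_ca ROOT: the check sslmode=verify-ca performs with sslrootcert=ROOT (exit 0 = trusted)
verify_ca() { openssl verify -CAfile "$1" -untrusted sent_intermediates.pem leaf.pem >/dev/null 2>&1; }
# verify_full ROOT HOST: verify_ca plus the hostname match that sslmode=verify-full adds
verify_full() { openssl verify -CAfile "$1" -untrusted sent_intermediates.pem \
                  -verify_hostname "$2" leaf.pem >/dev/null 2>&1; }

show_chain leaf.pem sent_intermediates.pem
for root in amazon_root rds_root; do
  if verify_ca "$root.pem"; then echo "sslrootcert=$root.pem: OK"
  else echo "sslrootcert=$root.pem: x509: certificate signed by unknown authority"; fi
done
# Against a live server the presented chain is captured with (Postgres starts TLS only
# after an SSLRequest message, hence -starttls postgres):
#   openssl s_client -starttls postgres -connect HOST:5432 -showcerts </dev/null
```

Only the root that signed the intermediate passes; a root from a different hierarchy, however official, cannot validate this chain, which is why the chain the server actually presents has to be inspected before choosing sslrootcert.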
I also got the error with the RDS bundle below from the Aurora doc: https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL.html).

But I tried the other CA cert given in the same wiki and it resolved the "x509 unknown authority" issue, and the client is able to verify the root cert: https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem