AWS Aurora PostgreSQL - x509: certificate signed by unknown authority

Question

I have a (slight) working understanding of x509 certs and I've been trying to understand why the instructions I followed aren't working.

I followed https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL.html which simply says, connect with sslmode=verify-ca (or verify-full ) and sslrootcert=$CERTPATH , where $CERTPATH is the path to cert they provide in the first paragraph of the guide. Doing that I get x509: certificate signed by unknown authority .

Debugging this a bit, I (with my bad understanding of x509) expected the RDS to respond with some cert with CN=*.something.us-west-2.rds.amazonaws.com (the database) issued by something like CN=Amazon RDS us-west-2 2019 CA with an intermediate for chaining the CN=Amazon RDS us-west-2 2019 CA cert to Amazon RDS Root 2019 CA and Amazon RDS Root 2019 CA is our sslrootcert .

What I see is a cert with CN=*.something.us-west-2.rds.amazonaws.com issued by OU=Server CA 1B, CN=Amazon and an intermediate from CN=Amazon,OU=Server CA 1B to Amazon Root CA 1 - Amazon's root cert on amazontrust.com from https://www.amazontrust.com/repository/AmazonRootCA1.pem . So psql "postgres://.../dbname?sslmode=verify-ca&sslrootcert=AmazonRootCA1.pem" works just fine.

Is Aurora misconfigured somehow? Am I doing something slightly wrong? I figure using sslrootcert=AmazonRootCA1.pem isn't terrible but I want to understand the piece I'm missing, mentally. Any help is appreciated.

Answer 1

I also got the error with the below rds bundle from Aurora Doc: https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem

https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL.html

But i tried other ca cert given in same wiki and it resolved "x509 unknown authority" issue and client is able to verify root cert. https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem