Connect App Runner with DocumentDB

0

I'm trying to connect an App Runner service with a DocumentDB cluster that has TLS enabled. I already configured a VPC Connector to associate my service with the DocumentDB's VPC but unfortunately, I get a "timeout error". I was able to connect that DocumentDB cluster with a Lambda, but not with an App Runner. Is it possible to connect these two services?

Thanks, Mario

Mario
asked 10 months ago, 591 views
1 Answer
2
Accepted answer

You should ensure that you are configuring your App Runner instance to run within the VPC. From inside the VPC it should be able to access protected resources like the DocumentDB instance.

You can follow this walkthrough guide to help you configure the desired architecture. https://aws.amazon.com/blogs/containers/observability-for-aws-app-runner-vpc-networking/

I hope this resolves your issues.

EXPERT
answered 10 months ago
  • Hi Justin, thank you for your quick reply.

    I already tried that, but still no luck. I've re-created the VPC, security groups, and everything. I continue having the following timeout error:

    A timeout occurred after 30000ms selecting a server using CompositeServerSelector.

    I also tried using a DocumentDB cluster with TLS disabled and had the same error.

  • Hey Mario, can you share the App Runner code that you are using to connect to the database from within the application? Please change or redact any sensitive information such as username and/or password.

  • Hi Justin! Here is a summary of how my App Runner creates a connection to DocumentDB. It works fine when trying to connect a Lambda function with that DocumentDB cluster (TLS is enabled), but not when trying to connect the App Runner.

    using MongoDB.Driver;

    private IMongoDatabase CreateConnection()
    {
        // Connection string: TLS required, DocumentDB replica set "rs0",
        // reads routed to secondaries. Placeholders are filled in below.
        var template = "mongodb://{0}:{1}@{2}/?tls=true&replicaSet=rs0&readpreference=secondaryPreferred";
        var username = "<user>";
        var password = "<password>";
        var clusterEndpoint = "<cluster-endpoint:27017>";
        var connectionString = string.Format(template, username, password, clusterEndpoint);
        var databaseName = "<database-name>";

        // The driver validates the server certificate chain during the TLS handshake
        return new MongoClient(connectionString).GetDatabase(databaseName);
    }


    With the same code, I get the following error messages on the App Runner:

    A timeout occurred after 30000ms selecting a server using CompositeServerSelector
    The remote certificate is invalid because of errors in the certificate chain.
    

    I tried registering this certificate bundle https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem when the app starts, but it still does not work :(

    using System.Security.Cryptography.X509Certificates;

    // Verbatim string so the backslash is not read as an escape sequence
    var pathToCAFile = @"PATH\global-bundle.pem";
    var localTrustStore = new X509Store(StoreName.Root);
    var certificateCollection = new X509Certificate2Collection();
    // Load every certificate contained in the PEM bundle
    certificateCollection.Import(pathToCAFile);

    // Open the Root store read/write and add the imported CA certificates
    localTrustStore.Open(OpenFlags.ReadWrite);
    localTrustStore.AddRange(certificateCollection);
    localTrustStore.Close();

  • I finally fixed the issue, following some recommendations I found in this post: https://stackoverflow.com/questions/67013408/cert-error-connecting-to-aws-documentdb-from-docker-c-sharp-app

    I've included the following lines in my Dockerfile:

    # add AWS RDS CA bundle
    ADD https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem /tmp/rds-ca/aws-rds-ca-bundle.pem
    # split the bundle into individual certs (prefixed with xx)
    # see http://blog.swwomm.com/2015/02/importing-new-rds-ca-certificate-into.html
    RUN cd /tmp/rds-ca && cat aws-rds-ca-bundle.pem|awk 'split_after==1{n++;split_after=0} /-----END CERTIFICATE-----/ {split_after=1} {print > "cert" n ""}' \
        && for CERT in /tmp/rds-ca/cert*; do mv $CERT /usr/local/share/ca-certificates/aws-rds-ca-$(basename $CERT).crt; done \
        && rm -rf /tmp/rds-ca \
        && update-ca-certificates
    

    I just want to thank Justin who helped me a lot with the walkthrough guide he provided me.

  • I am glad you resolved your problem! I'm always happy to help.
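The Dockerfile in the accepted fix downloads the RDS CA bundle, splits it into one file per certificate with awk, and hands the pieces to update-ca-certificates. The script below is an added example, not code from the thread, that does the same split in a checkable way: it writes one `cert-N.pem` per certificate, drops any non-PEM text between blocks (the thread's awk keeps it), and verifies that each output file holds exactly one well-formed PEM block before anything is copied into a trust store. The two-certificate bundle is constructed for the example; its bodies are dummy data, not real certificates, and the function names are mine.

```shell
#!/bin/sh
# Added example: split a PEM CA bundle into single-certificate files and
# verify the result, mirroring the Dockerfile step from the accepted fix.
set -eu

# Constructed sample bundle: two PEM-shaped blocks with dummy bodies, plus a
# stray comment line between them of the kind some bundles carry.
SAMPLE_BUNDLE='-----BEGIN CERTIFICATE-----
MIIBconstructedSampleCertificateOne
-----END CERTIFICATE-----
# subject=example intermediate (constructed comment line)
-----BEGIN CERTIFICATE-----
MIIBconstructedSampleCertificateTwo
-----END CERTIFICATE-----'

# split_bundle BUNDLE_FILE OUT_DIR
# Writes OUT_DIR/cert-1.pem, cert-2.pem, ... and prints how many were written.
# Only lines inside BEGIN/END markers are copied, so text between blocks is dropped.
split_bundle() {
    bundle="$1"; out="$2"
    mkdir -p "$out"
    awk -v out="$out" '
        /-----BEGIN CERTIFICATE-----/ { n++; file = out "/cert-" n ".pem"; in_cert = 1 }
        in_cert { print > file }
        /-----END CERTIFICATE-----/ { in_cert = 0; close(file) }
        END { print n + 0 }
    ' "$bundle"
}

# check_cert FILE
# Succeeds only if FILE starts with BEGIN, ends with END, and contains one block.
check_cert() {
    head -n 1 "$1" | grep -q '^-----BEGIN CERTIFICATE-----$' || return 1
    tail -n 1 "$1" | grep -q '^-----END CERTIFICATE-----$' || return 1
    [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1")" -eq 1 ]
}

# demo: split the constructed bundle in a temp dir and print
# "<files written> <files that passed check_cert>"
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' "$SAMPLE_BUNDLE" > "$tmp/bundle.pem"
    count=$(split_bundle "$tmp/bundle.pem" "$tmp/split")
    ok=0
    for f in "$tmp"/split/cert-*.pem; do
        check_cert "$f" && ok=$((ok + 1))
    done
    rm -rf "$tmp"
    echo "$count $ok"
}

demo
```

In a real image you would point `split_bundle` at the downloaded bundle, run `check_cert` over the outputs, and only then move the files into `/usr/local/share/ca-certificates/` with a `.crt` extension and run `update-ca-certificates`, so that a truncated download or a stray non-certificate line never lands in the container's trust store.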
