Invalid certificate for AWS RDS in ap-east-1

Question

# Issue
Hi. I created the AWS RDS Postgres database in ap-east-1 (Hong Kong) region and tried connecting to the database from my Java app with the following configuration:
```
jdbc:postgresql://${database-hostname}:${database-port}/${database-name}?ssl=true&sslmode=verify-full&sslrootcert=${AWS_RDS_CERT_PATH}/${AWS_RDS_CERT_NAME}
```
But I got the error: `unable to find valid certification path to requested target`

# Investigation
Then I tried to fetch the certificate from my newly created RDS instance with the OpenSSL version `1.1.1f` using the following command:
```
echo "" | openssl s_client -starttls postgres -connect $DB_HOSTNAME:5432 -showcerts -prexit 2>/dev/null | sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p' > certificate.pem
```
[certificate.pem](https://www.amazon.com/clouddrive/share/iXXIxJe9fyGjpkwF7ykqq7pszqgbyCahRe4RZbjRnFT)

Next, I downloaded Asia Pacific (Hong Kong) [PEM certificate](https://www.amazon.com/clouddrive/share/Yiid38jeib4WcnePsYG2mg169QGsud8HoR33KjZ34GC) from the [AWS Documentation page](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html) and tried to verify the RDS certificate using the following command:
```
openssl verify -verbose -x509_strict -CAfile $AWS_RDS_CA_PEM certificate.pem
```
Where the `AWS_RDS_CA_PEM` environment variable contains a path to AWS Certificate. And got the following result:
```
CN = database-1.cmr1eqjbhlka.ap-east-1.rds.amazonaws.com, OU = RDS, O = Amazon.com, L = Seattle, ST = Washington, C = US
error 20 at 0 depth lookup: unable to get local issuer certificate
error certificate.pem: verification failed
```
So maybe it happens because the AWS RDS servers are compromised and someone trying to implement [MITM attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack).

Then I tried to get the AWS CA certificate information by issuing the following command:

`openssl x509 -in $AWS_RDS_CA_PEM -noout -text`.
And the result shows the strange validity:
```
...
        Validity
            Not Before: May 25 21:30:33 2021 GMT
            Not After : May 25 22:30:33 2061 GMT
...
```
I checked the certificate information using AWS CLI command and got the following result:
![AWS CLI certificate result](/media/postImages/original/IMDnoyySPJQDqp0hR6QxOp4g)

Could you please let me know whether AWS RDS `ap-east-1` servers are compromised or if it is just an issue on the AWS Documentation page? or it is both?

**Update**: the AWS RDS instance shows that it uses `rds-ca-rsa2048-g1` for the certificate authority. I already tried [certificates from the amazonaws.cn](https://docs.amazonaws.cn/en_us/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html) but nothing works for me.

How to be sure that the AWS RDS connection is not compromised? I can export certificates from the AWS RDS and my programs can connect to AWS RDS but it would violate the whole idea of having certificates for TLS connection.

Answer

Hi, Please submit a support case for assistance.

Invalid certificate for AWS RDS in ap-east-1

Issue

Investigation

Relevant content