SSL error for MySQL RDS connection on Kubernetes


I have an environment where SSL is enabled for the db connection with Amazon RDS MySQL, and I'm seeing the following exception when the application starts:

```
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
```

I have downloaded the pem file from the Amazon website, and used the following scripts to first create the truststore, then to upload the secret to the environments.

Script to create the truststore:

```bash
mydir="/myproject/scripts/python/secrets/resources"   # no space after '=' or the line is run as a command
truststore=truststore.jks
storepassword=password

# Split the bundle into one file per certificate (rds-ca-aa, rds-ca-ab, ...).
# '-p pattern' is the BSD/macOS split option; GNU split does not have it.
split -p "-----BEGIN CERTIFICATE-----" /myproject/scripts/python/secrets/resources/dev-certs/eucentral/eu-central-1-bundle.pem rds-ca-

for CERT in rds-ca-*; do
  # the certificate's subject CN becomes the truststore alias
  alias=$(openssl x509 -noout -text -in "$CERT" | perl -ne 'next unless /Subject:/; s/.*(CN=|CN = )//; print')
  echo "Importing $alias"
  keytool -import -file "${CERT}" -alias "${alias}" -storepass "${storepassword}" -keystore "${truststore}" -noprompt
  rm "$CERT"
done

echo "Trust store content is: "

keytool -list -v -keystore "$truststore" -storepass "${storepassword}" | grep Alias | cut -d " " -f3- | while read alias
do
  # print the "until:" date of each entry
  expiry=$(keytool -list -v -keystore "$truststore" -storepass "${storepassword}" -alias "${alias}" | grep Valid | perl -ne 'if(/until: (.*?)\n/) { print "$1\n"; }')
  echo " Certificate ${alias} expires in '$expiry'"
done
```

Script to upload the secret to Kubernetes:

```python
import os


def create_certificate_secret(context, namespace, secret_name):
    certs = []
    path = 'resources/'  # relative to the directory the script is run from

    if 'dev' in context:
        path = path + 'dev-certs/'

    eu_central_certs = ['truststore.jks', 'eu-central-1-bundle.pem']

    if 'eucentral' in context:
        path = path + 'eucentral/'
        certs = eu_central_certs

    # one secret holding both the JKS truststore and the PEM bundle
    statement = "kubectl --context " + context + " -n " + namespace + " create secret generic " + secret_name

    for cert in certs:
        statement = statement + " --from-file=" + cert + '=' + path + cert

    os.system(statement)
```

When I run the script, I can see that the secret gets created, that it has the pem file and the truststore inside, and that all the certificates from the pem were included in the truststore. The mountPath looks correct too, so I am wondering why the above configuration doesn't work. One thing I noticed was that when I reran the first script, the truststore was recreated with the certificates appearing in the same order in the output, but when it got uploaded to Kubernetes, the encoded string associated with it in the secret was different. This didn't happen if I just uploaded it without recreating the truststore.
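A reader for the JKS file format keytool writes, added here as an example (not the asker's code) to show why a rebuilt truststore.jks gets a different encoded value in the secret: every entry stores its import timestamp and the file ends with a digest over everything before it, so identical CA certificates still yield different bytes, and comparing by certificate fingerprint is the check that tells a harmless rebuild from a real change. It assumes a JKS-format file (newer keytool versions default to PKCS12 unless `-storetype JKS` is given; a PKCS12 file also differs on every rebuild), and the store writer, aliases and certificate blobs below are constructed sample input, not real RDS certificates.

```python
import hashlib
import struct

JKS_MAGIC, JKS_VERSION, TRUSTED_CERT = 0xFEEDFEED, 2, 2  # tag 2 marks a trusted-certificate entry

def _utf(s):  # Java writeUTF: 2-byte big-endian length prefix followed by the UTF-8 bytes
    return struct.pack(">H", len(s.encode("utf-8"))) + s.encode("utf-8")
def _digest(password, body):  # SHA-1(password as UTF-16BE || "Mighty Aphrodite" || store bytes)
    return hashlib.sha1(password.encode("utf-16-be") + b"Mighty Aphrodite" + body).digest()

def build_trust_store(certs, password, timestamp_ms):
    # Writer used only to construct sample input; mirrors the layout keytool produces.
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(certs))
    for alias, der in certs:  # certs is a list of (alias, DER bytes) pairs
        body += struct.pack(">I", TRUSTED_CERT) + _utf(alias) + struct.pack(">Q", timestamp_ms)
        body += _utf("X.509") + struct.pack(">I", len(der)) + der
    return body + _digest(password, body)

def read_trust_store(data, password):
    # Returns {alias: (import timestamp in ms, SHA-256 fingerprint of the DER certificate)}
    if data[-20:] != _digest(password, data[:-20]):
        raise ValueError("integrity digest mismatch: wrong store password or corrupted file")
    magic, version, count = struct.unpack_from(">III", data, 0)
    if (magic, version) != (JKS_MAGIC, JKS_VERSION):
        raise ValueError("not a JKS version 2 store")
    pos, entries = 12, {}
    for _ in range(count):
        tag, n = struct.unpack_from(">IH", data, pos)
        if tag != TRUSTED_CERT:
            raise ValueError("only trusted-certificate entries are handled here")
        alias = data[pos + 6:pos + 6 + n].decode("utf-8")
        pos += 6 + n
        ts, n = struct.unpack_from(">QH", data, pos)  # timestamp, then length of the "X.509" type string
        pos += 10 + n
        n, = struct.unpack_from(">I", data, pos)
        entries[alias] = (ts, hashlib.sha256(data[pos + 4:pos + 4 + n]).hexdigest())
        pos += 4 + n
    return entries

def same_trust_anchors(store_a, store_b, password):
    # Compare by certificate fingerprint only; the per-entry import timestamps are ignored
    def fingerprints(store):
        return {a: f for a, (_, f) in read_trust_store(store, password).items()}
    return fingerprints(store_a) == fingerprints(store_b)

# Constructed sample input: placeholder blobs stand in for the DER-encoded RDS CA certificates
SAMPLE_CERTS = [("amazon rds eu-central-1 root ca", b"\x30\x82-placeholder-root"),
                ("amazon rds eu-central-1 ca", b"\x30\x82-placeholder-intermediate")]
STORE_FIRST = build_trust_store(SAMPLE_CERTS, "password", 1700000000000)    # first run of the script
STORE_REBUILT = build_trust_store(SAMPLE_CERTS, "password", 1700000060000)  # rerun a minute later
```

Running `read_trust_store` on the file mounted in the pod (`read_trust_store(open(path, "rb").read(), "password")`) lists the aliases and fingerprints the application actually trusts, which can be compared with the fingerprints `keytool -list -v` prints for the bundle's CAs.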

No Answers
