By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Can't connect to RDS - ERR_TLS_CERT_ALTNAME_INVALID!

0

I can't connect to RDS using TLS. Initially, the issue is probably with the self-signed cert - using "rejectunauthorized: false" works, but I don't want to do that. Then I found out we can pass certificates. I have downloaded the global-bundle.pem and passed it, but I was getting an "ERR_TLS_CERT_ALTNAME_INVALID" error

"ERR_TLS_CERT_ALTNAME_INVALID" typically occurs when there's a mismatch between the domain name in the URL that we are trying to access and the domain names listed in the SSL certificate installed on the server.

PS: The backend is Node js

Topics
DatabaseMigration & ModernizationAnalyticsInternet of Things (IoT)
Tags
PostgreSQLAmazon Relational Database ServiceDatabaseTransport Layer Security (TLS)
Language
English
Nithish
asked 15 days ago550 views
1 Answer
0
Accepted Answer

So, this is the error I got:

Hostname/IP does not match certificate's altnames: Host: pgssltest.cname.com. is not cert's CN: pgssltest.xxxxxxxxxxxx.region.rds.amazonaws.com

As the error implies, because the certificate provided by RDS contains a different domain name than the CNAME, it is treated as invalid.

To bypass this, we can use the following Nodejs code:

checkServerIdentity: (host: string, cert: tls.PeerCertificate) => {
          const error = tls.checkServerIdentity(host, cert);
          if (
            error &&
            !cert.subject.CN.endsWith(
              (process.env.AWS_REGION || process.env.AWS_DEFAULT_REGION || "") +
                ".rds.amazonaws.com",
            )
          ) {
            return error;
          }
        },
      }
Nithish
answered 14 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content