Can not connect to Postgres over DB Proxy (TLS issue)

0

Hello

I have created an AWS RDS DB Proxy in Terraform to connect through it with our application. We are using SSL root certs for encryption, and everything works fine if we connect from the app to the DB directly. But when we switched to the proxy, we received the following error message:

{"level":"error","time":1711237046982,"serviceContext":{"version":"unknown"},"context":"Nest.js","err":{"type":"Object","message":"unable to get local issuer certificate","stack":"Error: unable to get local issuer certificate\n at TLSSocket.onConnectSecure (node:_tls_wrap:1659:34)\n at TLSSocket.emit (node:events:517:28)\n at TLSSocket._finishInit (node:_tls_wrap:1070:8)\n at ssl.onhandshakedone (node:_tls_wrap:856:12)"},"data":"ExceptionHandler","message":"error"}

I do not understand why this happens, as the DB Proxy should not use other TLS root cert versions than the ones provided during the DB creation. Could someone help with how to fix it? Thanks.

4 Answers
1

Your client application is unable to verify the SSL certificate chain provided by your AWS RDS DB Proxy. To troubleshoot, you can run the following command:

openssl s_client -connect <rds-proxy-endpoint>:<port> -showcerts

This command establishes a TLS/SSL connection to your AWS RDS DB Proxy and provides diagnostic information about the handshake and the certificate chain.

Key source: OpenSSL s_client documentation.

Note: While this may not directly resolve your issue, it will provide valuable insights into the underlying cause.

EXPERT
answered a month ago
  • It seems that your RDS instance is not properly configured to support SSL connections. Could you please revisit and follow the steps outlined in the guide Using SSL/TLS to encrypt a connection to a DB instance or cluster to ensure that all configurations are correct?

  • Hello.

    Here is the output:

    ubuntu@pc:~$ openssl s_client -connect MY_PROXY_ENDPOINT_HERE.us-east-1.rds.amazonaws.com:5432 -showcerts
    
    CONNECTED(00000003)
    

    Unfortunately, I do not observe any information related to the SSL handshake.

    Connecting to the DB directly also gives no useful information.

    ubuntu@pc:~$ openssl s_client -connect MY_DB_ENDPOINT_HERE.us-east-1.rds.amazonaws.com:5432 -showcerts
    CONNECTED(00000003)
    4037E0C8F57F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:308:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 369 bytes
    Verification: OK
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 0 (ok)
    
  • I have checked our DB server configuration. There is only an option to change the Root CA and nothing else in terms of SSL adjustments. And, as I told before, our app can connect over SSL to the DB directly using the mentioned cert and its Root CA (rds-ca-rsa2048-g1), but not via the DB proxy. So it looks like everything is fine with the DB server itself.

    ubuntu@pc:~$ psql "host=MY_DB_HOST_HERE.us-east-1.rds.amazonaws.com port=5432 dbname=postgres user=postgres sslmode=require sslrootcert=cert.pem"
    Password for user postgres:
    psql (15.6 (Ubuntu 15.6-1.pgdg22.04+1), server 15.5)
    SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, compression: off)
    Type "help" for help.
    
    postgres=>
    

    Now let's connect to the DB over the proxy:

    psql "host=MY_RDS_PROXY_HERE.us-east-1.rds.amazonaws.com port=5432 dbname=postgres user=postgres sslmode=require sslrootcert=cert.pem"
    psql: error: connection to server at "MY_DB_PROXY_HERE.us-east-1.rds.amazonaws.com" (SOME INTERNAL IP HERE), port 5432 failed: SSL error: certificate verify failed
    

    Update: after adding the proxy endpoint resource in Terraform, I have managed to connect to the DB proxy from the command line:

    ubuntu@pc:~$ psql "host=MY_DB_PROXY_HERE.us-east-1.rds.amazonaws.com port=5432 dbname=postgres user=postgres sslmode=require sslrootcert=cert.pem"
    Password for user postgres:
    

    But I am still getting the same SSL error in the app, even after its redeployment and updating the value for the proxy endpoint in Parameter Store. Any ideas where the issue is?

1

Download the correct CA certificate from the AWS RDS console (typically the RDS combined CA bundle). Make sure it's the one used to sign the Proxy's certificate.

EXPERT
answered a month ago
EXPERT
reviewed a month ago
  • Done. Downloaded this: https://truststore.pki.rds.amazonaws.com/us-east-1/us-east-1-bundle.pem (our DB uses Root CA rds-ca-rsa2048-g1). Updated the cert in Parameter Store and redeployed the app, but I am still getting the same error when connecting through the DB Proxy:

    {"level":"error","time":1711292117599,"serviceContext":{"version":"unknown"},"context":"Nest.js","err":{"type":"Object","message":"unable to get local issuer certificate","stack":"Error: unable to get local issuer certificate\n at TLSSocket.onConnectSecure (node:_tls_wrap:1659:34)\n at TLSSocket.emit (node:events:517:28)\n at TLSSocket._finishInit (node:_tls_wrap:1070:8)\n at ssl.onhandshakedone (node:_tls_wrap:856:12)"},"data":"ExceptionHandler","message":"error"}
    
0

Trying to update the target and associate it with the DB, but getting such a notification. And even if I ignore it, select the DB, press "Save changes" and refresh the page, the DB is still absent from the drop-down menu of the associated DB for the targets. Very frustrating.

Personally, for me it looks like a bug or a glitch on the AWS side, because it is against any logic. There are no error messages saying that the DB can not be added. It is just absent after it has been added!

answered a month ago
0

Well. I have a solution. Finally. (Just compare the two command outputs against the DB and the PROXY: look at the "CN =" field and see the difference.)

openssl s_client -connect YOUR_DB_PROXY_HERE:5432 -starttls postgres -CAfile cert.pem

CN = Starfield Services Root Certificate Authority - G2

openssl s_client -connect YOUR_DB_HOST_HERE:5432 -starttls postgres -CAfile cert.pem

CN = Amazon RDS us-east-1 Subordinate CA RSA2048 G1.A.8, L = Seattle


As it turned out, the DB proxy uses a different ROOT CA (Starfield Services Root Certificate Authority - G2) than the one being used by the RDS database (Amazon RDS us-east-1 Subordinate CA RSA2048 G1.A.8, L = Seattle). Why is that? Why is there no information about it? Wasted 2 days on that!!! This question is addressed to the AWS staff here! And why is there no option in AWS DB Proxy to choose the Root CA, as there is in AWS RDS DB? Do you think that is OK? NO!

Thanks.

answered a month ago
EXPERT
reviewed a month ago
