Questions tagged with Amazon Relational Database Service

Invalid certificate for AWS RDS in ap-east-1

# Issue

Hi. I created the AWS RDS Postgres database in the ap-east-1 (Hong Kong) region and tried connecting to the database from my Java app with the following configuration:

```
jdbc:postgresql://${database-hostname}:${database-port}/${database-name}?ssl=true&sslmode=verify-full&sslrootcert=${AWS_RDS_CERT_PATH}/${AWS_RDS_CERT_NAME}
```

But I got the error: `unable to find valid certification path to requested target`

# Investigation

Then I tried to fetch the certificate from my newly created RDS instance with OpenSSL version `1.1.1f` using the following command:

```
echo "" | openssl s_client -starttls postgres -connect $DB_HOSTNAME:5432 -showcerts -prexit 2>/dev/null | sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p' > certificate.pem
```

[certificate.pem](https://www.amazon.com/clouddrive/share/iXXIxJe9fyGjpkwF7ykqq7pszqgbyCahRe4RZbjRnFT)

Next, I downloaded the Asia Pacific (Hong Kong) [PEM certificate](https://www.amazon.com/clouddrive/share/Yiid38jeib4WcnePsYG2mg169QGsud8HoR33KjZ34GC) from the [AWS Documentation page](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html) and tried to verify the RDS certificate using the following command:

```
openssl verify -verbose -x509_strict -CAfile $AWS_RDS_CA_PEM certificate.pem
```

where the `AWS_RDS_CA_PEM` environment variable contains the path to the AWS certificate. I got the following result:

```
CN = database-1.cmr1eqjbhlka.ap-east-1.rds.amazonaws.com, OU = RDS, O = Amazon.com, L = Seattle, ST = Washington, C = US
error 20 at 0 depth lookup: unable to get local issuer certificate
error certificate.pem: verification failed
```

So maybe it happens because the AWS RDS servers are compromised and someone is trying to carry out a [MITM attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack). Then I tried to get the AWS CA certificate information by issuing the following command: `openssl x509 -in $AWS_RDS_CA_PEM -noout -text`. The result shows a strange validity:

```
...
Validity
    Not Before: May 25 21:30:33 2021 GMT
    Not After : May 25 22:30:33 2061 GMT
...
```

I checked the certificate information using an AWS CLI command and got the following result:

![AWS CLI certificate result](/media/postImages/original/IMDnoyySPJQDqp0hR6QxOp4g)

Could you please let me know whether the AWS RDS `ap-east-1` servers are compromised, or if it is just an issue on the AWS Documentation page? Or is it both?

**Update**: the AWS RDS instance shows that it uses `rds-ca-rsa2048-g1` for the certificate authority. I already tried the [certificates from amazonaws.cn](https://docs.amazonaws.cn/en_us/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html) but nothing works for me. How can I be sure that the AWS RDS connection is not compromised? I can export certificates from AWS RDS and my programs can connect to AWS RDS, but that would defeat the whole idea of having certificates for a TLS connection.
0 answers · 0 votes · 31 views · asked 20 days ago
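The `error 20 at 0 depth lookup: unable to get local issuer certificate` result above is what `openssl verify` reports whenever the bundle passed to `-CAfile` does not contain the CA that signed the leaf, whether because the bundle is the wrong one or because the chain is genuinely untrusted. The script below is an added example, not code from the question or from AWS: it builds a throwaway CA and a leaf certificate signed by it, verifies the leaf against that CA and against an unrelated CA to reproduce the error, and then performs the check that tells the two cases apart, comparing the leaf's Issuer DN with the bundle's Subject DN. All names (`database-1.example.invalid`, the "Constructed ... Root CA" names) are constructed; nothing here contacts a database. Applied to the real `certificate.pem` and the downloaded bundle, the same Issuer comparison shows whether the bundle in hand is even the one that issued the server certificate before any conclusion is drawn about the connection.

```shell
#!/bin/sh
# Added example (not from the question): reproduce "unable to get local issuer
# certificate" with a mismatched CA bundle and show the Issuer/Subject check
# that explains it. Every name below is constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Self-contained OpenSSL config so the example does not depend on the system
# openssl.cnf. The subject is always supplied with -subj, so [ dn ] is a stub.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Extensions for the server (leaf) certificate.
cat > "$WORK/leaf.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:database-1.example.invalid
authorityKeyIdentifier = keyid, issuer
EOF

# make_ca NAME: self-signed root CA written to $WORK/NAME.key and $WORK/NAME.pem
make_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 2 \
        -config "$WORK/req.cnf" -extensions v3_ca \
        -subj "/CN=Constructed $1 Root CA" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

make_ca right      # the CA that actually signs the leaf
make_ca unrelated  # a different CA, standing in for a bundle that did not issue the leaf

# Leaf certificate: CSR, then signed by the "right" CA with the extensions above.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$WORK/req.cnf" \
    -subj "/CN=database-1.example.invalid/OU=RDS/O=Constructed" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -sha256 -days 2 \
    -CA "$WORK/right.pem" -CAkey "$WORK/right.key" -CAcreateserial \
    -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

# verify_leaf BUNDLE LEAF: prints "OK", or the first "error N ..." line from openssl.
verify_leaf() {
    if out="$(openssl verify -CAfile "$1" "$2" 2>&1)"; then
        echo OK
    else
        msg="$(printf '%s\n' "$out" | sed -n '/^error [0-9]/{p;q;}')"
        printf '%s\n' "${msg:-$out}"
    fi
}

# issuer_matches BUNDLE LEAF: compares the leaf's Issuer DN with the bundle's
# Subject DN (RFC 2253 form). "mismatch" means the bundle cannot have signed
# the leaf, regardless of whether the leaf itself is trustworthy.
issuer_matches() {
    issuer="$(openssl x509 -in "$2" -noout -issuer -nameopt RFC2253 | sed 's/^[^=]*=//')"
    subject="$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^[^=]*=//')"
    [ "$issuer" = "$subject" ] && echo match || echo mismatch
}

echo "right CA:     $(verify_leaf "$WORK/right.pem" "$WORK/leaf.pem") (issuer $(issuer_matches "$WORK/right.pem" "$WORK/leaf.pem"))"
echo "unrelated CA: $(verify_leaf "$WORK/unrelated.pem" "$WORK/leaf.pem") (issuer $(issuer_matches "$WORK/unrelated.pem" "$WORK/leaf.pem"))"
```

The second line of output is the same `error 20 at 0 depth lookup: unable to get local issuer certificate` seen in the question, produced purely by handing `openssl verify` a CA that did not sign the leaf. For a real server, the leaf for the Issuer comparison is the one captured with `openssl s_client -starttls postgres -showcerts` as above, and the bundle is the one for the CA the instance reports in its configuration.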

Connection reset by peer: Lost connection to MySQL server during query ([Errno 54]

I have a Python application that is querying a MySQL database (v `8.0.28`) hosted on AWS RDS. The code in the application looks something like this:

```
import pandas as pd
import pymysql
from sqlalchemy import create_engine

user = 'usr1'
pwd = 'pwd1'
host = 'aaaaa.us-west-1.rds.amazonaws.com'
port = 3306
database = 'db1'

engine = create_engine("mysql+pymysql://{}:{}@{}/{}".format(user, pwd, host, database))
con = engine.connect()
query = '''
select * from db1.tbl1
'''
df = pd.read_sql(query, con)
con.close()
```

The application triggers a query upon loading and the query returns successful results. However, after a few minutes (2-3) of idle time, I get an error when it tries to query the DB again / establish a connection. Error traceback:

```
File "/Applications/Anaconda/anaconda3/lib/python3.9/site-packages/pymysql/connections.py", line 692, in _read_packet
    packet_header = self._read_bytes(4)
File "/Applications/Anaconda/anaconda3/lib/python3.9/site-packages/pymysql/connections.py", line 738, in _read_bytes
    raise err.OperationalError(
sqlalchemy.exc.OperationalError: (pymysql.err.OperationalError) (2013, 'Lost connection to MySQL server during query ([Errno 54] Connection reset by peer)')
[SQL: SELECT users.id AS users_id, users.fullname AS users_fullname, users.email AS users_email, users.password AS users_password, users.name AS users_name FROM users WHERE users.id = %(pk_1)s]
[parameters: {'pk_1': 1}]
(Background on this error at: https://sqlalche.me/e/14/e3q8)
```

We're trying to isolate the issue to whether this is on the application side or the DB host side. https://aws.amazon.com/rds/mysql/
1 answer · 0 votes · 60 views · asked a month ago
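Error 2013 (and its sibling 2006, "MySQL server has gone away") is what a MySQL client reports when it tries to use a connection that was closed underneath it while idle, by the server, a NAT or load balancer, or any other middlebox. The usual defences are to test each pooled connection with a cheap query before handing it out ("pre-ping") and to retire connections before they reach the idle limit ("recycle"). The block below is an added example, not code from the question or from SQLAlchemy: a minimal pool implementing both mechanisms, with `sqlite3` standing in for MySQL so it runs offline. The `server_drops_connection` helper is a constructed stand-in for the peer closing the idle socket, and the `PrePingPool` class and its method names are this example's own.

```python
"""Added example: a minimal pool with pre-ping and age-based recycle, the two
mechanisms that keep an idle-closed connection from surfacing as error 2013.
sqlite3 stands in for MySQL so the example runs offline."""
import sqlite3
import time

# MySQL client error codes seen when an idle connection was closed underneath
# the client: 2006 "MySQL server has gone away", 2013 "Lost connection to
# MySQL server during query". pymysql puts the code in exc.args[0].
STALE_CONNECTION_ERRNOS = {2006, 2013}


def is_stale_connection_error(exc):
    """True for driver errors whose first argument is a stale-connection code."""
    return bool(exc.args) and exc.args[0] in STALE_CONNECTION_ERRNOS


class PrePingPool:
    def __init__(self, connect, recycle_seconds, clock=time.monotonic):
        self._connect = connect          # zero-arg callable returning a DB-API connection
        self._recycle = recycle_seconds  # maximum age before a connection is replaced
        self._clock = clock              # injectable so age-based recycling can be tested
        self._idle = []                  # [(conn, created_at)]
        self.discarded = 0               # connections thrown away as dead or too old

    def _ping(self, conn):
        """Pre-ping: a cheap round trip proves the socket is still alive."""
        try:
            conn.execute("SELECT 1").fetchone()
            return True
        except sqlite3.Error:  # a MySQL driver would raise OperationalError 2006/2013 here
            return False

    def checkout(self):
        """Hand out a live connection, replacing any that is dead or past recycle age."""
        while self._idle:
            conn, created = self._idle.pop()
            too_old = self._clock() - created > self._recycle
            if too_old or not self._ping(conn):
                self.discarded += 1
                conn.close()
                continue
            return conn, created
        return self._connect(), self._clock()

    def checkin(self, conn, created):
        self._idle.append((conn, created))

    def query_scalar(self, sql):
        """One unit of work: check out, query, check in. Never holds a connection idle."""
        conn, created = self.checkout()
        try:
            return conn.execute(sql).fetchone()[0]
        finally:
            self.checkin(conn, created)


def server_drops_connection(pool):
    """Constructed stand-in for the peer closing the idle socket: every idle
    connection is closed from underneath the pool without the pool knowing."""
    for conn, _ in pool._idle:
        conn.close()


def demo():
    # 1) The peer closes the idle connection: the pre-ping notices and the pool
    #    reconnects transparently instead of raising on the next query.
    pool = PrePingPool(lambda: sqlite3.connect(":memory:"), recycle_seconds=3600)
    first = pool.query_scalar("SELECT 42")
    server_drops_connection(pool)
    second = pool.query_scalar("SELECT 42")  # would raise without the ping

    # 2) Age-based recycle with a fake clock: a connection idle for 200 s is
    #    replaced because the pool's limit is 120 s, before anything can cut it.
    now = [0.0]
    aged = PrePingPool(lambda: sqlite3.connect(":memory:"),
                       recycle_seconds=120, clock=lambda: now[0])
    aged.query_scalar("SELECT 1")
    now[0] = 200.0
    aged.query_scalar("SELECT 1")

    return {"first": first, "second": second,
            "drop_reconnects": pool.discarded, "recycled": aged.discarded}


if __name__ == "__main__":
    print(demo())
```

In SQLAlchemy the same two behaviours are the real `create_engine(url, pool_pre_ping=True, pool_recycle=<seconds below the idle limit>)` options, and the per-query `query_scalar` pattern corresponds to taking a connection per unit of work (`with engine.connect() as con:`) rather than keeping one `con` open across the idle periods described in the question. `is_stale_connection_error` is the classification an application would use to decide that a failed statement is safe to retry once on a fresh connection.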