Unable to get local issuer certificate - issue with new rds-ca-rsa2048-g1 CA

0

Currently we are connecting to a MySQL RDS instance (version 5.7.mysql_aurora.2.11.5) over an SSL connection.

Under the Database connection parameters, we specify SSL: ‘Amazon RDS’. As rds-ca-2019 is set to expire by August 22, 2024, we are in the process of updating the RDS CA to “rds-ca-rsa2048-g1”, but as soon as we update it, we are receiving the following error from the client while connecting it.

“Unable to get local issuer certificate”. 

Looking into the reason and possible solutions, some suggest manually downloading the certificate and adding it to the Docker image.
Is there any reason why we would need to do that? Can we not just use ‘Amazon RDS’, which should include the new cert bundle for rds-ca-rsa2048-g1, right?

Can we just use ‘Amazon RDS’ and have the new cert included in it? If so, is there a timeline for when the new cert bundle will be added to ‘Amazon RDS’?

Is there a timeline for when this issue will be fixed, i.e. the certificate included in the 'Amazon RDS' bundle? Currently we are using SSL: 'Amazon RDS'. We are trying to avoid the following: manually downloading the cert, adding it to the Docker image, then pulling it from the image and using it.

Kindly suggest some solutions. Thanks in Advance.

3 Answers
2

Download the appropriate certificate bundle and ensure they are contained within your container to prevent any SSL certificate validation issues.

https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html

EXPERT
answered a month ago
EXPERT
reviewed a month ago
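The approach in this answer, as an added example that is not code from the post or from the mysqljs project: instead of the built-in `ssl: 'Amazon RDS'` profile, read the bundle downloaded from the AWS page above (the file name `global-bundle.pem` and the container path are assumptions) and pass its certificates to mysqljs as the `ca` option, keeping certificate verification enabled.

```javascript
// Split a PEM bundle into individual certificates. mysqljs hands `ca` to
// Node's tls module, which accepts a single PEM string or an array of them.
function splitPemBundle(pem) {
  const re = /-----BEGIN CERTIFICATE-----[\s\S]*?-----END CERTIFICATE-----/g;
  return pem.match(re) || [];
}

// Build the mysqljs `ssl` object from bundle text. rejectUnauthorized stays
// true: the cure for "unable to get local issuer certificate" is supplying the
// CA that issued the server certificate, not switching verification off.
function rdsSslOptions(bundlePem) {
  const certs = splitPemBundle(bundlePem);
  if (certs.length === 0) {
    throw new Error('CA bundle contains no certificates; check the downloaded file');
  }
  return { ca: certs, rejectUnauthorized: true };
}

// Assumed path inside the container, e.g. after
//   COPY global-bundle.pem /etc/ssl/rds/global-bundle.pem
// in the Dockerfile.
function rdsSslOptionsFromFile(bundlePath) {
  const fs = require('fs');
  return rdsSslOptions(fs.readFileSync(bundlePath, 'utf8'));
}

// Usage with mysqljs (needs the `mysql` package; not called in this file).
function connectToRds(bundlePath, host, user, password, database) {
  const mysql = require('mysql');
  return mysql.createConnection({
    host, user, password, database,
    ssl: rdsSslOptionsFromFile(bundlePath),
  });
}

// Constructed sample bundle with two placeholder certificate blocks
// (not real certificates), used only to exercise the parsing above.
const SAMPLE_BUNDLE = [
  '# constructed sample, not a real AWS bundle',
  '-----BEGIN CERTIFICATE-----',
  'PLACEHOLDER-CA-ONE',
  '-----END CERTIFICATE-----',
  '-----BEGIN CERTIFICATE-----',
  'PLACEHOLDER-CA-TWO',
  '-----END CERTIFICATE-----',
].join('\n');
```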
0

Thank you for the response. But the question is: does "Amazon RDS" currently include the certificate for "rds-ca-rsa2048-g1"? It seems like it doesn't, and that's why we get the error.

https://github.com/mysqljs/mysql/blob/master/Readme.md#ssl-options

Here it does mention that "this profile is for connecting to an Amazon RDS server and contains the certificates from https://rds.amazonaws.com/doc/rds-ssl-ca-cert.pem and https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem".

Is there a plan to include the certificate for "rds-ca-rsa2048-g1" so that we can use "Amazon RDS" as the value for SSL, instead of manually downloading the bundle and adding the cert to the Docker image? Is that (downloading the cert and adding it to the Docker image) the only/suggested way?

Thanks in Advance

Manoj
answered a month ago
0

In this I see the options for SSL: https://github.com/mysqljs/mysql/blob/master/Readme.md#ssl-options

For the option SSL: 'Amazon RDS' it does mention that this profile is for connecting to an Amazon RDS server and contains the certificates from the combined bundle. Can we add the certificate for **rds-ca-rsa2048-g1** to this bundle? That should fix this. Thank you

Manoj
answered a month ago