
I have an application deployed on AWS EKS that uses an RDS PostgreSQL database. I have downloaded the intermediate and root certificates, and added them to a trust store, as described in this post: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html

However, I cannot connect via SSL with sslmode=verify-full, and I think it's because I do not have a copy of the certificate generated when RDS creates the DB instance and installs the certificate on the instance, as described here: https://aws.amazon.com/premiumsupport/knowledge-center/rds-connect-ssl-connection/

The certificate generated when the database is provisioned has the hostname of the server as the Common Name, and I think this is used to verify the host when a client connects.

Does anyone know where I can download this certificate, or, if I have misunderstood how to do this, tell me what it is I am doing wrong?

Thanks

SME

1 Answer

You need to do multiple things:

  1. Download the ca certs from https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem.

  2. Import this cert into the ca-certs of the JDK/JRE in your docker image by using this command:

     keytool -importcert -alias aws-certs -trustcacerts -file /path/to/global-bundle.pem -storepass changeit -cacerts -noprompt

     Note: You might have to run this command as root/sudo depending on the permissions on the cacerts file in the JDK_HOME/lib/security folder.

  3. Make changes to your postgres jdbc url as described here; basically adding sslmode=verify-full

Yogesh_D
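The steps above, as an added example (not the asker's or answerer's code): a minimal pgjdbc connection with sslmode=verify-full, followed by a pg_stat_ssl query that confirms the session is actually encrypted. The RDS endpoint, database name, user and the bundle path /etc/ssl/certs/global-bundle.pem are assumptions, as is the PostgreSQL JDBC driver (org.postgresql) being on the classpath; that driver's default SSL factory reads its CA from the sslrootcert property rather than from the JDK cacerts, so the comments show both ways of supplying the bundle.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

public class RdsVerifyFull {
    // Hypothetical RDS endpoint. It must be the endpoint hostname itself (not an IP or a
    // CNAME you own), because verify-full matches it against the CN/SAN of the certificate
    // the server presents during the TLS handshake. That leaf certificate is never
    // downloaded; only the CA bundle that signed it has to be present on the client.
    static final String HOST = "mydb.abcdefghijkl.us-east-1.rds.amazonaws.com";
    static final String URL = "jdbc:postgresql://" + HOST + ":5432/appdb";

    static Properties sslProps(String user, String password) {
        if (password == null) {
            throw new IllegalArgumentException("PGPASSWORD is not set");
        }
        Properties p = new Properties();
        p.setProperty("user", user);
        p.setProperty("password", password);
        p.setProperty("sslmode", "verify-full"); // verify chain AND hostname
        // pgjdbc's default SSL factory (LibPQFactory) takes its trust anchor from
        // sslrootcert, not from the JVM cacerts, so point it at the downloaded bundle ...
        p.setProperty("sslrootcert", "/etc/ssl/certs/global-bundle.pem");
        // ... or, to use the JDK cacerts populated by the keytool import above, use this
        // factory instead and drop the sslrootcert line:
        // p.setProperty("sslfactory", "org.postgresql.ssl.DefaultJavaSSLFactory");
        return p;
    }

    public static void main(String[] args) throws SQLException {
        Properties props = sslProps("app", System.getenv("PGPASSWORD"));
        // A hostname mismatch or an untrusted chain fails inside getConnection with a
        // PSQLException; a successful connect means both checks passed.
        try (Connection conn = DriverManager.getConnection(URL, props);
             Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(
                 "SELECT ssl, version, cipher FROM pg_stat_ssl WHERE pid = pg_backend_pid()")) {
            if (rs.next() && rs.getBoolean("ssl")) {
                System.out.println("TLS session: " + rs.getString("version")
                                   + " / " + rs.getString("cipher"));
            } else {
                throw new IllegalStateException("connection is not using SSL");
            }
        }
    }
}
```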