SingleCertValidatingFactory not working with AWS RDS global-bundle.pem?

Question

I want to use the https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem which is stored in my application jar i.e. using classpath. So I tried using the below jdbc url

jdbc:postgresql://<db-endpoint>:5432/pgdb?ssl=true&sslmode=verify-full&sslfactory=org.postgresql.ssl.SingleCertValidatingFactory&sslfactoryarg=classpath:global-bundle.pem

However, I am getting an exception

PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Instead of classpath: I tried file: as well but same exception.

Without using SingleCertValidatingFactory, the .pem file works with file system path like below

jdbc:postgresql://<db-endpoint>:5432/pgdb?ssl=true&sslmode=verify-full&sslrootcert=/app/certs/global-bundle.pem

Does SingleCertValidatingFactory not work with .pem files? What do I need to do to make it work. Any help is appreciated.

score 0 · Accepted Answer · answered Nov 24 '22 at 12:33

SingleCertValidatingFactory does seem to work with us-east-1-bundle.pem. It seems to be having issue with global-bundle-pem which has all regional certificates combined. Another solution is to follow this doc to import each certificate into the JDK cacerts

https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html#UsingWithRDS.SSL-certificate-rotation-sample-script

And then use

jdbc:postgresql://<db-endpoint>:5432/pgdb?ssl=true&sslmode=verify-full&sslfactory=org.postgresql.ssl.DefaultJavaSSLFactory

SingleCertValidatingFactory not working with AWS RDS global-bundle.pem?

1 Answers1