
I have RDS Proxy set up with SSL required. I am trying to connect to the RDS Proxy with the mysql client like:

mysql -h host -u user -p"password" --ssl_ca=global-bundle.pem

I am getting the below error:

ERROR 2026 (HY000): TLS/SSL error: unable to get local issuer certificate

Below is the IAM policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": [
                "arn:aws....arn"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": "aws managed key arn",
            "Condition": {
                "StringEquals": {
                    "kms:ViaService": "secretsmanager.us-west-2.amazonaws.com"
                }
            }
        }
    ]
}

If I disable SSL, it works. Not sure what is missing here. Please advise.

Mangesh Tak
  • Well, do you have some reason to believe that `global-bundle.pem` contains a CA certificate that your mysql server certificate will chain to? – President James K. Polk Feb 02 '23 at 02:44
  • @PresidentJamesK.Polk I am able to access the Aurora DB cluster with that pem file, but with RDS Proxy it is failing. tls_security is enabled at the proxy. Is there any configuration I am missing here? – Mangesh Tak Feb 02 '23 at 03:08

1 Answer


This is a problem connected with the update to OpenSSL v3; it can be connected with the change from Alpine 3.16 to Alpine 3.17, which has a newer version of OpenSSL.

Details here:

https://www.openssl.org/docs/man3.0/man7/migration_guide.html

You can read also issues:

https://github.com/dotnet/dotnet-docker/issues/4332

and

https://github.com/dotnet/dotnet-docker/discussions/4313

Here is the solution:

https://github.com/dotnet/dotnet-docker/issues/4332#issuecomment-1384196212

# Dockerfile step: splice an ssl_sect/system_default_sect block into the system
# OpenSSL config right after the "providers = provider_sect" line of [openssl_init],
# setting Options = UnsafeLegacyRenegotiation for every program that uses this config
RUN sed -i 's/providers = provider_sect/providers = provider_sect\n\
ssl_conf = ssl_sect\n\
\n\
[ssl_sect]\n\
system_default = system_default_sect\n\
\n\
[system_default_sect]\n\
Options = UnsafeLegacyRenegotiation/' /etc/ssl/openssl.cnf

If you want to skip SSL for MySQL 5, you can use the flags

--ssl, --skip-ssl

and for MySQL 8:

Use --ssl-mode=DISABLED instead of --ssl=0, --skip-ssl, or --disable-ssl.

https://dev.mysql.com/doc/refman/5.7/en/connection-options.html

Daniel
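The sed one-liner in the answer above is easy to get subtly wrong: it runs silently when the anchor line is missing, and running it twice (say, in two Docker layers) duplicates the sections. The following Python is an added example, not code from the answer, the linked GitHub issue, or any AWS or OpenSSL project. It performs the same openssl.cnf edit idempotently, fails loudly when the anchor is absent, and then reads the result back with a minimal parser to confirm that `ssl_conf` landed inside `[openssl_init]` and that `Options = UnsafeLegacyRenegotiation` is present. The sample config is a constructed excerpt, not copied from any real system; the function names are this example's own.

```python
import re

# Constructed sample: a minimal excerpt in the shape of a stock OpenSSL 3
# openssl.cnf, containing the "providers = provider_sect" anchor the sed targets.
SAMPLE_OPENSSL_CNF = """\
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect

[default_sect]
activate = 1
"""

# The lines the sed in the answer splices in after the anchor line.
LEGACY_RENEG_BLOCK = """\
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
Options = UnsafeLegacyRenegotiation
"""

# [ \t]* rather than \s* so the match ends on the anchor line itself, not past its newline.
_ANCHOR = re.compile(r"^providers[ \t]*=[ \t]*provider_sect[ \t]*$", re.MULTILINE)
_OPTION = re.compile(r"^[ \t]*Options[ \t]*=.*\bUnsafeLegacyRenegotiation\b", re.MULTILINE)


def has_legacy_renegotiation(cfg: str) -> bool:
    """True if the config already sets Options = UnsafeLegacyRenegotiation."""
    return _OPTION.search(cfg) is not None


def add_legacy_renegotiation(cfg: str) -> str:
    """Return cfg with the ssl_sect/system_default_sect block inserted directly
    after the 'providers = provider_sect' line, i.e. inside [openssl_init].
    Unlike the sed, this is idempotent (an already-patched config is returned
    unchanged) and raises ValueError when the anchor line is not there."""
    if has_legacy_renegotiation(cfg):
        return cfg
    m = _ANCHOR.search(cfg)
    if m is None:
        raise ValueError("no 'providers = provider_sect' line; not an OpenSSL 3 style openssl.cnf?")
    at = m.end()
    return cfg[:at] + "\n" + LEGACY_RENEG_BLOCK.rstrip("\n") + cfg[at:]


def parse_sections(cfg: str) -> dict:
    """Minimal reader for the openssl.cnf INI dialect (enough to verify the edit):
    returns {section: {key: value}}; keys before any [section] land under ''."""
    sections, current = {"": {}}, ""
    for raw in cfg.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


if __name__ == "__main__":
    patched = add_legacy_renegotiation(SAMPLE_OPENSSL_CNF)
    print(patched)
    print(parse_sections(patched)["system_default_sect"])
```

Because `system_default_sect` applies to every SSL_CTX created by any program reading that file, writing the patched text to a separate file and pointing only the affected process at it via the `OPENSSL_CONF` environment variable keeps the change from loosening renegotiation for everything else on the host.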