AWS RDS SSL issue: rds-ca-rsa2048-g1 rds-ca-rsa4096-g1 rds-ca-ecc384-g1 missing: unable to get local issuer certificate

[zumby]

rds-ca-rsa2048-g1 rds-ca-rsa4096-g1 rds-ca-ecc384-g1 missing inside the lambda/python:3.11 docker image. but also, most likely others as well.

We use sequelize with Node.js to run db-migration by AWS Lambda that connects to RDS that uses latest SSL certificates (rds-ca-rsa2048-g1) in our case

Error logs:

Sequelize CLI [Node: 16.20.2, CLI: 6.6.2, ORM: 6.34.0]
Loaded configuration file "../../tmp/config/config.json".
ERROR: unable to get local issuer certificate

Workarounds:

• install CA certificates into the system manually in Dockerfile (we did not test it fully)

  RUN curl https://truststore.pki.rds.amazonaws.com/us-east-1/us-east-1-bundle.pem \
  -o /etc/pki/ca-trust/source/anchors/us-east-1-bundle.pem \
  && update-ca-trust

• use CA PEM directly by DB client (sequelize in our case)

Please fix this :)

[nicwise]

This appears to be in the non-docker lambda node20 "image", so I've had to pull down, and store, the cert. Should be in the base.