cyrilgdn / terraform-provider-postgresql

Terraform PostgreSQL provider
https://www.terraform.io/docs/providers/postgresql/
Mozilla Public License 2.0

Bump gocloud dependency to fix aws CA validation #340

Closed toadjaune closed 10 months ago

toadjaune commented 10 months ago

Bump gocloud library dependency to include fixes from https://github.com/google/go-cloud/pull/3307

I have tested it locally and can confirm that it fixes connection to an AWS instance using the rds-ca-ecc384-g1 CA.

The go tests pass, I have however not run the acceptance tests. This sounds like the kind of change for which we would want to run them before merging.

pedrocarrico commented 10 months ago

Hi @toadjaune, I'm having an error too after updating the CA authority in one of my RDS databases:

Error: error detecting capabilities: error PostgreSQL version: x509: certificate signed by unknown authority

I've started to have that error after migrating to the rds-ca-rsa2048-g1 CA authority. Reverting back to the rds-ca-2019 CA authority I no longer see these errors.

I've run the script for importing certificates into my trust store and it successfully added it, but it seems like something is not working alongside this provider.

Could this be related to what you're reporting and the changes you're proposing in this pull request?

Thanks,

pedrocarrico commented 10 months ago

Also, I've tried to run with sslmode = "disabled" and I still got the same error.

What seems to work is to change from scheme = "awspostgres" to scheme = "postgres" which seems to indicate that the issue might indeed be in the usage of the gocloud package.
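The error in this thread ("x509: certificate signed by unknown authority") is what a Go TLS client reports when the server's certificate chains to a CA that is not in the trust pool the client was built with. The following is an added example, not code from this provider or from gocloud: it constructs an "old" and a "new" CA in memory, issues a server certificate from the new one, and verifies it once against a bundle holding only the old CA (fails with `UnknownAuthorityError`, as reported above) and once against a bundle that also contains the new CA (succeeds). The CA names and the host `db.example.invalid` are constructed placeholders; the real RDS bundles are not embedded here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeCA builds a self-signed CA certificate and key (constructed fixture for this example).
func makeCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueServerCert issues a leaf certificate for host, signed by the given CA.
func issueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// pemBundle serialises CA certificates the way a PEM trust-bundle file carries them.
func pemBundle(cas ...*x509.Certificate) []byte {
	var out []byte
	for _, c := range cas {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return out
}

// VerifyAgainstBundle does what a TLS client does on connect: it trusts only the
// CAs in bundle and checks the server certificate (and hostname) against them.
func VerifyAgainstBundle(bundle []byte, server *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(bundle) {
		return errors.New("no certificates found in bundle")
	}
	_, err := server.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// UnknownAuthority reports whether err is the "certificate signed by unknown authority" failure.
func UnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// Demo returns the verification result against a stale bundle (old CA only) and
// against a bundle that also carries the CA the server actually chains to.
func Demo() (staleErr, updatedErr error) {
	const host = "db.example.invalid" // constructed placeholder hostname
	oldCA, _, err := makeCA("old-ca (constructed)")
	if err != nil {
		panic(err) // fixture generation failing is a programming error, not a verification result
	}
	newCA, newKey, err := makeCA("new-ca (constructed)")
	if err != nil {
		panic(err)
	}
	server, err := issueServerCert(newCA, newKey, host)
	if err != nil {
		panic(err)
	}
	staleErr = VerifyAgainstBundle(pemBundle(oldCA), server, host)
	updatedErr = VerifyAgainstBundle(pemBundle(oldCA, newCA), server, host)
	return staleErr, updatedErr
}

func main() {
	staleErr, updatedErr := Demo()
	fmt.Println("stale bundle:  ", staleErr)
	fmt.Println("updated bundle:", updatedErr)
}
```

The same check applies to a real connection: if the server presents a chain rooted in a CA that the client's embedded or configured bundle predates, no `sslmode` or trust-store change on the host helps until the bundle the client actually consults is updated, which is why switching scheme (and therefore the code path that selects the bundle) changed the outcome above.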

toadjaune commented 10 months ago

Hi @pedrocarrico!

Indeed, this is exactly what this PR fixes :)

To sum up:

If you're authenticating with login/password, switching to the postgres scheme should be your easiest temporary workaround. It's, however, not an option if you rely on IAM database authentication (which is my case).

toadjaune commented 10 months ago

Also, I'm wondering: did you upgrade your CA because AWS sent you a warning email about future CA expiration?

It seems they have started doing so, which means more and more people will start encountering this issue, which in turn means we should probably not wait too long before merging this.

pedrocarrico commented 10 months ago

@toadjaune Yes, I've received that same warning email.

Thanks for the clarification, it makes much more sense now. Indeed I don't (currently) rely on IAM authentication, but funny enough I was actually starting to consider it as I bumped into this issue.

Thank you so much once again

cyrilgdn commented 10 months ago

Released in v1.21.0