Closed toadjaune closed 10 months ago
Hi @toadjaune, I'm having an error too after updating the CA authority in one of my RDS databases:

`Error: error detecting capabilities: error PostgreSQL version: x509: certificate signed by unknown authority`

I've started to have that error after migrating to the `rds-ca-rsa2048-g1` CA authority. Reverting back to the `rds-ca-2019` CA authority, I no longer see these errors.

I've run the script for importing certificates into my trust store and it successfully added it, but it seems like something is not working alongside this provider.

Could this be related to what you're reporting and the changes you're proposing in this pull request?

Thanks,

Also, I've tried to run with `sslmode = "disabled"` and I still got the same error.

What seems to work is to change from `scheme = "awspostgres"` to `scheme = "postgres"`, which seems to indicate that the issue might indeed be in the usage of the gocloud package.
Hi @pedrocarrico!

Indeed, this is exactly what this PR fixes :)

To sum up:

- `awspostgres` scheme, the gocloud library internally manages TLS configuration
  `sslmode` or `sslrootcert` to override this behavior at a configuration level
- `postgres` scheme should indeed work, as it is meant to interact with arbitrary pg servers; it is therefore configurable, and I assume that it can look CAs up in the OS trust store

If you're authenticating with login/password, switching to the `postgres` scheme should be your easiest temporary workaround.
It's however not an option if you rely on IAM database authentication (which is my case).

Also, I'm wondering: did you upgrade your CA because AWS sent you a warning email about future CA expiration?
It seems they have started doing so, which means more and more people will start encountering this issue. Which in turn means we should probably not wait too long before merging this.
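The mechanism toadjaune describes above, and the `x509: certificate signed by unknown authority` error pedrocarrico quotes at the top of the thread, can be reproduced offline with Go's `crypto/x509`, which is what `crypto/tls` (and therefore gocloud) uses to build the server's chain. The following is an added example, not code from this PR or from the gocloud project. It generates two throwaway CAs standing in for the old and new RDS roots plus an instance certificate issued under the new one, then shows that a trust store still holding only the old root fails with `x509.UnknownAuthorityError`, while a pool loaded from the new root's PEM (the equivalent of what libpq's `sslrootcert` does) verifies the same certificate. Every certificate, key and the endpoint name `db.example.invalid` is constructed here; nothing is fetched from AWS, and the CA names are labels only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// issue signs tmpl with parent/parentKey, or self-signs it when parent is nil,
// and returns the certificate with its key. All certificates produced here are
// constructed test data standing in for RDS CAs and instance certificates.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// caTemplate returns a CA template; name is just a label for the RDS CA it stands in for.
func caTemplate(name string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

// verifyAgainst runs the chain check crypto/tls performs during the handshake.
func verifyAgainst(leaf *x509.Certificate, host string, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

// isUnknownAuthority reports whether err is the "x509: certificate signed by
// unknown authority" failure quoted in the thread.
func isUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// rootPoolFromPEM does what libpq's sslrootcert does: trust only the bundle given.
// A crypto/tls client would place the result in tls.Config.RootCAs.
func rootPoolFromPEM(bundle []byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(bundle) {
		return nil, errors.New("no certificates found in PEM bundle")
	}
	return pool, nil
}

// demo reproduces the CA migration: a trust store holding only the old CA
// rejects an instance certificate issued under the new CA, while a pool built
// from the new CA's PEM accepts it. It returns (oldRejects, newAccepts, err).
func demo() (bool, bool, error) {
	oldCA, _, err := issue(caTemplate("stand-in for rds-ca-2019", 1), nil, nil)
	if err != nil {
		return false, false, err
	}
	newCA, newKey, err := issue(caTemplate("stand-in for rds-ca-rsa2048-g1", 2), nil, nil)
	if err != nil {
		return false, false, err
	}
	const host = "db.example.invalid" // constructed endpoint name, not a real RDS host
	leaf, _, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, newCA, newKey)
	if err != nil {
		return false, false, err
	}
	oldStore := x509.NewCertPool() // the trust store before the new CA was imported
	oldStore.AddCert(oldCA)
	errOld := verifyAgainst(leaf, host, oldStore)
	bundle := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: newCA.Raw})
	newStore, err := rootPoolFromPEM(bundle) // the imported bundle, as sslrootcert would load it
	if err != nil {
		return false, false, err
	}
	errNew := verifyAgainst(leaf, host, newStore)
	return isUnknownAuthority(errOld), errNew == nil, nil
}
```

Running a chain check like this against the certificate an endpoint actually presents (for example one saved with `openssl s_client`) is a quick way to confirm that an imported bundle really covers it before blaming the driver; the point of the thread is that with the `awspostgres` scheme the pool used for this check could not be set through `sslrootcert`, so the import pedrocarrico ran never reached it.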
@toadjaune Yes I've received that same warning email.
Thanks for the clarification, it makes much more sense now. Indeed I don't (currently) rely on IAM authentication, but funny enough I was actually starting to consider it as I bumped into this issue.
Thank you so much once again
Bump `gocloud` library dependency to include fixes from https://github.com/google/go-cloud/pull/3307

I have tested it locally and can confirm that it fixes connection to an AWS instance using the `rds-ca-ecc384-g1` CA.

The Go tests pass; I have, however, not run the acceptance tests. This sounds like the kind of change for which we would want to run them before merging.