Open chenrui333 opened 1 year ago
Tried something like this, but it does not quite work:
RUN apt-get clean \
&& apt-get update \
- && apt-get install -yq gcc musl-dev python3-dev libpq-dev g++
+ && apt-get install -yq gcc musl-dev python3-dev libpq-dev g++ curl
RUN cp /usr/lib/ssl/openssl.cnf /usr/lib/ssl/openssl_cipher1.cnf && \
sed -i "s/\(CipherString *= *\).*/\1DEFAULT@SECLEVEL=1 /" "/usr/lib/ssl/openssl_cipher1.cnf" && \
sed -i "s/\(MinProtocol *= *\).*/\1TLSv1 /" "/usr/lib/ssl/openssl_cipher1.cnf"
+# Fetch Amazon RDS certificate chain
+RUN curl https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem -o /usr/local/share/amazon-certs.pem
+RUN echo "d464378fbb8b981d2b28a1deafffd0113554e6adfb34535134f411bf3c689e73 /usr/local/share/amazon-certs.pem" | sha256sum -c -
+
+ENV AWS_CA_BUNDLE /usr/local/share/amazon-certs.pem
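Review bot: the `ENV AWS_CA_BUNDLE /usr/local/share/amazon-certs.pem` line at the end of the added block makes botocore verify every AWS API call against a file that holds only the RDS root CA from `rds-ca-2019-root.pem`. That root signs RDS database instance certificates, not the public AWS API endpoints, so a request to an endpoint such as `https://rds.amazonaws.com/` has no trust anchor to chain to. Suggest dropping the `ENV` line and passing the downloaded bundle to the database client's own TLS setting instead. With libpq, which this image installs via `libpq-dev`, that is the `sslrootcert` connection parameter (that the database is PostgreSQL is an assumption). If `AWS_CA_BUNDLE` has to be set, point it at a file that also contains the system CA store. Separately, add `-f` to the `curl` call so an HTTP error fails that layer directly instead of being caught only by the later `sha256sum -c` step.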
Got the error below:
File "/usr/local/lib/python3.9/site-packages/botocore/httpsession.py", line 335, in send
raise SSLError(endpoint_url=request.url, error=e)
botocore.exceptions.SSLError: SSL validation failed for https://rds.amazonaws.com/ [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)
Currently, it looks like there is no way to override the default openssl cert for the encrypted RDS connection.