Cannot Connect to AWS Database using TLS with Server CA Validation

AWS documentation states that to connect to my DocumentDB Cluster, I need to use a query string that ends like so ?ssl_ca_certs=rds-combined-ca-bundle.pem&replicaSet=rs0. It is a root certificate chain that my Client should validate. I should not need a Client Certificate.

Using the MongoDB C# driver and this specific query, with the .pem file in the same directory, I cannot establish the connection. If I use the same .pem file and query string from the Mongo Shell, I can correctly connect to my database. It only doesn't work from my .net core application, that also runs on AWS.

By removing TLS from the Cluster and removing the ssl_ca_certs option from the query, I can connect correctly to my Cluster.

I thought I could convert my .pem file to a .pfx using openssl, but I have to give the .pfx a password and MongoDB documentation states that

It is imperative that when loading a certificate with a password, the PrivateKey property not be null. If the property is null, it means that your certificate does not contain the private key and will not be passed to the server.

How can I use the .pem file provided by Amazon AWS to connect to my database using the C# MongoDB driver?

Try adding the RDS CA file into your C# trust store.

    using System;
    using System.Security.Cryptography.X509Certificates;

    // Import the RDS CA bundle into the current user's Trusted Root store so the
    // driver's default server-certificate validation can build a chain to it.
    // Note: X509Certificate2(path) loads only the first certificate in a PEM bundle.
    X509Store store = new X509Store(StoreName.Root);
    X509Certificate2 ca = new X509Certificate2(<path_to_rds-combined-ca-bundle.pem>);
    try {
        store.Open(OpenFlags.ReadWrite);
        store.Add(ca);
    } catch (Exception ex) {
        Console.WriteLine("Root certificate import failed: " + ex.Message);
        throw;
    } finally {
        store.Close();
    }


### Connection to Document DB with a simple .NET console application with SSL.

->First of all, enable SSL on your Document DB cluster by setting the parameter tls to 'enabled'. Make sure to reboot the writer node of your cluster, which reboots the whole cluster, in order to apply the parameter group changes. By default TLS is enabled when you launch a new Doc DB cluster.

->Set up SSL certificate on your environment:

1)Download the PKCS#7 SSL certificate on your source windows machine from the below link:

https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.p7b

2)Click on Start menu, click Run and type mmc

3)In MMC, File->Add/Remove Snap-in.

4)Select Certificates from the list of snap-ins and click Add.

5)Trusted CA certificates should go in the Local Computer store, so choose the 'Computer Account' radio button, click next and then choose ‘Local Computer'. Click Next and then Finish.

6)Now from the left hand pane (under Console Root) you will see the ‘Certificates’ option. Click on it.

7)A list will appear, right click on ‘Trusted Root Certification Authorities’ then choose All Tasks->Import

8)In the window that opens, click on Next, browse for the certificate (.p7b) file downloaded in Step 1(If you can’t find it, from the file type drop down, select All Files), and then Continue to click on Next and finally Finish. Then Save the configuration.

->Then I wrote the below code:

---------------------------------------------------

using MongoDB.Bson;
using MongoDB.Driver;
using System;
namespace FirstDocDB
{
    public class Program
    {
        public static void Main(string[] args)
        {
            // ssl=true turns TLS on; sslVerifyCertificate=true makes the driver validate the
            // server certificate against the trust store the RDS CA bundle was imported into.
            var connectionString = "mongodb://pulkit:password@ClusterID:27017/?ssl=true&sslVerifyCertificate=true&replicaSet=rs0";
            var client = new MongoClient(connectionString);
            var database = client.GetDatabase("test");
            // GetCollection needs a document type; BsonDocument keeps it untyped.
            var collection = database.GetCollection<BsonDocument>("stuff");
            var document = collection.Find(new BsonDocument()).FirstOrDefault();
            Console.WriteLine(document == null ? "collection is empty" : document.ToString());
        }
    }
}

---------------------------------------------------

->And after build and run, I was successfully able to get the document in the collection named "stuff" as output: { "_id" : ObjectId("5c5a63b10cf861158c1d241c"), "hello" : "world" }

Thus, after following the above steps, I was successfully able to connect to Document DB using the Mongo driver for .NET.


I had a similar issue, had a ticket open with AWS and it was resolved with similar steps to Pulkit Agarwal's answer.

The main change was the connection string: even after adding the certificate to the local store I was still using the query string "?ssl_ca_certs=rds-combined-ca-bundle.pem&replicaSet=rs0", which needs to be changed to "?ssl=true&sslVerifyCertificate=true&replicaSet=rs0".


Here is another way. However, I found that using SSL with the C# Mongo Driver doesn't do connection pooling and opens a new connection for each call. You can reduce the active connections by including MaxConnectionIdleTime, but it's still not ideal if your application creates a lot of connections.

    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Security.Cryptography.X509Certificates;
    using MongoDB.Driver;

    MongoClient _client;
    IMongoDatabase _database;
    string db = "test"; // placeholder database name; the original post takes it from elsewhere

    var connectionString = "username:password@cluster_endpoint:27017/?replicaSet=rs0";
    var clientSettings = MongoClientSettings.FromUrl(new MongoUrl("mongodb://" + connectionString));
    // Verbatim string: in a normal string literal "ssl\rds-..." the "\r" becomes a carriage return.
    var certificatePath = @"ssl\rds-combined-ca-bundle.pem";

    var pem = System.IO.File.ReadAllText(AppDomain.CurrentDomain.BaseDirectory + certificatePath);
    byte[] certBuffer = GetBytesFromPEM(pem, "CERTIFICATE"); // first CERTIFICATE block of the bundle only

    clientSettings.UseSsl = true;
    clientSettings.SslSettings = new SslSettings()
    {
        // The CA certificate is offered as a client certificate here; it carries no private key.
        ClientCertificates = new List<X509Certificate2>()
        {
            new X509Certificate2(certBuffer)
        },
        EnabledSslProtocols = System.Security.Authentication.SslProtocols.Default,
        CheckCertificateRevocation = true
    };

    clientSettings.VerifySslCertificate = true;

    clientSettings.SslSettings.ClientCertificateSelectionCallback = (sender, host, certificates, certificate, issuers) => clientSettings.SslSettings.ClientCertificates.ToList()[0];
    // Returning true accepts any server certificate, which overrides the validation requested by VerifySslCertificate.
    clientSettings.SslSettings.ServerCertificateValidationCallback = (sender, certificate, chain, errors) => true;

    clientSettings.MaxConnectionIdleTime = new TimeSpan(0, 0, 30);

    _client = new MongoClient(clientSettings);
    _database = _client.GetDatabase(db.ToString());

    // Extracts the Base64 body of the first "-----BEGIN <section>-----" block in a PEM string.
    static byte[] GetBytesFromPEM(string pem, string section)
    {
        var header = "-----BEGIN " + section + "-----";
        var footer = "-----END " + section + "-----";
        int start = pem.IndexOf(header, StringComparison.Ordinal);
        if (start < 0) throw new ArgumentException("no " + section + " block found in PEM");
        start += header.Length;
        int end = pem.IndexOf(footer, start, StringComparison.Ordinal);
        if (end < 0) throw new ArgumentException("unterminated " + section + " block in PEM");
        return Convert.FromBase64String(pem.Substring(start, end - start));
    }
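Added example, not from any answer on this page: it does what the question asks for, validating the DocumentDB server certificate against the RDS CA bundle read from disk, with no client certificate, without importing anything into the machine store (Pulkit Agarwal's approach) and without a validation callback that returns true (the snippet directly above). It assumes .NET 5 or later (X509ChainTrustMode.CustomRootTrust and X509Certificate2Collection.ImportFromPemFile) and MongoDB.Driver 2.10 or later (UseTls); the connection string and bundle path are placeholders.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using MongoDB.Driver;

// Added example: pin trust for the DocumentDB TLS connection to the RDS CA bundle file
// instead of the OS trust store. Nothing here is the driver's or AWS's own code.
public static class DocDbTls
{
    // Load every CERTIFICATE block in the bundle; it holds several roots and intermediates,
    // so a single-certificate constructor would silently keep only the first one.
    public static X509Certificate2Collection LoadBundle(string pemPath)
    {
        var bundle = new X509Certificate2Collection();
        bundle.ImportFromPemFile(pemPath);
        return bundle;
    }

    // True only when the presented certificate chains to a root in the bundle and the
    // hostname matched. RemoteCertificateChainErrors from the OS store is expected (the RDS
    // root is not installed there) and is re-evaluated against the bundle instead.
    public static bool ValidateAgainstBundle(X509Certificate certificate,
                                             X509Certificate2Collection bundle,
                                             SslPolicyErrors errors)
    {
        if (certificate == null) return false;
        if ((errors & SslPolicyErrors.RemoteCertificateNotAvailable) != 0) return false;
        if ((errors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0) return false;

        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.AddRange(bundle);
        // Revocation checking is opt-in here (assumption: endpoints may be unreachable from a
        // private subnet); set X509RevocationMode.Online if your policy requires it.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        return chain.Build(new X509Certificate2(certificate));
    }

    // Builds a client whose TLS handshake succeeds only if ValidateAgainstBundle passes.
    public static MongoClient CreateClient(string connectionString, string pemPath)
    {
        var bundle = LoadBundle(pemPath);
        var settings = MongoClientSettings.FromConnectionString(connectionString);
        settings.UseTls = true;
        settings.SslSettings = new SslSettings
        {
            // No ClientCertificates: DocumentDB authenticates the client by password, not by certificate.
            ServerCertificateValidationCallback =
                (sender, cert, chain, errors) => ValidateAgainstBundle(cert, bundle, errors)
        };
        return new MongoClient(settings);
    }

    public static void Main()
    {
        // Placeholders: replace with your cluster endpoint, credentials and bundle location.
        var client = CreateClient(
            "mongodb://username:password@cluster_endpoint:27017/?replicaSet=rs0",
            "rds-combined-ca-bundle.pem");
        Console.WriteLine(client.GetDatabase("test").ListCollectionNames().ToList().Count + " collections");
    }
}
```

The query-string form `ssl_ca_certs=...` is read by the mongo shell and by drivers that accept that option; the C# driver does not, which is why the callback wires the bundle in through SslSettings. Keeping the hostname check means a connection to the wrong endpoint still fails even when the certificate is a genuine RDS one.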


Here are examples on how to programmatically connect to Amazon DocumentDB with C# (and other drivers) with both TLS enabled/disabled.

https://docs.aws.amazon.com/documentdb/latest/developerguide/connect.html





Comments
  • If you’re already in AWS, you can omit your certificate, because it’s an internal call, don’t you?
  • ?ssl_ca_certs=/local/path/to/rds-combined-ca-bundle.pem perhaps? What's the error when it fails to connect?
  • @Nikolaus No, removing the ‘.pem’ from the query string does not help.
  • @Michael-sqlbot I get a connection TimeOut, cannot find the server. If I remove TLS, it works, so the database is "reachable" but cannot be found without the server certificate validation. Same goes for the mongo shell. Without adding the certificate, the call will TimeOut, and adding it will correctly connect to the database.
  • Thanks, I'll try it this week. But is there a reason I would need to send Client certificates when I don't technically need any, but should only need to validate the server's certificates (ssl_ca_certs)?
  • Edited the response. The older reference was for client side TLS. Just adding the RDS CA cert to your trust store should be sufficient