Problem
After the AWS RDS certificate authority was updated (from rds-ca-2019 to rds-ca-rsa2048-g1), JDBC connections to the PostgreSQL database began failing with PKIX path building failed:
org.postgresql.util.PSQLException: SSL error: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:)
The connection string uses sslmode=verify-full:
jdbc:postgresql://<host_url_or_ip>:<port>/<db_name>?currentSchema=<schema_name>&sslmode=verify-full
Updating the CA from rds-ca-2019 to rds-ca-rsa2048-g1
Analysis and fix
According to the official documentation, the certificate bundle to download is the one for the region the RDS instance runs in, eu-central-1.
The downloaded eu-central-1-bundle.pem was then converted to a .crt file with the following command:
openssl x509 -outform der -in eu-central-1-bundle.pem -out ~/.postgresql/root.crt
However, this did not solve the problem.
Inspect the newly generated certificate:
openssl x509 -in root.crt -noout -text
Its subject is CN = Amazon RDS Root 2019 CA, so this looks like the rds-ca-2019 certificate rather than the rds-ca-rsa2048-g1 one.
Let's look at what the downloaded certificate bundle actually contains:
keytool -printcert -v -file eu-central-1-bundle.pem
As shown below, the bundle contains 5 certificates in total. The fourth one, with CN=Amazon RDS eu-central-1 Root CA RSA2048 G1, is the rds-ca-rsa2048-g1 certificate we actually need.
Certificate[1]:
Owner: CN=Amazon RDS Root 2019 CA, OU=Amazon RDS, O="Amazon Web Services, Inc.", ST=Washington, L=Seattle, C=US
Issuer: CN=Amazon RDS Root 2019 CA, OU=Amazon RDS, O="Amazon Web Services, Inc.", ST=Washington, L=Seattle, C=US
Serial number: c73467369250ae75
Valid from: Fri Aug 23 01:08:50 CST 2019 until: Fri Aug 23 01:08:50 CST 2024
Certificate fingerprints:
SHA1: D4:0D:DB:29:E3:75:0D:FF:A6:71:C3:14:0B:BF:5F:47:8D:1C:80:96
SHA256: F2:54:C7:D5:E9:23:B5:B7:51:0C:D7:9E:F7:77:7C:1C:A7:E6:4A:3C:97:22:E4:0D:64:54:78:FC:70:AA:D0:08
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Certificate[2]:
Owner: CN=Amazon RDS eu-central-1 2019 CA, OU=Amazon RDS, O="Amazon Web Services, Inc.", L=Seattle, ST=Washington, C=US
Issuer: CN=Amazon RDS Root 2019 CA, OU=Amazon RDS, O="Amazon Web Services, Inc.", ST=Washington, L=Seattle, C=US
Serial number: 5766
Valid from: Thu Sep 12 03:36:20 CST 2019 until: Fri Aug 23 01:08:50 CST 2024
Certificate fingerprints:
SHA1: 53:46:18:4A:42:65:A2:8C:5F:5B:0A:AD:E2:2C:80:E5:E6:8A:6D:2F
SHA256: 0A:7D:2F:10:8E:F8:FA:AE:86:CF:9A:55:3D:B0:95:B6:52:35:B9:A3:94:D0:18:99:C1:A6:4F:85:8E:10:80:95
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Certificate[3]:
Owner: L=Seattle, CN=Amazon RDS eu-central-1 Root CA ECC384 G1, ST=WA, OU=Amazon RDS, O="Amazon Web Services, Inc.", C=US
Issuer: L=Seattle, CN=Amazon RDS eu-central-1 Root CA ECC384 G1, ST=WA, OU=Amazon RDS, O="Amazon Web Services, Inc.", C=US
Serial number: 7a741b70ffd96e3f49c6f67e8d76d19d
Valid from: Sat May 22 06:33:24 CST 2021 until: Thu May 22 07:33:24 CST 2121
Certificate fingerprints:
SHA1: D2:EB:0B:A8:7C:0B:45:9C:89:BA:A4:62:C1:5C:BF:58:E2:67:98:DC
SHA256: AE:69:7D:08:2E:E1:86:2F:71:1E:CA:E3:89:3C:3C:61:3B:73:15:D0:20:F7:46:74:05:15:34:A5:B1:66:D4:7B
Signature algorithm name: SHA384withECDSA
Subject Public Key Algorithm: 384-bit EC (secp384r1) key
Certificate[4]:
Owner: L=Seattle, CN=Amazon RDS eu-central-1 Root CA RSA2048 G1, ST=WA, OU=Amazon RDS, O="Amazon Web Services, Inc.", C=US
Issuer: L=Seattle, CN=Amazon RDS eu-central-1 Root CA RSA2048 G1, ST=WA, OU=Amazon RDS, O="Amazon Web Services, Inc.", C=US
Serial number: ef1b7a437bad445eb8d3c6f294932ad1
Valid from: Sat May 22 06:23:47 CST 2021 until: Sun May 22 07:23:47 CST 2061
Certificate fingerprints:
SHA1: 94:E6:F1:A2:7C:F2:30:F8:69:EC:32:B4:61:1C:A1:0A:82:80:AD:05
SHA256: 3D:8B:08:A7:39:0C:9B:10:D1:90:A6:B3:49:D7:03:AE:00:BA:E4:65:83:64:33:19:C7:FA:CC:F3:E5:DC:4A:8B
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Certificate[5]:
Owner: L=Seattle, CN=Amazon RDS eu-central-1 Root CA RSA4096 G1, ST=WA, OU=Amazon RDS, O="Amazon Web Services, Inc.", C=US
Issuer: L=Seattle, CN=Amazon RDS eu-central-1 Root CA RSA4096 G1, ST=WA, OU=Amazon RDS, O="Amazon Web Services, Inc.", C=US
Serial number: 3380bc83988546e71259d0bc11da8778
Valid from: Sat May 22 06:28:26 CST 2021 until: Thu May 22 07:28:26 CST 2121
Certificate fingerprints:
SHA1: D6:87:8C:CE:33:C9:63:C3:D2:5B:FD:75:BE:DE:E0:46:15:87:A8:DF
SHA256: 31:11:F3:22:E4:48:C2:6E:A2:72:2C:02:E2:97:14:DA:CE:16:D5:C3:93:36:CD:F6:DF:BF:FB:C0:36:8D:53:32
Signature algorithm name: SHA384withRSA
Subject Public Key Algorithm: 4096-bit RSA key
When we converted the .pem bundle, openssl x509 only read the first certificate in the file, so the first conversion produced nothing but the Amazon RDS Root 2019 CA certificate (Certificate[1] above), and verification failed.
Next, the following command splits the 5 certificates in the bundle into separate files:
awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > ("cert." c ".pem") }' < eu-central-1-bundle.pem
Confirm that the fourth certificate is the one we need:
keytool -printcert -v -file cert.4.pem
Regenerate the .crt file from the fourth certificate, cert.4.pem:
openssl x509 -outform der -in cert.4.pem -out ~/.postgresql/root.crt
Check the generated certificate once more:
openssl x509 -in ~/.postgresql/root.crt -noout -text
That solved the problem!
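The procedure above (split the bundle, check which certificate carries the CN we want, convert only that one to DER) collected into one shell script. This is an added example, not code from the original post: the function names are mine, the default bundle file name eu-central-1-bundle.pem, the target CN and the destination ~/.postgresql/root.crt follow the post, and the bundle is assumed to be already downloaded with openssl and awk on PATH. It selects the certificate by subject CN rather than by position, so it keeps working if AWS reorders the bundle, and it prints the subject and expiry of what actually landed in root.crt so a wrong pick (such as the 2019 root) is visible at once.

```shell
#!/bin/sh
# Added example (not from the original post): split an RDS PEM bundle, pick the
# root certificate by its subject CN and install it as the DER root.crt that the
# PostgreSQL JDBC driver reads for sslmode=verify-full.
# Assumptions: openssl and awk are on PATH; file names and the CN default to the
# ones used in the post and can be overridden on the command line.

# split_bundle BUNDLE OUTDIR
# Writes OUTDIR/cert.1.pem, cert.2.pem, ... (one certificate each) and prints
# the number of certificates found. Text outside BEGIN/END blocks is skipped.
split_bundle() {
    bundle="$1"
    outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { c++; out = dir "/cert." c ".pem"; on = 1 }
        on { print > out }
        /-----END CERTIFICATE-----/ { on = 0 }
        END { print c + 0 }
    ' "$bundle"
}

# subject_cn CERTFILE
# Prints the subject CN of the first certificate in the PEM file CERTFILE.
subject_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline,utf8 \
        | sed -n 's/^[[:space:]]*CN[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# find_cert_by_cn DIR WANT_CN
# Prints the path of the split certificate whose subject CN is exactly WANT_CN;
# fails if none matches, so the caller never silently installs a wrong root.
find_cert_by_cn() {
    dir="$1"
    want="$2"
    for f in "$dir"/cert.*.pem; do
        [ -f "$f" ] || continue
        if [ "$(subject_cn "$f")" = "$want" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    printf 'no certificate with CN=%s in %s\n' "$want" "$dir" >&2
    return 1
}

# install_root_cert CERTPEM DEST
# Converts the single PEM certificate to DER at DEST and echoes its subject and
# expiry (notAfter) read back from DEST, so what the driver will trust is shown.
install_root_cert() {
    mkdir -p "$(dirname "$2")"
    openssl x509 -outform der -in "$1" -out "$2" || return 1
    openssl x509 -inform der -in "$2" -noout -subject -enddate
}

# Usage: sh select-rds-root.sh run [BUNDLE] [CN] [DEST]
if [ "${1:-}" = "run" ]; then
    bundle_file="${2:-eu-central-1-bundle.pem}"
    want_cn="${3:-Amazon RDS eu-central-1 Root CA RSA2048 G1}"
    dest="${4:-$HOME/.postgresql/root.crt}"
    work="$(mktemp -d)"
    count="$(split_bundle "$bundle_file" "$work")"
    echo "bundle contains $count certificate(s)"
    picked="$(find_cert_by_cn "$work" "$want_cn")" || exit 1
    install_root_cert "$picked" "$dest"
    rm -rf "$work"
fi
```

Run it as sh select-rds-root.sh run eu-central-1-bundle.pem "Amazon RDS eu-central-1 Root CA RSA2048 G1" from the directory holding the bundle. Pinning a single root reproduces the post's fix; the printed notAfter date is worth noting, because the next CA rotation will fail in exactly the same way once that root is no longer the one signing the server certificate.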
Additional notes
Certificate attributes:
- CN: CommonName
- OU: OrganizationalUnit
- O: Organization
- L: Locality
- S/ST: StateOrProvinceName
- C: CountryName
References
Certificate verification: https://www.postgresql.org/docs/9.0/libpq-ssl.html