
When scheme=awspostgres, sslmode is not respected, causing x509: certificate signed by unknown authority #343

Open
adkafka opened this issue Aug 31, 2023 · 5 comments

Comments

@adkafka

adkafka commented Aug 31, 2023

If we set up a provider as such:

provider "postgresql" {
  scheme    = "awspostgres"
  sslmode   = "require"
 ...
}

And connect to an RDS instance whose CA comes from rds-ca-ecc384-g1, we get an unexpected error:

│ Error: Error connecting to PostgreSQL server database-name.region.rds.amazonaws.com (scheme: awspostgres): tls: failed to verify certificate: x509: certificate signed by unknown authority

Based on sslmode = "require", I expect no certificate validation.

I believe the issue is here:

// sslmode and connect_timeout are not allowed with gocloud
// (TLS is provided by gocloud directly)
if c.Scheme == "postgres" {
    params["sslmode"] = c.SSLMode
    params["connect_timeout"] = strconv.Itoa(c.ConnectTimeoutSec)
}

We should change this to if c.Scheme == "postgres" || c.Scheme == "awspostgres"

I'm able to work around this by just setting scheme=postgres.

Terraform Version

$ terraform -v
Terraform v1.5.2
on darwin_amd64
+ provider registry.terraform.io/cyrilgdn/postgresql v1.20.0
+ provider registry.terraform.io/hashicorp/aws v4.59.0
+ provider registry.terraform.io/hashicorp/kubernetes v2.18.1
+ provider registry.terraform.io/hashicorp/local v2.4.0
+ provider registry.terraform.io/hashicorp/random v3.4.3

Affected Resource(s)

  • terraform-provider-postgresql (provider itself, not resources)

Terraform Configuration Files

See above snippet

Debug Output

N/A

Panic Output

N/A

Expected Behavior

We should be able to connect with the above config to an RDS instance.

Actual Behavior

Error

Steps to Reproduce

Create RDS instance with issuing CA rds-ca-ecc384-g1 (I expect the same behavior for other new CAs too)
Try to connect to the provider using scheme = "awspostgres" and sslmode = "require"

Important Factoids

No

References

None

@dstebukov

dstebukov commented Oct 17, 2023

I've got this error trying to create a DB in the AWS serverless v1 cluster, CA rds-ca-rsa2048-g1

  • provider registry.terraform.io/cyrilgdn/postgresql v1.21.0

@ghost

ghost commented Oct 20, 2023

same error with scheme = "gcppostgres"

@pexa-afarrugia

AWS has given customers 12 months to migrate to the new CA. This is now an important issue that needs resolving.

@grilla99

Having a similar issue myself using rds-ca-rsa2048-g1 and scheme:awspostgres. Changing from awspostgres to postgres fixes it, what are the implications of this?

@romikoops

romikoops commented Apr 2, 2024

The problem has gone away after upgrading to 1.22.0 from 1.20.0.
