AWS RDS SSL Certificates are not trusted · Issue #80484 · bitnami/containers · GitHub

AWS RDS SSL Certificates are not trusted #80484


Open
selfsimilar opened this issue Apr 22, 2025 · 2 comments
Labels
tech-issues The user has a technical issue about an application triage Triage is needed wordpress

Comments

@selfsimilar
selfsimilar commented Apr 22, 2025

Name and Version

bitnami/wordpress:6.8.2

What architecture are you using?

amd64

What steps will reproduce the bug?

When trying to get this image running in a Fargate (AWS managed ECS/Kubernetes) cluster, I can only connect to an RDS instance if I set MYSQL_CLIENT_ENABLE_SSL_WRAPPER=no. If I log in to a running container and try to manually run mysql -h app.abc123.us-east-1.rds.amazonaws.com -P 3306 -u username -p I get

ERROR 2026 (HY000): TLS/SSL error: Certificate verification failure: The certificate is NOT trusted.

My guess is that the root certificate store for this image doesn't include the three current RDS certificate authorities as roots:

  • rds-ca-rsa2048-g1 (expires May 25, 2061)
  • rds-ca-ecc384-g1 (expires May 25, 2121)
  • rds-ca-rsa4096-g1 (expires May 52, 2121)

What is the expected behavior?

You should be able to connect to the RDS instance without an SSL certificate error.

What do you see instead?

PHP logs are all I see in Cloudwatch, which just say "Could not connect to the database" without other details.

@selfsimilar selfsimilar added the tech-issues The user has a technical issue about an application label Apr 22, 2025
@github-actions github-actions bot added the triage Triage is needed label Apr 22, 2025
@carrodher (Member)

Hi, the issue may not be directly related to the Bitnami container image/Helm chart, but rather to how the application is being utilized, configured in your specific environment, or tied to a particular scenario that is not easy to reproduce on our side.

If you think that's not the case and would like to contribute a solution, we'd like to invite you to create a pull request. The Bitnami team is excited to review your submission and offer feedback. You can find the contributing guidelines here.

Your contribution will greatly benefit the community. Please don't hesitate to contact us if you have any questions or need help.

Suppose you have questions about the application, customizing its content, or using technology and infrastructure. In that case, we strongly recommend that you consult the forums and user guides provided by the project responsible for the application or technology.

With that said, we'll keep this ticket open until the stale bot automatically closes it, in case someone from the community contributes valuable insights.

@selfsimilar (Author)

As I see it there are three primary issues:

  1. Logging is insufficiently verbose to identify this issue directly from logs
  2. Once the problem was identified, the documentation is not clear about which ENV var disables the MariaDB SSL connection (WORDPRESS_ENABLE_DATABASE_SSL vs WORDPRESS_VERIFY_DATABASE_SSL) or why one would want to keep SSL on to begin with when a well-architected and secure VPC should really have unencrypted traffic as a default for most services. Additionally, it looks like WORDPRESS_DATABASE_SSL_CA_FILE could import the AWS RDS CA file, but that would require manually adding the CA file to the EFS, which is not easily done.
  3. As of April 2025 AWS is still the largest cloud provider so forcing SSL database connections but not having the proper certificates pre-baked seems like an oversight.

Based on this I'd say that documentation can be improved (2) and maybe adding a new ENV var WORDPRESS_DATABASE_SSL_CA_FILE_URL that would e.g. take a URL from this list like global-bundle.pem, download it and then set WORDPRESS_DATABASE_SSL_CA_FILE to the downloaded file location.

Also, it's worth thinking about whether the major cloud providers' CAs should be added to the base image, minideb:bookworm. I know it's meant to be a small image, but CA files are not that big.

I'm just thinking out loud here, but there's lots of options and it's not clear to me what the Bitnami community thinks is the best way forward, other than perhaps improving the documentation and ideally improving the logging output.
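The ERROR 2026 in the original report is what the MySQL/MariaDB client prints when the server certificate chains to a root that is not in the client's trust store; pointing the client's --ssl-ca (or, in the image, WORDPRESS_DATABASE_SSL_CA_FILE) at the RDS bundle removes the error while keeping verification on. The POSIX sh sketch below is an added example, not code from the Bitnami image or its entrypoint scripts, of how the WORDPRESS_DATABASE_SSL_CA_FILE_URL variable proposed in the comment above could behave: fetch the bundle, refuse a non-https source, reject a download that contains no certificate, and print the path that WORDPRESS_DATABASE_SSL_CA_FILE should be set to. The function names, the /tmp destination and the bundle URL default are assumptions; the URL is the one published in the AWS RDS documentation as I know it and should be checked against the current docs.

```shell
# Added example (not part of the Bitnami WordPress image or its scripts):
# a sketch of how the WORDPRESS_DATABASE_SSL_CA_FILE_URL variable proposed
# in this thread could behave. Function names and defaults are assumptions.

# Default bundle URL as published in the AWS RDS documentation; confirm it
# against the current docs before relying on it.
RDS_GLOBAL_BUNDLE_URL="https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem"

# Count the certificates in a PEM file (0 when the file is missing or empty).
count_pem_certs() {
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true)
  echo "${n:-0}"
}

# Copy a CA bundle from a URL to a destination path. file:// URLs are copied
# locally (bundles already mounted on a volume, and offline tests); remote
# fetches are accepted only over https:// so the trust anchor itself cannot
# be replaced in transit.
fetch_ca_bundle() {
  url=$1
  dest=$2
  case "$url" in
    file://*)
      cp "${url#file://}" "$dest" ;;
    https://*)
      if command -v curl >/dev/null 2>&1; then
        curl -fsSL -o "$dest" "$url"
      elif command -v wget >/dev/null 2>&1; then
        wget -qO "$dest" "$url"
      else
        echo "no curl or wget available to fetch $url" >&2
        return 1
      fi ;;
    *)
      echo "refusing CA bundle URL that is not https:// or file://: $url" >&2
      return 1 ;;
  esac
}

# Decide which CA file the database client should use.
#   $1  value of WORDPRESS_DATABASE_SSL_CA_FILE_URL (may be empty)
#   $2  value of WORDPRESS_DATABASE_SSL_CA_FILE (may be empty)
#   $3  where a downloaded bundle is stored
# Prints the resolved path. When the URL is set but no usable bundle could be
# obtained, prints nothing, removes any partial file and returns 1 so the
# entrypoint fails loudly instead of silently connecting without a CA.
resolve_db_ssl_ca() {
  ca_url=$1
  ca_file=$2
  dest=$3
  if [ -n "$ca_url" ]; then
    fetch_ca_bundle "$ca_url" "$dest" || return 1
    if [ "$(count_pem_certs "$dest")" -eq 0 ]; then
      echo "downloaded bundle at $dest contains no certificates" >&2
      rm -f "$dest"
      return 1
    fi
    echo "$dest"
    return 0
  fi
  echo "$ca_file"
}

# How an entrypoint would call it (placeholder destination path). With the
# resolved path in hand the image would export WORDPRESS_DATABASE_SSL_CA_FILE
# and keep WORDPRESS_VERIFY_DATABASE_SSL=yes rather than disabling the wrapper.
# ca_path=$(resolve_db_ssl_ca "${WORDPRESS_DATABASE_SSL_CA_FILE_URL:-}" \
#   "${WORDPRESS_DATABASE_SSL_CA_FILE:-}" /tmp/rds-ca-bundle.pem) || exit 1
```

The same two checks are useful before opening a ticket: run count_pem_certs on whatever file the container is actually using, and run the manual mysql command from the report with --ssl-ca pointed at the RDS bundle. If the error disappears, the client and the network are fine and only the trust store was missing the RDS roots, which is a far safer finding than setting MYSQL_CLIENT_ENABLE_SSL_WRAPPER=no and giving up certificate verification on the database connection.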
