Fixing the "PKIX path building failed" error when connecting to RDS


Problem

After the AWS RDS CA certificate was updated (from rds-ca-2019 to rds-ca-rsa2048-g1), JDBC connections to the PostgreSQL database started failing with "PKIX path building failed", i.e. Java could not build a chain from the server certificate to any trusted root:

org.postgresql.util.PSQLException: SSL error: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:)

The connection string uses sslmode=verify-full, so the driver checks both the certificate chain and the host name:

jdbc:postgresql://xxxxxxxxxxxxxxxxxxxxxxx:5432/db_name_xxxx?sslmode=verify-full

(Screenshot: the RDS console change from rds-ca-2019 to rds-ca-rsa2048-g1.)

Analysis and fix

Following the official documentation, and because the instance is in eu-central-1, the file to download is the regional certificate bundle (eu-central-1-bundle.pem).

The bundle was then converted into a DER-encoded .crt file at the path pgjdbc reads by default:

openssl x509 -outform der -in eu-central-1-bundle.pem -out ~/.postgresql/root.crt

This did not resolve the problem.

Inspecting the newly generated file (it is DER, so OpenSSL releases before 3.0 need -inform der; 3.x detects the format):

openssl x509 -inform der -in root.crt -noout -text

The subject is CN = Amazon RDS Root 2019 CA. That is the rds-ca-2019 root, not the rds-ca-rsa2048-g1 root.

Let's look at what the downloaded bundle actually contains:

keytool -printcert -v -file eu-central-1-bundle.pem

As shown below, the bundle holds 5 certificates. The fourth one, CN=Amazon RDS eu-central-1 Root CA RSA2048 G1, is the rds-ca-rsa2048-g1 root we need:

Certificate[1]:
Owner: CN=Amazon RDS Root 2019 CA, OU=Amazon RDS, O="Amazon Web Services, Inc.", ST=Washington, L=Seattle, C=US
Issuer: CN=Amazon RDS Root 2019 CA, OU=Amazon RDS, O="Amazon Web Services, Inc.", ST=Washington, L=Seattle, C=US
Serial number: c73467369250ae75
Valid from: Fri Aug 23 01:08:50 CST 2019 until: Fri Aug 23 01:08:50 CST 2024
Certificate fingerprints:
         SHA1: D4:0D:DB:29:E3:75:0D:FF:A6:71:C3:14:0B:BF:5F:47:8D:1C:80:96
         SHA256: F2:54:C7:D5:E9:23:B5:B7:51:0C:D7:9E:F7:77:7C:1C:A7:E6:4A:3C:97:22:E4:0D:64:54:78:FC:70:AA:D0:08
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key


Certificate[2]:
Owner: CN=Amazon RDS eu-central-1 2019 CA, OU=Amazon RDS, O="Amazon Web Services, Inc.", L=Seattle, ST=Washington, C=US
Issuer: CN=Amazon RDS Root 2019 CA, OU=Amazon RDS, O="Amazon Web Services, Inc.", ST=Washington, L=Seattle, C=US
Serial number: 5766
Valid from: Thu Sep 12 03:36:20 CST 2019 until: Fri Aug 23 01:08:50 CST 2024
Certificate fingerprints:
         SHA1: 53:46:18:4A:42:65:A2:8C:5F:5B:0A:AD:E2:2C:80:E5:E6:8A:6D:2F
         SHA256: 0A:7D:2F:10:8E:F8:FA:AE:86:CF:9A:55:3D:B0:95:B6:52:35:B9:A3:94:D0:18:99:C1:A6:4F:85:8E:10:80:95
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key


Certificate[3]:
Owner: L=Seattle, CN=Amazon RDS eu-central-1 Root CA ECC384 G1, ST=WA, OU=Amazon RDS, O="Amazon Web Services, Inc.", C=US
Issuer: L=Seattle, CN=Amazon RDS eu-central-1 Root CA ECC384 G1, ST=WA, OU=Amazon RDS, O="Amazon Web Services, Inc.", C=US
Serial number: 7a741b70ffd96e3f49c6f67e8d76d19d
Valid from: Sat May 22 06:33:24 CST 2021 until: Thu May 22 07:33:24 CST 2121
Certificate fingerprints:
         SHA1: D2:EB:0B:A8:7C:0B:45:9C:89:BA:A4:62:C1:5C:BF:58:E2:67:98:DC
         SHA256: AE:69:7D:08:2E:E1:86:2F:71:1E:CA:E3:89:3C:3C:61:3B:73:15:D0:20:F7:46:74:05:15:34:A5:B1:66:D4:7B
Signature algorithm name: SHA384withECDSA
Subject Public Key Algorithm: 384-bit EC (secp384r1) key


Certificate[4]:
Owner: L=Seattle, CN=Amazon RDS eu-central-1 Root CA RSA2048 G1, ST=WA, OU=Amazon RDS, O="Amazon Web Services, Inc.", C=US
Issuer: L=Seattle, CN=Amazon RDS eu-central-1 Root CA RSA2048 G1, ST=WA, OU=Amazon RDS, O="Amazon Web Services, Inc.", C=US
Serial number: ef1b7a437bad445eb8d3c6f294932ad1
Valid from: Sat May 22 06:23:47 CST 2021 until: Sun May 22 07:23:47 CST 2061
Certificate fingerprints:
         SHA1: 94:E6:F1:A2:7C:F2:30:F8:69:EC:32:B4:61:1C:A1:0A:82:80:AD:05
         SHA256: 3D:8B:08:A7:39:0C:9B:10:D1:90:A6:B3:49:D7:03:AE:00:BA:E4:65:83:64:33:19:C7:FA:CC:F3:E5:DC:4A:8B
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key


Certificate[5]:
Owner: L=Seattle, CN=Amazon RDS eu-central-1 Root CA RSA4096 G1, ST=WA, OU=Amazon RDS, O="Amazon Web Services, Inc.", C=US
Issuer: L=Seattle, CN=Amazon RDS eu-central-1 Root CA RSA4096 G1, ST=WA, OU=Amazon RDS, O="Amazon Web Services, Inc.", C=US
Serial number: 3380bc83988546e71259d0bc11da8778
Valid from: Sat May 22 06:28:26 CST 2021 until: Thu May 22 07:28:26 CST 2121
Certificate fingerprints:
         SHA1: D6:87:8C:CE:33:C9:63:C3:D2:5B:FD:75:BE:DE:E0:46:15:87:A8:DF
         SHA256: 31:11:F3:22:E4:48:C2:6E:A2:72:2C:02:E2:97:14:DA:CE:16:D5:C3:93:36:CD:F6:DF:BF:FB:C0:36:8D:53:32
Signature algorithm name: SHA384withRSA
Subject Public Key Algorithm: 4096-bit RSA key

openssl x509 only processes the first certificate it finds in its input. Converting the whole .pem bundle therefore produced a root.crt containing only Certificate[1], the rds-ca-2019 root, which cannot anchor a chain issued by the new G1 root, so verification failed.

Next, split the 5 certificates in the bundle into separate files with awk (the output file name is parenthesised, since an unparenthesised concatenation after > is parsed differently by different awk implementations):

awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > ("cert." c ".pem") }' < eu-central-1-bundle.pem


Confirm that the fourth certificate is the one we need:

keytool -printcert -v -file cert.4.pem


Regenerate the .crt file from cert.4.pem alone:

openssl x509 -outform der -in cert.4.pem -out ~/.postgresql/root.crt

Check the generated certificate again (again, add -inform der on OpenSSL versions before 3.0):

openssl x509 -inform der -in ~/.postgresql/root.crt -noout -text

With the subject now showing CN = Amazon RDS eu-central-1 Root CA RSA2048 G1, the connection with sslmode=verify-full succeeds and the problem is solved.

Two things worth checking on your own setup. First, the keytool dump above shows that the rds-ca-2019 root (Certificate[1]) is only valid until 2024-08-23, so any trust store still pinned to it breaks at that date regardless of when the server certificate is rotated. Second, Java's CertificateFactory.generateCertificates() reads every certificate in a PEM file, and recent pgjdbc releases load sslrootcert that way, so copying the whole PEM bundle to ~/.postgresql/root.crt without any DER conversion is the simpler alternative and also covers the ECC384 and RSA4096 roots; verify this against the driver version you run, since older releases only read the first certificate. Picking out the single root you actually need, as done here, keeps the trust store minimal, which is the safer default.
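The following script is added here as an example; it is not part of the original post or of any AWS or pgjdbc tooling. It automates and generalises the steps above: instead of assuming the wanted root is the fourth entry, it splits the bundle, selects the certificate by subject CN, installs it as DER at the path pgjdbc reads by default, and then uses openssl verify to check that a server certificate actually chains to that root. It assumes only that openssl and awk are on PATH; the bundle path, the CN and the optional server certificate file are arguments, and all function names are this example's own.

```shell
#!/bin/sh
# Added example for this post (not the author's script). Picks one CA out of a
# multi-certificate PEM bundle by subject CN, installs it as DER where pgjdbc looks
# by default (~/.postgresql/root.crt), and checks a server certificate against it.
# Assumes: openssl and awk on PATH. Function and file names are this example's own.
set -eu

# Print the subject CN of a certificate ($1 = file, $2 = pem|der, default pem).
# RFC 2253 output is stable across OpenSSL versions; a CN containing a comma would
# be cut at the escaped comma, which does not occur in the RDS CA names.
subject_cn() {
  openssl x509 -inform "${2:-pem}" -in "$1" -noout -subject -nameopt RFC2253 \
    | sed 's/.*CN=\([^,]*\).*/\1/'
}

# Split a PEM bundle ($1) into $2/cert.1.pem, cert.2.pem, ... (one certificate each)
# and print how many were found. Anything before the first BEGIN line is dropped.
split_bundle() {
  bundle=$1; outdir=$2
  mkdir -p "$outdir"
  awk -v d="$outdir" '/BEGIN CERT/ { c++ }
                      c > 0        { print > (d "/cert." c ".pem") }
                      END          { print c + 0 }' "$bundle"
}

# List "<file>  CN" for every certificate in the split directory ($1).
list_subjects() {
  for f in "$1"/cert.*.pem; do
    printf '%s  %s\n' "$f" "$(subject_cn "$f")"
  done
}

# Print the path of the first certificate in $1 whose CN equals $2; status 1 if none.
find_by_cn() {
  for f in "$1"/cert.*.pem; do
    if [ "$(subject_cn "$f")" = "$2" ]; then
      printf '%s\n' "$f"
      return 0
    fi
  done
  return 1
}

# Convert a single PEM certificate ($1) to DER at $2 and print the CN read back from
# the DER file. Running openssl x509 on the whole bundle instead would silently keep
# only the first certificate, which is the mistake this post is about.
install_root() {
  mkdir -p "$(dirname "$2")"
  openssl x509 -inform pem -in "$1" -outform der -out "$2"
  subject_cn "$2" der
}

# Succeed only if the PEM server certificate $2 chains to the DER root $1.
verify_against_root() {
  pem=$(mktemp)
  openssl x509 -inform der -in "$1" -out "$pem"
  if openssl verify -CAfile "$pem" "$2" >/dev/null; then rc=0; else rc=1; fi
  rm -f "$pem"
  return $rc
}

# Usage: sh pick_rds_root.sh <bundle.pem> "<root CN>" [server.pem]
if [ "$#" -ge 2 ]; then
  n=$(split_bundle "$1" ./split)
  echo "bundle holds $n certificates:"
  list_subjects ./split
  chosen=$(find_by_cn ./split "$2") || { echo "no certificate with CN=$2" >&2; exit 1; }
  echo "installed root CN: $(install_root "$chosen" "$HOME/.postgresql/root.crt")"
  if [ "$#" -ge 3 ]; then
    if verify_against_root "$HOME/.postgresql/root.crt" "$3"; then
      echo "$3 verifies against the installed root"
    else
      echo "$3 does NOT verify against the installed root" >&2; exit 1
    fi
  fi
fi
```

To obtain the certificate the endpoint really serves for the final check, run openssl s_client -starttls postgres -connect HOST:5432 -showcerts against the instance and save the first PEM block it prints; if verify_against_root rejects it, the root you selected is not the one that issued the server certificate, which is exactly the situation the PKIX error reports.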

Appendix

Certificate subject (DN) attributes as printed by keytool and openssl:

  • CN: CommonName
  • OU: OrganizationalUnit
  • O: Organization
  • L: Locality
  • ST (sometimes shown as S): StateOrProvinceName
  • C: CountryName