无法使用带有服务器CA验证的TLS连接到AWS数据库 [英] Cannot Connect to AWS Database using TLS with Server CA Validation
问题描述
AWS文档指出,要连接到我的DocumentDB集群,我需要使用一个以?ssl_ca_certs=rds-combined-ca-bundle.pem&replicaSet=rs0
结尾的查询字符串. 这是我的客户的根证书链应该验证.我不需要客户证书.>
使用MongoDB C#驱动程序和此特定查询,并将.pem
文件放在同一目录中,我无法建立连接.如果我使用相同的.pem
文件和Mongo Shell中的查询字符串,则可以正确连接到我的数据库.它仅对我的.net核心应用程序无效,该应用程序也可在AWS上运行.
通过从群集中删除TLS并从查询中删除ssl_ca_certs
选项,我可以正确连接到群集.
我以为可以使用openssl
将.pem
文件转换为.pfx
,但是我必须给.pfx
设置密码和
尝试将RDS CA文件添加到C#信任库中.
X509Store store = new X509Store(StoreName.Root);
X509Certificate2 ca = new X509Certificate2(<path_to_rds-combined-ca-bundle.pem>);
try {
store.Open(OpenFlags.ReadWrite);
store.Add(ca);
} catch (Exception ex) {
Console.WriteLine("Root certificate import failed: " + ex.Message);
throw;
} finally {
store.Close();
}
AWS documentation states that to connect to my DocumentDB Cluster, I need to use a query string that ends like so ?ssl_ca_certs=rds-combined-ca-bundle.pem&replicaSet=rs0
. It is a root certificate chain that my Client should validate. I should not need a Client Certificate.
Using the MongoDB C# driver and this specific query, with the .pem
file in the same directory, I cannot establish the connection. If I use the same .pem
file and query string from the Mongo Shell, I can correctly connect to my database. It only doesn't work from my .net core application, that also runs on AWS.
By removing TLS from the Cluster and removing the ssl_ca_certs
option from the query, I can connect correctly to my Cluster.
I thought I could convert my .pem
file to a .pfx
using openssl
, but I have to give the .pfx
a password and MongoDB documentation states that
It is imperative that when loading a certificate with a password, the PrivateKey property not be null. If the property is null, it means that your certificate does not contain the private key and will not be passed to the server.
How can I use the .pem
file provided by Amazon AWS to connect to my database using the C# MongoDB driver?
Try adding the RDS CA file into your C# trust store.
X509Store store = new X509Store(StoreName.Root);
X509Certificate2 ca = new X509Certificate2(<path_to_rds-combined-ca-bundle.pem>);
try {
store.Open(OpenFlags.ReadWrite);
store.Add(ca);
} catch (Exception ex) {
Console.WriteLine("Root certificate import failed: " + ex.Message);
throw;
} finally {
store.Close();
}
这篇关于无法使用带有服务器CA验证的TLS连接到AWS数据库的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!