无法使用带有服务器CA验证的TLS连接到AWS数据库 [英] Cannot Connect to AWS Database using TLS with Server CA Validation

问题描述

AWS文档指出，要连接到我的DocumentDB集群，我需要使用一个以?ssl_ca_certs=rds-combined-ca-bundle.pem&replicaSet=rs0结尾的查询字符串. 这是我的客户的根证书链应该验证.我不需要客户证书.

使用MongoDB C#驱动程序和此特定查询，并将.pem文件放在同一目录中，我无法建立连接.如果我使用相同的.pem文件和Mongo Shell中的查询字符串，则可以正确连接到我的数据库.它仅对我的.net核心应用程序无效，该应用程序也可在AWS上运行.

通过从群集中删除TLS并从查询中删除ssl_ca_certs选项，我可以正确连接到群集.

我以为可以使用openssl将.pem文件转换为.pfx，但是我必须给.pfx设置密码和 由Amazon AWS提供的文件，以使用C#MongoDB驱动程序连接到我的数据库?

解决方案

尝试将RDS CA文件添加到C#信任库中.

             X509Store store = new X509Store(StoreName.Root);
            X509Certificate2 ca = new X509Certificate2(<path_to_rds-combined-ca-bundle.pem>);
            try {
                store.Open(OpenFlags.ReadWrite);
                store.Add(ca);
            } catch (Exception ex) {
                Console.WriteLine("Root certificate import failed: " + ex.Message);
                throw;
            } finally {
                store.Close();
            }
 

AWS documentation states that to connect to my DocumentDB Cluster, I need to use a query string that ends like so ?ssl_ca_certs=rds-combined-ca-bundle.pem&replicaSet=rs0. It is a root certificate chain that my Client should validate. I should not need a Client Certificate.

Using the MongoDB C# driver and this specific query, with the .pem file in the same directory, I cannot establish the connection. If I use the same .pem file and query string from the Mongo Shell, I can correctly connect to my database. It only doesn't work from my .net core application, that also runs on AWS.

By removing TLS from the Cluster and removing the ssl_ca_certs option from the query, I can connect correctly to my Cluster.

I thought I could convert my .pem file to a .pfx using openssl, but I have to give the .pfx a password and MongoDB documentation states that

It is imperative that when loading a certificate with a password, the PrivateKey property not be null. If the property is null, it means that your certificate does not contain the private key and will not be passed to the server.

How can I use the .pem file provided by Amazon AWS to connect to my database using the C# MongoDB driver?

解决方案

Try adding the RDS CA file into your C# trust store.

            X509Store store = new X509Store(StoreName.Root);
            X509Certificate2 ca = new X509Certificate2(<path_to_rds-combined-ca-bundle.pem>);
            try {
                store.Open(OpenFlags.ReadWrite);
                store.Add(ca);
            } catch (Exception ex) {
                Console.WriteLine("Root certificate import failed: " + ex.Message);
                throw;
            } finally {
                store.Close();
            }

这篇关于无法使用带有服务器CA验证的TLS连接到AWS数据库的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！