Fail to connect to RDS instance in ca-central-1

[greedy52]

Description

What happened:

$ ./tsh db connect --db-user alice --db-name test steve-rds 
ERROR 1105 (HY000): x509: certificate signed by unknown authority

https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html
ca bundles have been updated by AWS. need to download the new ones. (the new bundles include the old cert + the new cert)

What you expected to happen:
connect should suceed

Reproduction Steps

As minimally and precisely as possible, describe step-by-step how to reproduce the problem.

1. setup RDS instance (not aruora) and proper iam permissions
2. auto discover or static config for database agent
3. tsh db connect

Server Details

• Teleport version (run teleport version): 8
• Server OS (e.g. from /etc/os-release):
• Where are you running Teleport? (e.g. AWS, GCP, Dedicated Hardware):
• Additional details:

Client Details

• Tsh version (tsh version): 8
• Computer OS (e.g. Linux, macOS, Windows):
• Browser version (for UI-related issues):
• Installed via (e.g. apt, yum, brew, website download):
• Additional details:

Debug Logs

[greedy52]

before the fix is released, there are a few workarounds

workaround #1

1. download the latest CA bundle from AWS
2. find where we are "caching" the pem files, ex /var/lib/teleport/rds-ca-2019-root.pem, and replace the content with the newer CAs

workaround #2 (for newer version teleport that supports tls section for "static" databases)

1. download the latest CA bundle from AWS
2. overwrite tls configs to new ca bundles, ex:

  databases:
  - name: "prod"
    protocol: "postgres"
    uri: "xxx.rds.amazonaws.com:5432"
    tls:
      ca_cert_file: /path/to/new_ca_bundle