TLS certificate verification error on AWS RDS

Recently, when upgrading the Docker base image for a Ruby on Rails app, the app suddenly started raising "SSL error: certificate verify failed" exceptions when attempting to connect to Postgres. Unfortunately, the error message doesn't describe why verification failed.

The base image was being upgraded from Debian 9 (Stretch) to Debian 10 (Buster). The Postgres 11 instance (which started life on 9.x, so it’s older) is hosted by AWS RDS and configured to require TLS connections.

It turns out that AWS RDS only supports TLS 1.0. However, Debian 10’s openssl config defaults to requiring TLS 1.2+. The result is the certificate verification error above.

The quick fix is to modify /etc/ssl/openssl.cnf (as this is what changed between Debian 9 and 10) to allow TLS 1.0. Near the bottom of the file, change

MinProtocol = TLSv1.2

to

MinProtocol = TLSv1.0

Or, run this simple one liner:

sed -i -e 's/TLSv1.2/TLSv1.0/' /etc/ssl/openssl.cnf
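As an added example (not from the original post), here is a small POSIX shell script that makes the same openssl.cnf change on a copy of the file while touching only the MinProtocol key, and then reads the setting back. The sample config is constructed here to mirror the system_default_sect block at the tail of Debian 10's /etc/ssl/openssl.cnf; the probe_tls_version function is an assumed helper that uses openssl s_client's -starttls postgres mode to check which TLS versions a Postgres endpoint accepts, and because it needs network access it is defined but not run in the demo.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Edits only the MinProtocol key of an openssl.cnf-style file and reads it back.
set -eu

# Print the value of the last MinProtocol line in a config file (empty if none).
min_protocol() {
  sed -n 's/^[[:space:]]*MinProtocol[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# Rewrite only the MinProtocol key ($2 = new protocol name, e.g. TLSv1.0).
# Unlike a bare s/TLSv1.2/TLSv1.0/, other lines mentioning TLSv1.2 are left alone.
# Uses a temporary file instead of sed -i so it also works on non-GNU sed.
set_min_protocol() {
  sed -e "s/^\([[:space:]]*MinProtocol[[:space:]]*=[[:space:]]*\).*/\1$2/" "$1" > "$1.tmp" \
    && mv "$1.tmp" "$1"
}

# Constructed sample mirroring the tail of Debian 10's /etc/ssl/openssl.cnf.
# Note that the same section also sets CipherString; this script never touches it.
make_sample_cnf() {
  cat > "$1" <<'EOF'
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
EOF
}

# Assumed helper: report whether the server completes a handshake when the client
# is pinned to one TLS version ($3 = tls1, tls1_1 or tls1_2). openssl s_client
# exits non-zero when the handshake fails. Needs network access; not run below.
probe_tls_version() {
  if openssl s_client -connect "$1:$2" -starttls postgres "-$3" </dev/null >/dev/null 2>&1; then
    echo "$3: accepted"
  else
    echo "$3: rejected"
  fi
}

# Demonstration on a temporary copy (the post's edit targets /etc/ssl/openssl.cnf itself).
demo() {
  f=$(mktemp)
  make_sample_cnf "$f"
  echo "before: MinProtocol = $(min_protocol "$f")"
  set_min_protocol "$f" TLSv1.0
  echo "after:  MinProtocol = $(min_protocol "$f")"
  rm -f "$f"
}
demo
```

To diagnose the real endpoint, run probe_tls_version against the RDS hostname on port 5432 once for each of tls1, tls1_1 and tls1_2; the versions that come back "accepted" are what the client's MinProtocol must allow.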

The better fix is to upgrade/replace the Postgres server to support TLS 1.2+ since TLS 1.0 and 1.1 are being deprecated. Note that /etc/ssl/openssl.cnf is read by every OpenSSL client in the image, not just the Postgres driver, so the quick fix lowers the TLS floor for all of them and should be treated as temporary.


mail.app and smtp

apple’s mail.app works fairly well. that is, until something goes wrong. i know—stating the obvious. but hang with me for a moment. if you’re sending outbound email over ssl and/or with authentication, things get messy quickly. for reasons unknown to me, apple hasn’t seen fit to provide any debugging information at all. nothing lands in the console log and certainly no description of the error is presented to you, the willing email sender. instead you receive a terse message: ‘Cannot send message using the server ’. yay; super helpful.

i’ve done some digging with the help of the mail server itself, so perhaps if you’re getting this less than descriptive error, there is hope.