I'm trying to set up a local pgbouncer server that then connects using SSL to Amazon's PostgreSQL RDS service. According to pgbouncer's documentation, you need to use something like stunnel to connect.
I'm having a heck of a time getting stunnel configured. I can see it is accepting connections on the client side, however it is rejecting the connection to the RDS instance:
SSL alert (read): fatal: unknown CA
Perhaps the part I'm getting wrong is pointing CAFile to the "rds-ssl-ca-cert.pem" certificate Amazon supplies. It does appear to be loading it:
Loaded verify certificates from rds-ssl-ca-cert.pem
Loaded rds-ssl-ca-cert.pem revocation lookup file
When connecting I see:
2013.11.26 10:47:09 LOG7[3552:4032]: Starting certificate verification: depth=1, /C=US/ST=Washington/L=Seattle/O=Amazon.com/OU=RDS/CN=aws.amazon.com/rds/
2013.11.26 10:47:09 LOG5[3552:4032]: Certificate accepted: depth=1, /C=US/ST=Washington/L=Seattle/O=Amazon.com/OU=RDS/CN=aws.amazon.com/rds/
2013.11.26 10:47:09 LOG7[3552:4032]: Starting certificate verification: depth=0, /CN=aws.amazon.com/rds//OU=RDS/O=Amazon.com/L=Seattle/ST=Washington/C=US
2013.11.26 10:47:09 LOG5[3552:4032]: Certificate accepted: depth=0, /CN=aws.amazon.com/rds//OU=RDS/O=Amazon.com/L=Seattle/ST=Washington/C=US
Is it actually Amazon's RDS rejecting my certificate?
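For reference, a client-side stunnel configuration of the shape the question describes (pgbouncer in plaintext on localhost, stunnel carrying TLS to RDS and checking the server chain against the Amazon CA bundle), added here as an illustrative example rather than the poster's actual file; the RDS endpoint, local port and file paths are assumptions.

```ini
; Added example, not the poster's configuration. Endpoint, ports and paths are assumptions.
; debug = 7 produces the LOG7 certificate-verification lines seen in the question.
debug = 7
output = /var/log/stunnel-rds.log

[rds-postgres]
client = yes
; pgbouncer connects here in plaintext; binding to loopback keeps it off the network
accept = 127.0.0.1:5433
; Assumed placeholder for the RDS endpoint
connect = YOUR-INSTANCE.YOUR-REGION.rds.amazonaws.com:5432
; PostgreSQL negotiates TLS in-band (SSLRequest), so stunnel must speak that protocol
protocol = pgsql
; Verify the server certificate against the RDS CA bundle only (assumed path);
; verify = 2 rejects any server chain that does not end at a CA in this file
CAfile = /etc/stunnel/rds-ssl-ca-cert.pem
verify = 2
```

With `verify = 2` a chain failure on the stunnel side is logged as a local verification error rather than as an alert read from the peer, which helps tell apart the two directions of a TLS rejection.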