Unable to import certificate for AWS Data Migration Service

Question

We want to replicate our on-site MySQL database to AWS. Needless to say we need a secure connection, and setting that up has proven to be surprisingly difficult. The AWS Data Migration Service looked like the right thing, and it has the option to import a certificate.

After trial and error I discovered that AWS needed the .pem extension to even try to upload the file. According to the documentation, it expects a chained certificate file, which I have. But I get a validation error every time, with absolutely no helpful details as to what is wrong. I ensured that my private key is only 2048 bits long, as AWS seems to have trouble with larger ones. I have run the certificate through various online tools and they say it is OK. It seems that the first part of the certificate is the problem, Data Migration is happy to import the second part all by itself. Also worth noting, AWS Certificate Manager was willing to take the entire thing (though there it forces you to split the file). The certificate was generated by Let's Encrypt/Zero SSL with my CSR. I have confirmed there are no extra whitespaces in uploading the file.

-----BEGIN CERTIFICATE-----
MIIFBTCCA+2gAwIBAgISA9w/KQIPfQ7G1qbtWy6eruVwMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzEwMTUxMjU2MzZaFw0x
ODAxMTMxMjU2MzZaMBwxGjAYBgNVBAMTEWVxLnNlbnRyeWxpbmsuY29tMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4GXdQB1u967ZpUuSpaBpzVWFsIXk
YYvDVbX+1DoygaIhqAAoL+s8RgZf8jz49tbFlBc06eXhDH9qL47ZcdLUahY3TY0G
Aksl1uUpxivt7Am3WvzoeTuCO8vhObVNpVLLcyKQ7H543jswLehhSgcPKiSF3ffw
qHJMst4bw4bmzHeTp6ZX83xek8YbXE48PUktpE4sGxwHbQVTuWLDCmMJZr/Pwz6i
fpbkxoUhv4jzlwsAtyPmRIa/XTYhGhnRuPD5m1ZX2LkAuKCH4crYuXPp+F+lMc1R
K0DGoQYk0QjP2nuLmqmJPByHRaTBMb+UwvJn1Ady7qyyS+3nIzG87fzvmwIDAQAB
o4ICETCCAg0wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
BgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQFXP07WkX+3XSghpNPYr0W
3Q6LBjAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggrBgEFBQcB
AQRjMGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5sZXRzZW5jcnlw
dC5vcmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5jcnlw
dC5vcmcvMBwGA1UdEQQVMBOCEWVxLnNlbnRyeWxpbmsuY29tMIH+BgNVHSAEgfYw
gfMwCAYGZ4EMAQIBMIHmBgsrBgEEAYLfEwEBATCB1jAmBggrBgEFBQcCARYaaHR0
cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwgasGCCsGAQUFBwICMIGeDIGbVGhpcyBD
ZXJ0aWZpY2F0ZSBtYXkgb25seSBiZSByZWxpZWQgdXBvbiBieSBSZWx5aW5nIFBh
cnRpZXMgYW5kIG9ubHkgaW4gYWNjb3JkYW5jZSB3aXRoIHRoZSBDZXJ0aWZpY2F0
ZSBQb2xpY3kgZm91bmQgYXQgaHR0cHM6Ly9sZXRzZW5jcnlwdC5vcmcvcmVwb3Np
dG9yeS8wDQYJKoZIhvcNAQELBQADggEBAFxM5i3VlCpyrK0/Dnw5vtkV5TG+o/fJ
TG8elTQD8NDEuuZUee0u0jdcvP3CSGkRJo7tF1lBih8ns7Dhu2wxouM9r+3nP+7F
CYRF1BRAzj6gsTPpHX1XOv98Nq+s8NXQNFe+WxPlYtUQ4ZoJ+gVcNpm8zQY1GaMA
vb6osuru0WoOA3YeNiuRUSvMFnUMt0hO9DuknUdbbr/i9OphOz6xiWCLFPUtNNos
79yoanGZs9Kt40Ou4yhW1gZLHJfp461r0bzoh848f3+R2fwVaBUGBEYLxPNBCu7U
CK0Iualw5hRhh6620f79Lv2Z2FNrPq5kMIySaLpDWgaj5pQjXAjAVXM=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----

UPDATE: The answer, which was to focus on the intermediate certificate, is correct. Using just the intermediate was enough to get a data load completed. However, to get data load with continuing replication, you will indeed have to add in the root certificate from your certificate authority as well. Convert it to PEM format and add that to the end of the intermediate bundle, and give the resulting file to AWS.

Answer 1

Data Migration is happy to import the second part all by itself.

The second part is what DMS needs, not the first.

To assign a certificate to an endpoint, you provide the root certificate or the chain of intermediate CA certificates leading up to the root (as a certificate bundle), that was used to sign the server SSL certificate that is deployed on your endpoint.

https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Security.SSL.html#CHAP_Security.SSL.Limitations

DMS wants to be able to validate the cert on your endpoint, so it only wants the cert of the authority that signed it -- and apparently not the actual endpoint cert itself.

The "validation failed" is probably related to the fact that your first cert is your endpoint cert, which is not a CA cert.

If you check your certs with openssl x509 you note that the first file isn't a CA file...

        X509v3 Basic Constraints: critical
            CA:FALSE

...but the second one is.

        X509v3 Basic Constraints: critical
            CA:TRUE, pathlen:0

I suspect that is all you need.

However, what you have here is an intermediate. If you want to build the full chain, then you need to append the root. According to Let's Encrypt, their Intermediate CA that signed your cert was in turned signed by IdenTrust DST Root CA X3.

This checks -- confirmed out by comparing the Authority Key Identifier of Let's Encrypt Authority X3 to the Subject Key Identifier of DST Root CA X3 (again, using openssl x509).

So, remove your first cert, and upload only the second.

If this isn't sufficient, add the body of the IdentTrust DST Root CA X3 certificate to the end of your file. It's at the URL linked above, and also pasted below:

-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----