I am running a self-hosted n8n environment on ECS, with AWS RDS Postgres as the backend database. I encountered some issues setting this up. After trying the solutions discussed in these two posts and some more testing, I found a solution for my case, hence sharing it here.
Relevant posts:
- AWS Postgres with n8n: unable to get local issuer certificate
- Postgresql SSL connection with custom certificates
- Docs For Self Signed Certificate Setup Missing Some Detail
My issues and the corresponding solutions, progressively:
- n8n cannot connect to RDS - download the AWS RDS certificate and use it here
- each certificate file can only contain one certificate - split it
- n8n still cannot use the certificate - use the solution in post 2 (default docker entry script) to allow Node.js to use our custom certificate
- n8n can now connect to RDS with SSL, but cannot connect to other APIs with SSL, showing `unable to get local issuer certificate` - This is because Node.js now only uses our custom certificate, but not the others. See my solution below to allow both.
My solution:
```bash
mkdir -p "${PROJECT_ROOT}/custom-certificates"
curl -o "${PROJECT_ROOT}/custom-certificates/<change to your AWS region>-bundle.pem" "https://truststore.pki.rds.amazonaws.com/<change to your AWS region>/<change to your AWS region>-bundle.pem"

# Split the bundle into one certificate per file, written next to the bundle.
awk -v outdir="${PROJECT_ROOT}/custom-certificates" '
BEGIN {c=0;}
/-----BEGIN CERTIFICATE-----/ {
  if (out) close(out);
  # Prepend the desired output directory to the filename
  out = outdir "/rds-split-ca-" sprintf("%02d", ++c) ".pem";
}
out { print > out }
/-----END CERTIFICATE-----/ {
  if (out) close(out);
  out = ""; # Reset out to prevent issues
}
' "${PROJECT_ROOT}/custom-certificates/<change to your AWS region>-bundle.pem"

# Allowing custom signed certificate for n8n to RDS connection
# AND ensuring system CAs are still trusted for other HTTPS calls.
CUSTOM_CA_BUNDLE_PATH="${PROJECT_ROOT}/custom-certificates/<change to your AWS region>-bundle.pem"
if [ -f "$CUSTOM_CA_BUNDLE_PATH" ]; then
  echo "Adding custom RDS CA certificate bundle ($CUSTOM_CA_BUNDLE_PATH) to Node.js trust store via NODE_EXTRA_CA_CERTS."
  export NODE_EXTRA_CA_CERTS="$CUSTOM_CA_BUNDLE_PATH"
  # The previous method using NODE_OPTIONS="--use-openssl-ca" and SSL_CERT_DIR
  # was replaced because it could prevent Node.js from trusting default system CAs,
  # leading to "unable to get local issuer certificate" for other APIs.
  # NODE_EXTRA_CA_CERTS augments the default CAs instead of replacing them.
  # The awk script above still splits the bundle, which is harmless and might be
  # useful if other tools expect individual certificate files in that directory,
  # but it's not strictly needed for NODE_EXTRA_CA_CERTS.
  # c_rehash and SSL_CERT_DIR are no longer set here for Node.js CA purposes.
else
  echo "Warning: Custom CA bundle $CUSTOM_CA_BUNDLE_PATH not found. RDS connection might fail."
fi
```
Information on your n8n setup
- n8n version: 1.91.3
- Database (default: SQLite): AWS RDS Postgresql
- n8n EXECUTIONS_PROCESS setting (default: own, main):
- Running n8n via (Docker, npm, n8n cloud, desktop app): Docker
- Operating system: Ubuntu
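
A pre-flight check for the bundle that `NODE_EXTRA_CA_CERTS` points to, as an added example that is not part of the original post: it splits the PEM bundle, parses each certificate, and reports its SHA-256 fingerprint, CA flag, expiry, and whether Node.js already trusts it by default. The function names are hypothetical, and three of Node's bundled roots serve as a constructed stand-in for the RDS bundle so the script runs offline.

```javascript
// Added example: audit a PEM bundle before handing it to NODE_EXTRA_CA_CERTS.
const fs = require("node:fs");
const tls = require("node:tls");
const { X509Certificate } = require("node:crypto");

const PEM_BLOCK = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;

// Split a bundle into single certificates (what the awk script does on disk).
function splitPemBundle(text) {
  return text.match(PEM_BLOCK) || [];
}

// Describe every certificate the bundle would add to the trust store.
function auditBundle(text, now = new Date()) {
  const blocks = splitPemBundle(text);
  if (blocks.length === 0) {
    // Typical cause: the download saved an error page instead of the bundle.
    throw new Error("no PEM certificates found in bundle");
  }
  // Fingerprints of the CAs Node.js trusts by default.
  const defaults = new Set(
    tls.rootCertificates.map((pem) => new X509Certificate(pem).fingerprint256)
  );
  return blocks.map((pem) => {
    const cert = new X509Certificate(pem); // throws on a corrupt block
    return {
      subject: cert.subject.replace(/\n/g, ", "),
      sha256: cert.fingerprint256,
      isCA: cert.ca,
      expired: new Date(cert.validTo) < now,
      inDefaultStore: defaults.has(cert.fingerprint256),
    };
  });
}

// Constructed sample: three of Node's bundled roots stand in for the RDS
// bundle so the example runs offline.
const SAMPLE_BUNDLE = tls.rootCertificates.slice(0, 3).join("\n");

// Audit the file NODE_EXTRA_CA_CERTS points to, or the sample if it is unset.
const bundlePath = process.env.NODE_EXTRA_CA_CERTS;
const report = auditBundle(bundlePath ? fs.readFileSync(bundlePath, "utf8") : SAMPLE_BUNDLE);
for (const c of report) {
  const flags = [c.isCA ? "CA" : "NOT-A-CA", c.expired ? "EXPIRED" : "valid"];
  if (c.inDefaultStore) flags.push("already-trusted");
  console.log(`${c.sha256}  [${flags.join(", ")}]  ${c.subject}`);
}
```

Run it in the container after the entry script has exported `NODE_EXTRA_CA_CERTS`; the printed fingerprints can then be compared with the ones AWS publishes for the RDS certificate authorities.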