HANDSHAKE_SSL_ERROR with RDS and 3.9.3+ #2581
Comments
a bit more info, we are using the AWS RDS Proxy service between the lambda and RDS and our connection options passed to createConnection are
Thanks, @mattmbrightside. That clarifies things 🙋🏻♂️ Unfortunately, even with an RDS in hand, I wouldn't be able to reproduce this error, since it will be created with one of the new certificates. @sidorares, I think it's important to move this responsibility to a separate dependency soon for more flexibility. Users will soon be alerted to update to version ^3.9.4. I thought of these possibilities:
B) Just combine all the certificates into a larger file until we think about a major release (this option is independent of a new dependency).
I would love to help reproduce this error (and create a PR with a fix), but I seem to be having some difficulty doing so. Amazon RDS Config is
This works fine and I'm able to query the database through mysql2. Anything else you'd like me to check? Could be related to the proxy.
@wellwelwel I created https://github.com/mysqljs/aws-ssl-profiles and added you as a maintainer. Intended use when it's ready would be something along the lines of:

    import awsCaBundle from 'aws-ssl-profiles';

    const connection = mysql.createConnection({
      // ...
      ssl: awsCaBundle
    });
If only RDS would have just used public certificates like Azure 🤦♂️
Really, thanks, @jeffrey-mutual 🤝 When looking into 675dd04, it's possible to see that not all old certificates have been changed, which would explain why only some servers return the authentication error.
I guess I got lucky then. Both of my databases work on 3.9.4. Without a repro I probably won't work on the PR since I wouldn't easily be able to validate the fix.
We have the same issue, we also use RDS Proxy. I found the following information from AWS: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-proxy.howitworks.html#rds-proxy-security.tls: When using a client with --ssl-mode VERIFY_CA or VERIFY_IDENTITY, specify the --ssl-ca option pointing to a CA in .pem format. For the .pem file to use, download all root CA PEMs from Amazon Trust Services and place them into a single .pem file. https://www.amazontrust.com/repository/ has 5 root CAs, I am going to add them manually to our setup and see if that resolves the problem.
Well, that actually did the trick. So there you have it. When you connect to RDS through RDS Proxy, you need the Amazon Root CAs, which you can find on the website I posted in the comment above.
I can also confirm that adding those certs to the certificate chain fixes the issues for me, using RDS Proxy. Maybe they can just be added to the chain in this repo while the certificates package isn't done yet?
Same problem with Azure when using Next.js 14.
Hi, we have run into the same issue in our team, and we have been able to solve it without directly including the CA certificate. We have two RDS databases, one for our staging environment and one for production (both use
Right now I think this can be a little confusing for anyone intending to use RDS Proxy with TLS, because there are no instructions in the documentation for setting up a successful connection. Another alternative, as @pedrovanzella said, would be to include these CA certificates to both
Hi, @MarioRomanDono 🙋🏻♂️ The In theory, the issue would be fixed by adding the AWS Proxy certificates to the existing ones in aws-ssl-profiles, then import it to MySQL2.
Currently the test suite is breaking on some tests after MySQL Server
Using mysql2 with AWS Node.js Lambdas and AWS RDS.
As of March 2024, our RDS instance was still on the 2019 certificate bundle. Versions of mysql2 <3.9.3 were working fine with calls to createConnection. We updated a project to 3.9.3 and started getting these errors:
{"errorType":"Error","errorMessage":"unable to get local issuer certificate","code":"HANDSHAKE_SSL_ERROR","message":"unable to get local issuer certificate","stack":["Error: unable to get local issuer certificate"," at fn (/private/var/folders/48/8n9w9qzn17s1gpq7tjs3cnv40000gp/T/tmplakzpggq/node_modules/mysql2/promise.js:253:31)
I noticed the reference to #2131 and instructed my team to update the mysql certificate bundle so we could retest. We updated RDS to bundle rds-ca-rsa2048-g1. Trying mysql2 3.9.3 gives the same error.
I noticed the mysql2 issue: #2542 regarding the certificates and waited for the fix and for 3.9.4. We have tried again with 3.9.4 and get the same error on calls to createConnection.
If anyone is successfully using this package 3.9.3 or 3.9.4 with RDS, please let me know what steps are required to get past this error. Thanks!