HANDSHAKE_SSL_ERROR with RDS and 3.9.3+ #2581
Comments
a bit more info, we are using the AWS RDS Proxy service between the lambda and RDS and our connection options passed to createConnection are
Thanks, @mattmbrightside. That clarifies things 🙋🏻♂️ Unfortunately, even with an RDS in hand, I wouldn't be able to reproduce this error, since it will be created with one of the new certificates. @sidorares, I think it's important to move this responsibility to a separate dependency soon for more flexibility. Users will soon be alerted to update to version ^3.9.4. I thought of these possibilities:
B) Just combine all the certificates into a larger file until we think about a major release (this option is independent of a new dependency).
I would love to help reproduce this error (and create a PR with a fix), but I seem to be having some difficulty doing so. Amazon RDS Config is
This works fine and I'm able to query the database through mysql2. Anything else you'd like me to check? Could be related to the proxy.
@wellwelwel I created https://github.com/mysqljs/aws-ssl-profiles and added you as a maintainer. Intended use, when it's ready, would be something along the lines of:

```javascript
import mysql from 'mysql2';
import awsCaBundle from 'aws-ssl-profiles';

const connection = mysql.createConnection({
  // ...
  ssl: awsCaBundle,
});
```
If only RDS would have just used public certificates like Azure 🤦♂️
Many thanks, @jeffrey-mutual 🤝 When looking into 675dd04, it's possible to see that not all old certificates have been changed, which would explain why only some servers return the authentication error.
I guess I got lucky then. Both of my databases work on 3.9.4. Without a repro I probably won't work on the PR since I wouldn't easily be able to validate the fix.
We have the same issue, we also use RDS Proxy. I found the following information from AWS: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-proxy.howitworks.html#rds-proxy-security.tls: When using a client with --ssl-mode VERIFY_CA or VERIFY_IDENTITY, specify the --ssl-ca option pointing to a CA in .pem format. For the .pem file to use, download all root CA PEMs from Amazon Trust Services and place them into a single .pem file. https://www.amazontrust.com/repository/ has 5 root CAs, I am going to add them manually to our setup and see if that resolves the problem.
Well, that actually did the trick. So there you have it. When you connect to RDS through RDS Proxy, you need the Amazon Root CAs which you can find on the website I posted in the comment above.
I can also confirm that adding those certs to the certificate chain fixes the issues for me, using RDS Proxy. Maybe they can just be added to the chain in this repo while the certificates package isn't done yet?
Same problem with Azure when using Nextjs 14
Using mysql2 with AWS Node.js lambdas and AWS RDS.
As of March 2024, our RDS instance was still on the 2019 certificate bundle. Versions of mysql2 <3.9.3 were working fine with calls to createConnection. We updated a project to 3.9.3 and started getting these errors:
```
{"errorType":"Error","errorMessage":"unable to get local issuer certificate","code":"HANDSHAKE_SSL_ERROR","message":"unable to get local issuer certificate","stack":["Error: unable to get local issuer certificate"," at fn (/private/var/folders/48/8n9w9qzn17s1gpq7tjs3cnv40000gp/T/tmplakzpggq/node_modules/mysql2/promise.js:253:31)
```
I noticed the reference to #2131 and instructed my team to update the mysql certificate bundle so we could retest. We updated RDS to bundle rds-ca-rsa2048-g1. Trying mysql2 3.9.3 gives the same error.
I noticed the mysql2 issue: #2542 regarding the certificates and waited for the fix and for 3.9.4. We have tried again with 3.9.4 and get the same error on calls to createConnection.
If anyone is successfully using this package 3.9.3 or 3.9.4 with RDS, please let me know what steps are required to get past this error. Thanks!