Recently, AWS RDS had a required maintenance for updating certs.
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html
After this maintenance was completed, we are no longer able to connect to AWS RDS Aurora Postgres using the "Amazon RDS" Profile for SSL.
We are getting below error.
Error:
Cannot connect to Database
2020-01-14 14:43:35{ Error: unable to get local issuer certificate
2020-01-14 14:43:35at TLSSocket.<anonymous> (/opt/app/node_modules/mysql/lib/Connection.js:320:48)
2020-01-14 14:43:35at TLSSocket.emit (events.js:182:13)
2020-01-14 14:43:35at TLSSocket.EventEmitter.emit (domain.js:442:20)
2020-01-14 14:43:35at TLSSocket._finishInit (_tls_wrap.js:629:8)
2020-01-14 14:43:35--------------------
2020-01-14 14:43:35at Protocol._enqueue (/opt/app/node_modules/mysql/lib/protocol/Protocol.js:144:48)
2020-01-14 14:43:35at Protocol.handshake (/opt/app/node_modules/mysql/lib/protocol/Protocol.js:51:23)
2020-01-14 14:43:35at PoolConnection.connect (/opt/app/node_modules/mysql/lib/Connection.js:119:18)
2020-01-14 14:43:35at Pool.getConnection (/opt/app/node_modules/mysql/lib/Pool.js:48:16)
2020-01-14 14:43:35at /opt/app/node_modules/typeorm/driver/mysql/MysqlDriver.js:757:18
2020-01-14 14:43:35at new Promise (<anonymous>)
2020-01-14 14:43:35at MysqlDriver.createPool (/opt/app/node_modules/typeorm/driver/mysql/MysqlDriver.js:754:16)
2020-01-14 14:43:35at MysqlDriver.<anonymous> (/opt/app/node_modules/typeorm/driver/mysql/MysqlDriver.js:267:51)
2020-01-14 14:43:35at step (/opt/app/node_modules/tslib/tslib.js:133:27)
2020-01-14 14:43:35at Object.next (/opt/app/node_modules/tslib/tslib.js:114:57)
2020-01-14 14:43:35at /opt/app/node_modules/tslib/tslib.js:107:75
2020-01-14 14:43:35at new Promise (<anonymous>)
2020-01-14 14:43:35at Object.__awaiter (/opt/app/node_modules/tslib/tslib.js:103:16)
2020-01-14 14:43:35at MysqlDriver.connect (/opt/app/node_modules/typeorm/driver/mysql/MysqlDriver.js:252:24)
2020-01-14 14:43:35at Connection.<anonymous> (/opt/app/node_modules/typeorm/connection/Connection.js:113:58)
2020-01-14 14:43:35at step (/opt/app/node_modules/tslib/tslib.js:133:27)
2020-01-14 14:43:35at Object.next (/opt/app/node_modules/tslib/tslib.js:114:57)
2020-01-14 14:43:35at /opt/app/node_modules/tslib/tslib.js:107:75
2020-01-14 14:43:35at new Promise (<anonymous>)
2020-01-14 14:43:35at Object.__awaiter (/opt/app/node_modules/tslib/tslib.js:103:16)
2020-01-14 14:43:35at Connection.connect (/opt/app/node_modules/typeorm/connection/Connection.js:105:24)
2020-01-14 14:43:35at Object.<anonymous> (/opt/app/node_modules/typeorm/index.js:196:82) code: 'HANDSHAKE_SSL_ERROR', fatal: true }
Since AWS RDS has updated their certs, would the "Amazon RDS" Profile need to be updated in this repo?
Any help would be appreciated.
Same problem using Aurora MySQL (am assuming that's what is meant by the OP). In case it helps, here's a similar thread from another repo where they updated their certificate reference: https://github.com/getredash/redash/issues/4290
Hi everyone 👋 a new version of this module with the new Amazon RDS root certificate will be published later today (edit: Jan 20) for everyone, at which time this issue will close out.
I'm a little confused with "Aurora RDS Postgres" mentioned here; I can only assume (like @NickKellett) that is a typo, otherwise I believe it was probably reported to the wrong place.
@dougwilson will that update also be applied to version 3.30.4?
Version 3.30.4 of what?
@dougwilson sorry, Nick had referenced this in a sequelize post that I created. I am using 3.30.4 of sequelize and was wondering if it will work with that version. Sounds like it will if I upgrade my mysql client? To what version?
Sorry I'm not familiar with sequelize. They may or may not need to update as well. I would suggest to open an issue on their project to track this.
@dougwilson I did, you can see above the AWS Certificate Authority #11839... thanks
Hi @ksaleemL1 , please test the latest version on GitHub in your environment so we can make sure that it fixed your issue before I close this out. Instructions are in the install section: https://github.com/mysqljs/mysql#install
@dougwilson that inclusion of 2019 CA, is that in version 2.17.1?
@dougwilson is there still a plan to move bundled certificates to a separate module?
Yes, and I have an automated script to download them and keep up to date. I just released as-is for now so I wasn't getting constant messages :laughing:
Great, thanks for the update ;) I don't feel as much pressure as you so I'll just wait for that module
By the way @ksaleemL1 have you been able to test the new changes to see if your issue is resolved?
@dougwilson Appreciate the quick fix. We had deployed an alternative solution where we manually download the certs and then reference them in the SSL section, which worked for us. That said, it's going to be hard for me to test this out without rolling back my changes.
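The workaround described in the comment above (download the RDS CA bundle and reference it in the `ssl` section), sketched as an added example that is not code from the mysql module or from anyone in this thread. The function names and the placeholder bundle are constructed for illustration; the returned object is what would be passed as the `ssl` connection option.

```javascript
// Added example: names and sample data are constructed, not from the mysql module.
// Placeholder PEM blocks stand in for the real RDS CA bundle, which would be
// read with fs.readFileSync('<path to downloaded bundle>', 'utf8').
const SAMPLE_BUNDLE = [
  '# constructed bundle, not real certificates',
  '-----BEGIN CERTIFICATE-----\nCONSTRUCTED-PLACEHOLDER-1\n-----END CERTIFICATE-----',
  '-----BEGIN CERTIFICATE-----\nCONSTRUCTED-PLACEHOLDER-2\n-----END CERTIFICATE-----',
].join('\n');

const PEM_BLOCK = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;

// Split a bundle file (several PEM certificates, optional comments) into one
// string per certificate so an empty or truncated download is caught early.
function splitPemBundle(pemText) {
  return (String(pemText).match(PEM_BLOCK) || []).map((block) => block + '\n');
}

// Build the object form of the `ssl` connection option: explicit trust
// anchors, verification left on.
function sslOptionsFromBundle(pemText) {
  const ca = splitPemBundle(pemText);
  if (ca.length === 0) throw new Error('CA bundle contains no PEM certificates');
  return { ca, rejectUnauthorized: true };
}

// Review an `ssl` setting for choices that would mask a trust failure
// instead of fixing it.
function auditSslConfig(ssl) {
  if (ssl === undefined || ssl === null || ssl === false) return ['TLS not requested'];
  if (typeof ssl === 'string') {
    return [`bundled profile "${ssl}": trust anchors depend on the installed module version`];
  }
  const findings = [];
  if (ssl.rejectUnauthorized === false) findings.push('certificate verification disabled');
  if (!ssl.ca || ssl.ca.length === 0) findings.push('no explicit CA: Node default trust store is used');
  return findings;
}

console.log(auditSslConfig({ rejectUnauthorized: false })); // weak: two findings
console.log(auditSslConfig(sslOptionsFromBundle(SAMPLE_BUNDLE))); // pinned: none
```

Pinning the bundle this way keeps certificate verification on, so a later CA rotation shows up as the same `unable to get local issuer certificate` handshake error rather than as a silently unverified connection.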
Thanks @ksaleemL1, understandable. I will close this issue for now, but if you're able to test at some point in the future and find it doesn't work, please let us know.
@dougwilson this issue still exists after I updated the mysql client... any ideas?
SequelizeConnectionError: unable to get local issuer certificate
Please open a new issue and provide all the details so I can reproduce the issue and debug it. You're also welcome to make a pull request with the fix. If debugging it requires access to a paid service, let me know and we can communicate off github so you can provide credentials to test :+1: