SSL connection error when trying to connect to mysql Aurora via the mysql CLI
I will preface by saying I can connect to the DB instance when I'm not trying to go over SSL.
I am following this guide here
http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Aurora.Connect.html
I have ensured the db instance is public facing.
The security group of the VPC has the following rules:
| Type | Protocol | Port Range | Source |
|---|---|---|---|
| MySQL/Aurora (3306) | TCP (6) | 3306 | my_ip_address/32 |
| MySQL/Aurora (3306) | TCP (6) | 3306 | sg-security_group_name |
Where the security_group_name is the security group for my EC2 cluster.
I am using the cluster endpoint of my aurora cluster. And I've removed the port. I installed mysql on my machine using homebrew. This is the command I am trying from my local machine (macbook):
mysql -h blah-database-cluster.cluster-dfgdgfd.us-east-1.rds.amazonaws.com --ssl-ca=rds-ssl-ca-cert.pem --ssl-verify-server-cert
Where rds-ssl-ca-cert.pem is the file I downloaded from here:
http://s3.amazonaws.com/rds-downloads/rds-ssl-ca-cert.pem
I get the error:
ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
I have tried creating a new instance, rebooting etc and no joy. Does my security group need some kind of https rule?
Edit:
Further clue. When I run mysql --ssl locally it doesn't error. But when I do mysql show_variables, it says SSL false and the have_ssl and have_open_ssl variables don't exist. Could this be the problem? I installed the local mysql via homebrew package manager for mac.
New edit:
I re-installed mysql (previously from brew) and now direct from oracle and when I try to connect it gives a different error - SSL connection error: ASN: bad other signature confirmation
Solution 1:[1]
At present the AWS Aurora documentation is linking to an out of date SSL certificate to use, hence the problem. This has been confirmed by the AWS support staff. Use this instead: https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem
Even when using that certificate, connecting to the cluster end-point over SSL still doesn't work for the command line using mysql -h connection. If I change from the cluster end-point to the instance end-point strangely it works.
Bizarrely, mysql workbench does connect over ssl, both to the instance end-point AND the cluster-end point.
Solution 2:[2]
Use mysql with the --skip-ssl option if you are not using SSL. If nothing helps, upgrade your mysql client.
Solution 3:[3]
From the docs it appears the restriction to the instance endpoint for SSL connections is a security constraint associated with the certificate.
Amazon RDS creates an SSL certificate and installs the certificate on the DB instance when Amazon RDS provisions the instance. These certificates are signed by a certificate authority. The SSL certificate includes the DB instance endpoint as the Common Name (CN) for the SSL certificate to guard against spoofing attacks. As a result, you cannot use the DB cluster endpoint to connect to the primary instance of the DB cluster using SSL.
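The quoted documentation explains the cluster-endpoint failure as a hostname check: the instance certificate names the instance endpoint, and `--ssl-verify-server-cert` compares that name with the host you typed. The following is an added example, not code from the Stack Overflow thread, the mysql client or AWS. It is a simplified RFC 6125 hostname matcher that reproduces that decision offline; the cluster endpoint is the one from the question, while the instance endpoint is a constructed placeholder (the thread never gives one).

```python
"""Why --ssl-verify-server-cert fails on the Aurora cluster endpoint.

Added example (not from the thread, the mysql client or AWS): a minimal
RFC 6125-style hostname matcher that mimics the check the client does
when --ssl-verify-server-cert is set.  INSTANCE_ENDPOINT is a constructed
placeholder; only CLUSTER_ENDPOINT appears in the question.
"""

CLUSTER_ENDPOINT = "blah-database-cluster.cluster-dfgdgfd.us-east-1.rds.amazonaws.com"
# Constructed placeholder for the writer instance behind that cluster.
INSTANCE_ENDPOINT = "blah-database-instance-1.dfgdgfd.us-east-1.rds.amazonaws.com"

# Names carried by the (constructed) RDS instance certificate: CN = instance endpoint.
RDS_INSTANCE_CERT_NAMES = [INSTANCE_ENDPOINT]


def _label_matches(pattern: str, label: str) -> bool:
    """Match one DNS label; a bare '*' may stand in for a whole label."""
    return pattern == "*" or pattern == label


def hostname_matches(cert_name: str, hostname: str) -> bool:
    """Return True if `hostname` is covered by the certificate name `cert_name`.

    Rules applied (RFC 6125 section 6.4.3, simplified):
    - comparison is case-insensitive and ignores a trailing dot;
    - a wildcard is honoured only as the entire leftmost label
      ("*.example.com"), never as a partial label ("f*.example.com")
      and never in any other position;
    - a wildcard matches exactly one label, so label counts must agree.
    """
    pattern_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(pattern_labels) != len(host_labels):
        return False
    if any("*" in p for p in pattern_labels[1:]):
        return False  # wildcard outside the leftmost label: reject
    first = pattern_labels[0]
    if "*" in first and first != "*":
        return False  # partial-label wildcard such as "blah*": reject
    return all(_label_matches(p, h) for p, h in zip(pattern_labels, host_labels))


def verify_server_cert(cert_names, hostname: str) -> bool:
    """Emulate the client's --ssl-verify-server-cert decision.

    `cert_names` are the names the server certificate presents (SAN dNSNames,
    falling back to the CN).  The RDS instance certificate names only the
    instance endpoint, so connecting by the cluster endpoint fails the check.
    """
    return any(hostname_matches(n, hostname) for n in cert_names)


if __name__ == "__main__":
    for host in (INSTANCE_ENDPOINT, CLUSTER_ENDPOINT):
        ok = verify_server_cert(RDS_INSTANCE_CERT_NAMES, host)
        print(f"{host}: {'OK' if ok else 'hostname mismatch -> SSL connection error'}")
```

Run as a script it prints a pass for the instance endpoint and a mismatch for the cluster endpoint, which is exactly the behaviour Solution 1 observed from the command line. The matcher also shows why a wildcard certificate would not help here: the cluster endpoint has one more label than the instance endpoint, and a wildcard never spans labels.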
Solution 4:[4]
FYI please try using this key as well (from Amazon docs)
https://s3.amazonaws.com/rds-downloads/rds-ca-2015-root.pem
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html
Solution 5:[5]
For me I had to use:
mysql --ssl-mode=DISABLED -u [USER] -p[PASSWORD] -h [HOST] [DB]
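Solutions 2 and 5 make the error go away by turning TLS off (`--skip-ssl`, `--ssl-mode=DISABLED`), which is a different outcome from the question's `--ssl-ca` plus `--ssl-verify-server-cert`. As an added example (not code from the thread), here is a small audit function a defender can run over shell history or CI scripts to report the TLS posture a given `mysql` command line actually gets. It assumes the documented mysql client options (`--ssl-mode=...`, the legacy `--ssl`/`--skip-ssl`, `--ssl-ca`, `--ssl-verify-server-cert`, `-p<password>`/`--password=`) and a 5.7-or-later client whose default mode is `PREFERRED`; the sample command lines are the two quoted in the thread plus one constructed hardened variant.

```python
"""Report the TLS posture of a mysql client command line.

Added example, not from the Stack Overflow thread.  Maps the TLS-related
options of the mysql CLI (current --ssl-mode values and the legacy
--ssl / --skip-ssl / --ssl-verify-server-cert flags) to what a connection
actually guarantees, and flags a password passed inline.  Assumes a
mysql 5.7+ client, whose default mode is PREFERRED.
"""
import shlex

# Modes in increasing order of protection, with the guarantee each one gives.
SSL_MODE_RANK = {
    "DISABLED": 0,         # no TLS at all
    "PREFERRED": 1,        # TLS if offered, silent fallback to plaintext
    "REQUIRED": 2,         # TLS enforced, server certificate not verified
    "VERIFY_CA": 3,        # chain verified against --ssl-ca
    "VERIFY_IDENTITY": 4,  # chain + hostname verified (like --ssl-verify-server-cert)
}

# Constructed sample command lines: the two quoted in the thread and one hardened form
# (the endpoint in the hardened line is a placeholder, not a real host).
SAMPLE_CMDLINES = {
    "question": "mysql -h blah-database-cluster.cluster-dfgdgfd.us-east-1.rds.amazonaws.com "
                "--ssl-ca=rds-ssl-ca-cert.pem --ssl-verify-server-cert",
    "solution 5": "mysql --ssl-mode=DISABLED -u [USER] -p[PASSWORD] -h [HOST] [DB]",
    "hardened": "mysql --ssl-mode=VERIFY_IDENTITY --ssl-ca=rds-combined-ca-bundle.pem "
                "-h instance-endpoint.example.invalid -u admin -p",
}


def audit_mysql_cmdline(cmdline: str) -> dict:
    """Return the effective TLS mode and findings for one mysql invocation."""
    argv = shlex.split(cmdline)
    long_opts = {}
    inline_password = False
    for arg in argv[1:]:
        if arg.startswith("--"):
            key, _, val = arg[2:].partition("=")
            long_opts[key] = val or True
        elif arg.startswith("-p") and len(arg) > 2:
            inline_password = True  # -pSECRET: password on the command line
    if long_opts.get("password") not in (None, True):
        inline_password = True  # --password=SECRET

    # An explicit --ssl-mode wins; otherwise derive the mode from legacy flags.
    mode_val = long_opts.get("ssl-mode")
    if isinstance(mode_val, str) and mode_val.upper() in SSL_MODE_RANK:
        mode = mode_val.upper()
    elif "skip-ssl" in long_opts:
        mode = "DISABLED"
    elif "ssl-verify-server-cert" in long_opts:
        mode = "VERIFY_IDENTITY"
    elif "ssl-ca" in long_opts:
        mode = "VERIFY_CA"
    elif "ssl" in long_opts:
        mode = "REQUIRED"
    else:
        mode = "PREFERRED"

    rank = SSL_MODE_RANK[mode]
    findings = []
    if rank == 0:
        findings.append("TLS disabled: credentials and queries travel in plaintext")
    elif rank == 1:
        findings.append("PREFERRED: falls back to plaintext if the server offers no TLS")
    elif rank == 2:
        findings.append("server certificate not verified: any server can impersonate the DB")
    elif rank == 3:
        findings.append("chain verified but hostname not checked")
    if inline_password:
        findings.append("password on the command line (visible in process lists and shell history)")

    return {
        "mode": mode,
        "tls_enforced": rank >= 2,
        "identity_verified": rank == 4,
        "inline_password": inline_password,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, cmd in SAMPLE_CMDLINES.items():
        report = audit_mysql_cmdline(cmd)
        print(f"[{label}] mode={report['mode']}")
        for f in report["findings"]:
            print(f"    - {f}")
```

Against the thread's own command lines the audit rates the question's invocation as `VERIFY_IDENTITY` (the strongest mode, which is why the cluster endpoint's name mismatch surfaced at all) and Solution 5's as `DISABLED` with the password exposed on the command line.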
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Hard worker |
| Solution 2 | |
| Solution 3 | Jay Carlton |
| Solution 4 | kskiran |
| Solution 5 | Mauvis Ledford |