-
-
Notifications
You must be signed in to change notification settings - Fork 627
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update Amazon RDS SSL CA cert #2131
Conversation
Thanks @alexjurkiewicz ! |
I'm curious why the need for 115 certs - can we just have the 4 root instead? |
I didn't check the cert tree very closely but I don't think there are four roots. Each certificate in this bundle is signed only by itself. For what it's worth, most mysql-client implementations don't validate the server's identity. They only use the certificate for encryption. Reducing default ssl mode strictness might be an even simpler (albeit still major semver) change for you. |
also there are GovCloud 10 certs in https://truststore.pki.us-gov-west-1.rds.amazonaws.com/global/global-bundle.pem |
The following certificate chain is used for connections with aurora serveless and RDS proxy. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html
example
Currently, I am able to verify with /~https://github.com/sidorares/node-mysql2/blob/master/lib/constants/ssl_profiles.js#L1089-L1107 |
Guys, it will be great if someone with access to the original mysql lib (/~https://github.com/mysqljs/mysql/issues) can report this also there. I'm unable to open an issue in that project, as I'm not in the collaboration list. Not sure if still maintained as has not been updated in 4 years, but worth trying. Cheers. |
Hi @jhbarrantes I am updating the certs there too. I'll have a release with them soon. Apologies there was some spam to the repo so it was temp measure. |
Nothing to apologize, glad to hear you're already patching the other one as well. Thank you very much @dougwilson |
Hey guys, thanks a lot for this maintenance work! |
Can this be merged in soon? I've been waiting to update my RDS instances for the new certs to be merged in. The deadline is a few months out. https://aws.amazon.com/blogs/aws/rotate-your-ssl-tls-certificates-now-amazon-rds-and-amazon-aurora-expire-in-2024/ |
@lbadger I'll try to find some time soon to review and potentially merge, but you can always just download certs manually and use your own ssl config |
Hello! Commenting here to give more visibility on AWS timelines, as this can be time sensitive for some people using IAM authentication for RDS databases:
|
This comment has been minimized.
This comment has been minimized.
our development environment just stopped working because of this. It would be great if this can be addressed soon 🙏🏽 |
Same here. After getting errors, we bundle the new eu-central-1-bundle.pem RDS certificate manually with our app instead of relying on the |
Can this be merged? |
@wellwelwel I'm thinking to merge this, though the better solution would be to extract profiles to separate repo and use it as a dependency ( here and mysqljs/mysql ) and then later as a semver major release make it optional dependency and add documentation on how to use it ( and explain in details in the error message when I guess this should be a semver minor release? |
@sidorares, we can merge this PR in a similar way to what was done when deciding the "typeCast for execute".
About this, I believe this could be done in a further About minor or patch:
Yes, agreed 🙋🏻♂️ |
Released in v3.9.3 🚀 |
Hello, this release has broken my connection to my Aurora MySQL instance:
I was able to resolve this issue by reverting back to v3.9.2 |
Fixes #2130.
The new cert chain is significantly longer, there are 115 certs now. This reflects the fact there are four CA root types with per-region unique certificates.