6
votes

Mysql2::Error (SSL connection error: ASN: bad other signature confirmation):

I am making an administration site. The environment is Rails 4.2 and Ruby 2.2, connecting to AWS RDS from a Heroku server. I don't know why I am getting this error. It suddenly appeared. I can't find any errors other than this. Although my code passed two days ago, I got this error this time. (I haven't touched this code during those two days.)

How can I solve this problem?

2
And then, I thought this error was caused by SSL Certificate Rotation. I confirmed the SSL certificate is updated (rds-ca-2015) and I have already rebooted, but nothing changes. I'm still stuck! Please help me! - Toshihiro Yokota

2 Answers

26
votes

For me, this had to do with the RDS SSL Certificate Rotation that happened on April 3rd, 2015.

However, in my case, just using the root certificate did not work, and I had to use an intermediate certificate for my region as well. Details:

  1. Go into the AWS RDS console and reboot your RDS instance.

  2. Download the new root certificate https://s3.amazonaws.com/rds-downloads/rds-ca-2015-root.pem. Put it into the config directory of your app.

  3. Download the intermediate certificate for your database region here. I had to use the US east one, but you will have to pick the one for your region.

  4. This is the key step. You need to combine the intermediate certificate and the root certificate into one file so that the intermediate certificate is above the root certificate, forming a certificate chain. Open the intermediate certificate using a text editor, copy its contents, and paste them into config/rds-ca-2015-root.pem, on top, above the root certificate. So, after you are done, config/rds-ca-2015-root.pem should be the intermediate certificate followed by the root certificate, all in this file.

  5. Get your current database URL:

         heroku config

     and then look for the DATABASE_URL property.

  6. Update your database URL to use the new certificate file. All you should have to change is the name of the certificate (since it's now called rds-ca-2015-root.pem):

         heroku config:add DATABASE_URL="mysql2://DB_NAME:DB_PASSWORD@DB_URL/DB_NAME?sslca=config/rds-ca-2015-root.pem"

  7. Commit the changes and redeploy to Heroku.

1
votes

Four years later (2019) and AWS are rotating CA certs again, as expected.

RDS users are recommended to switch from the 2015 cert to the 2019 cert by 2019-11-01, and "no later than" 2020-02-05. The 2015 certificates expire on 2020-03-05.

I used the following procedure, based on RDS' Rotating Your SSL/TLS Certificate guide.

  1. Schedule downtime
  2. Download new certificates, save in config
     • Only the root cert is needed: rds-ca-2019-root.pem
       • The instructions mention a 2015+2019 bundle, but I couldn't find it. This file is 2019 only.
     • Region-specific intermediate certs are not needed
  3. Commit, but don't deploy yet
  4. heroku maintenance:on
  5. In RDS web console, modify server
     • In the Network & Security section, choose rds-ca-2019
     • Apply changes immediately
  6. Scale dynos down to 0
  7. heroku config:set DATABASE_URL=mysql2://myuser:[email protected]/mydb?sslca=config/rds-ca-2019-root.pem
  8. Deploy
  9. Scale dynos up, watch logs
  10. heroku maintenance:off

There are many reasonable variations on this procedure; this is just what worked for me.
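
An added example, not code from either answer: a Ruby check that a CA file passed as `sslca` is an ordered chain (intermediate above root, as step 4 of the first answer describes, or a single root as in the second answer) and that none of its certificates is outside its validity period. The helper names and the generated certificates are constructed for the example and are not the real RDS certificates.

```ruby
require "openssl"

# Split a PEM bundle into certificate objects, preserving file order.
def bundle_certs(pem)
  pem.scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
     .map { |block| OpenSSL::X509::Certificate.new(block) }
end

# Return a list of problems; an empty list means every certificate is signed
# by the one below it, the last one is self-signed, and all are valid at `at`.
def bundle_problems(pem, at: Time.now)
  certs = bundle_certs(pem)
  return ["no certificates found"] if certs.empty?
  certs.each_with_index.flat_map do |cert, i|
    signer = certs[i + 1] || cert # the last certificate must sign itself
    found = []
    found << "#{cert.subject}: not signed by the certificate below it" unless cert.verify(signer.public_key)
    found << "#{cert.subject}: not valid at #{at.utc}" unless (cert.not_before..cert.not_after).cover?(at)
    found
  end
end

# Constructed sample data: a throwaway root and intermediate (hypothetical
# names, not the real RDS certificates), generated so the example runs offline.
def sample_cert(cn, key, signer_cert: nil, signer_key: key, days: 30)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = signer_cert ? signer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 86_400
  cert.not_after = Time.now + days * 86_400
  cert.sign(signer_key, OpenSSL::Digest.new("SHA256"))
end

ROOT_KEY = OpenSSL::PKey::RSA.new(2048)
MID_KEY = OpenSSL::PKey::RSA.new(2048)
ROOT = sample_cert("example-root", ROOT_KEY)
MID = sample_cert("example-intermediate", MID_KEY, signer_cert: ROOT, signer_key: ROOT_KEY)

if __FILE__ == $PROGRAM_NAME
  puts bundle_problems(MID.to_pem + ROOT.to_pem).inspect # intermediate above root
  puts bundle_problems(ROOT.to_pem + MID.to_pem)         # wrong order is reported
end
```

To check a real file before deploying, call `bundle_problems(File.read("config/rds-ca-2015-root.pem"))` and treat a non-empty result as a failed check.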