4 votes

I will preface by saying I can connect to the DB instance when I'm not trying to go over SSL.

I am following this guide here

http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Aurora.Connect.html

I have ensured the db instance is public facing.

The security group of the VPC has the following rules:

Type                  Protocol  Port Range  Source
MySQL/Aurora (3306)   TCP (6)   3306        my_ip_address/32
MySQL/Aurora (3306)   TCP (6)   3306        sg-security_group_name

Where the security_group_name is the security group for my EC2 cluster.

I am using the cluster endpoint of my Aurora cluster, and I've removed the port. I installed mysql on my machine using Homebrew. This is the command I am trying from my local machine (MacBook):

mysql -h blah-database-cluster.cluster-dfgdgfd.us-east-1.rds.amazonaws.com --ssl-ca=rds-ssl-ca-cert.pem --ssl-verify-server-cert

Where rds-ssl-ca-cert.pem is the file I downloaded from here:

http://s3.amazonaws.com/rds-downloads/rds-ssl-ca-cert.pem

I get the error:

ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)

I have tried creating a new instance, rebooting etc and no joy. Does my security group need some kind of https rule?

Edit:

Further clue. When I run mysql --ssl locally it doesn't error. But when I run SHOW VARIABLES in mysql, it says SSL false, and the have_ssl and have_open_ssl variables don't exist. Could this be the problem? I installed the local mysql via the Homebrew package manager for Mac.

New edit:

I re-installed mysql (previously from brew, now directly from Oracle), and when I try to connect it gives a different error: SSL connection error: ASN: bad other signature confirmation

It's definitely not in the security group, since MySQL (unlike HTTP) has a mechanism for negotiating the use of SSL and a separate port isn't needed. Out of curiosity, you are using the full DNS hostname when connecting, yes? What happens if you omit --ssl-verify-server-cert? – Michael - sqlbot

@Michael-sqlbot Yes, I'm using the full hostname. If I omit verify server cert I get the same error. If I omit SSL completely and try an ordinary mysql command line connection I can get in. I am thinking this means something about my client-side mysql and SSL isn't working. I've noticed that the have_ssl and have_open_ssl variables don't exist either. – Hard worker

Is the time on your local machine correct? Drifting clocks can cause errors with SSL. – Mike Ryan

@MikeRyan Yes, it's correct. It's in a different time zone to the server, but locally here the time is correct. – Hard worker

Ok, time zones won't be an issue. Does it work if you connect directly to one of the DB node endpoints, i.e. not the cluster endpoint? – Mike Ryan

4 Answers

7 votes
  1. At present the AWS Aurora documentation is linking to an out of date SSL certificate to use, hence the problem. This has been confirmed by the AWS support staff. Use this instead: https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem

  2. Even when using that certificate, connecting to the cluster end-point over SSL still doesn't work for the command line using mysql -h connection. If I change from the cluster end-point to the instance end-point strangely it works.

  3. Bizarrely, mysql workbench does connect over ssl, both to the instance end-point AND the cluster-end point.

1 vote

Use mysql with the --skip-ssl option if you are not using SSL. If nothing helps, upgrade your mysql client.

0 votes

From the docs it appears the restriction to the instance endpoint for SSL connections is a security constraint associated with the certificate.

Amazon RDS creates an SSL certificate and installs the certificate on the DB instance when Amazon RDS provisions the instance. These certificates are signed by a certificate authority. The SSL certificate includes the DB instance endpoint as the Common Name (CN) for the SSL certificate to guard against spoofing attacks. As a result, you cannot use the DB cluster endpoint to connect to the primary instance of the DB cluster using SSL.
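The two accepted-answer observations (instance endpoint works over SSL, cluster endpoint does not) and the documentation quoted above both come down to hostname verification: with --ssl-verify-server-cert the client compares the name it dialled against the names in the server certificate, and the RDS certificate names only the instance endpoint. The following is an added example, not code from the question, the answers or AWS; it reimplements that check in Python against a constructed certificate in the dict layout Python's ssl.SSLSocket.getpeercert() returns. The endpoint hostnames and the certificate contents are hypothetical, chosen to mirror the shapes in the question, and the example assumes (as the quoted docs describe) that the certificate carries the instance endpoint only as its Common Name.

```python
"""Hostname verification the way --ssl-verify-server-cert performs it.

Added example. The certificate is constructed; the endpoints are hypothetical
and merely follow the Aurora naming shape seen in the question.
"""

# Hypothetical Aurora endpoints (not real hosts).
INSTANCE_ENDPOINT = "blah-database-instance.dfgdgfd.us-east-1.rds.amazonaws.com"
CLUSTER_ENDPOINT = "blah-database-cluster.cluster-dfgdgfd.us-east-1.rds.amazonaws.com"

# Constructed peer certificate, same layout as ssl.SSLSocket.getpeercert().
# Assumption: the instance endpoint appears only as the CN, no subjectAltName,
# as the RDS documentation quoted in the answer describes.
RDS_INSTANCE_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Amazon.com"),),
        (("commonName", INSTANCE_ENDPOINT),),
    ),
    "issuer": ((("commonName", "Amazon RDS Root CA (constructed)"),),),
}


def cert_dns_names(cert):
    """Names a client may match the hostname against (RFC 6125 order):
    subjectAltName dNSName entries when present, otherwise the CN."""
    san = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    return [value for rdn in cert.get("subject", ())
            for (kind, value) in rdn if kind == "commonName"]


def dns_name_matches(pattern, hostname):
    """Exact match, or a single '*' standing for the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels, hlabels = pattern.split("."), hostname.split(".")
    # The wildcard must be the entire leftmost label, cover exactly one label,
    # and leave at least two fixed labels so "*.com" cannot match everything.
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def hostname_matches(cert, hostname):
    """True if any name in the certificate covers the hostname that was dialled."""
    return any(dns_name_matches(name, hostname) for name in cert_dns_names(cert))


def check_endpoint(cert, hostname):
    """Verdict string mirroring what a verifying client would conclude."""
    names = cert_dns_names(cert)
    if hostname_matches(cert, hostname):
        return f"OK: {hostname} matches certificate name(s) {names}"
    return f"FAIL: {hostname} not in certificate name(s) {names}"


if __name__ == "__main__":
    # Instance endpoint passes; cluster endpoint fails, which is the
    # behaviour reported in the accepted answer.
    print(check_endpoint(RDS_INSTANCE_CERT, INSTANCE_ENDPOINT))
    print(check_endpoint(RDS_INSTANCE_CERT, CLUSTER_ENDPOINT))
```

Chain validation against the CA bundle (the other half of what --ssl-verify-server-cert plus --ssl-ca do) is a separate step from the name check above; in Python it would be ssl.create_default_context(cafile="rds-combined-ca-bundle.pem") with check_hostname left enabled. To see the real certificate's CN and SAN for your own cluster, fetch it with an OpenSSL 1.1.0 or later build using openssl s_client -starttls mysql -connect <endpoint>:3306 -showcerts, which performs the in-band MySQL SSL negotiation Michael - sqlbot mentions in the comments.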