I am trying to connect to an AWS RDS instance using SSL but I keep getting this error:

mysqli_real_connect(): Unable to set private key file

What I'm doing is this:

  1. Generate key pairs in AWS, keep private key.
  2. Use OpenSSL to get the cert.pem using this command and the private key that I got from AWS: openssl req -newkey rsa:2048 -nodes -keyout private-key-generated-by-AWS.pem -x509 -days 365 -out certificate.pem
  3. I downloaded the cacert.pem from this website: https://curl.haxx.se/docs/caextract.html

Here is my code:

<?php
// Initialise the connection handle before setting the SSL options
$con = mysqli_init();

mysqli_ssl_set($con, "sshconn.pem", "certificate.pem", "cacert.pem", NULL, NULL);

if (!mysqli_real_connect($con, "myAWSendpoint", "username", "password", "DBname")) {
    die("Connect Error: " . mysqli_connect_error());
}

mysqli_close($con);
?>

I am pretty sure I am not setting my private key correctly, but I don't know what I'm doing wrong. Any suggestions? Thank you!

Using this key pair, are you able to connect to RDS over SSL using the mysql command line per the docs? - bishop
No, I am not. I get the error I mentioned in the question. - Mario Landa
So, your key set is bad, or not in the expected format. - bishop
Correct, that's why I wrote down the steps in my question. My guess is that the steps I took are wrong. Do you see anything that I might have done wrong? - Mario Landa

1 Answers

AWS RDS uses server-side authentication, not client-side. You'll need to use the master password once you set up the SSL connection, or whatever users you have provisioned inside the DB or IAM users.

https://dev.mysql.com/doc/refman/5.6/en/using-encrypted-connections.html

A root certificate that works for all regions can be downloaded at https://s3.amazonaws.com/rds-downloads/rds-ca-2015-root.pem

Intermediates are here: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html

mysql -h myinstance.c9akciq32.rds-us-east-1.amazonaws.com \
  --ssl-ca=[full path]rds-combined-ca-bundle.pem --ssl-verify-server-cert

https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_MySQL.html#MySQL.Concepts.SSLSupport
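The same server-side model applied to the questioner's PHP code, as an added example that is not part of the question or the answer: only the RDS CA bundle is passed to mysqli_ssl_set, the server certificate is verified, and the session is checked for an actual cipher before any query runs. The endpoint, credentials and bundle path are placeholders.

```php
<?php
// Added example: connect to RDS with server-certificate verification only.
// No client key or certificate is supplied, since RDS does not authenticate
// clients with certificates. Host, user, password and DB are placeholders.
$host   = 'myinstance.c9akciq32.rds-us-east-1.amazonaws.com';
$user   = 'username';
$pass   = 'password';
$db     = 'DBname';
$caFile = __DIR__ . '/rds-combined-ca-bundle.pem'; // downloaded from the AWS docs

if (!is_readable($caFile)) {
    die("CA bundle not found or unreadable: $caFile\n");
}

$con = mysqli_init();
if (!$con) {
    die("mysqli_init failed\n");
}

// Refuse the connection unless the server certificate chains to the RDS CA
// and matches the host name; without this a forged certificate is accepted.
mysqli_options($con, MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);

// Key and cert are NULL on purpose; only the CA bundle is needed.
mysqli_ssl_set($con, NULL, NULL, $caFile, NULL, NULL);

// MYSQLI_CLIENT_SSL asks the client library to negotiate TLS.
if (!mysqli_real_connect($con, $host, $user, $pass, $db, 3306, NULL, MYSQLI_CLIENT_SSL)) {
    die('Connect Error: ' . mysqli_connect_error() . "\n");
}

// Confirm the link is really encrypted: an empty Ssl_cipher means the
// client silently fell back to plaintext.
$res = mysqli_query($con, "SHOW STATUS LIKE 'Ssl_cipher'");
$row = $res ? mysqli_fetch_assoc($res) : null;
if (empty($row['Value'])) {
    mysqli_close($con);
    die("Connection is NOT encrypted\n");
}
echo "Connected over TLS using cipher: {$row['Value']}\n";

mysqli_close($con);
```

MYSQLI_OPT_SSL_VERIFY_SERVER_CERT requires the mysqlnd driver (PHP 5.6.16 or later); on older builds the option is unavailable and the server certificate is not checked.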