I've been using Node.js LTS with RDS MySQL databases for some time. I recently spun up an RDS serverless Aurora MySQL 5.6 cluster. Unlike my other RDS databases, I can't get Node.js to connect to the new serverless cluster with SSL using the Node mysql or mysql2 adapters.
From a single Ubuntu instance with a single Node.js app:
I can successfully connect the Node app to any of my older RDS databases (MySQL 5.6.40) using SSL:
// works with other RDS databases:
const fs = require('fs');
const mysql = require('mysql2');
const config = require('../config');

var connectionArgs = {
  host: config.old_rds_host,
  database: config.old_rds_database,
  user: config.old_rds_user,
  password: config.old_rds_password,
  port: config.rds.port,
  ssl: {
    ca: fs.readFileSync(__dirname + '/../rds-combined-ca-bundle.pem')
  }
};

var connection = mysql.createConnection(connectionArgs);
From the same machine, I can connect with SSL to the new RDS cluster using the MySQL client without issues:
// Works with new RDS serverless cluster:
mysql -u rds_serverless_user -p -h new-rds-serverless-cluster.us-west-2.rds.amazonaws.com -P 3306 --ssl --ssl-ca=./rds-combined-ca-bundle.pem
I can successfully connect the Node app to the new serverless cluster without SSL:
// Works with new RDS serverless cluster:
const fs = require('fs');
const mysql = require('mysql2');
const config = require('../config');

var connectionArgs = {
  host: config.rds_host,
  database: config.rds_serverless_database,
  user: config.rds_serverless_user,
  password: config.rds_serverless_password,
  port: config.rds.port
};

var connection = mysql.createConnection(connectionArgs);
But when I try to connect to the new serverless cluster with the SSL cert, I get an error that the server does not support a secure connection:
// Fails with new RDS serverless cluster:
const fs = require('fs');
const mysql = require('mysql2');
const config = require('../config');

var connectionArgs = {
  host: config.rds_host,
  database: config.rds_serverless_database,
  user: config.rds_serverless_user,
  password: config.rds_serverless_password,
  port: config.rds.port,
  ssl: {
    ca: fs.readFileSync(__dirname + '/../rds-combined-ca-bundle.pem')
  }
};

var connection = mysql.createConnection(connectionArgs);
Debug: internal, implementation, error
Error: Server does not support secure connnection
at ClientHandshake.handshakeInit (/home/deploy_user/my-node-rds-app/node_modules/mysql2/lib/commands/client_handshake.js:120:17)
at ClientHandshake.Command.execute (/home/deploy_user/my-node-rds-app/node_modules/mysql2/lib/commands/command.js:40:20)
at Connection.handlePacket (/home/deploy_user/my-node-rds-app/node_modules/mysql2/lib/connection.js:513:28)
at PacketParser.onPacket (/home/deploy_user/my-node-rds-app/node_modules/mysql2/lib/connection.js:81:16)
at PacketParser.executeStart (/home/deploy_user/my-node-rds-app/node_modules/mysql2/lib/packet_parser.js:76:14)
at Socket.<anonymous> (/home/deploy_user/my-node-rds-app/node_modules/mysql2/lib/connection.js:89:29)
at emitOne (events.js:116:13)
at Socket.emit (events.js:211:7)
at addChunk (_stream_readable.js:263:12)
at readableAddChunk (_stream_readable.js:250:11)
at Socket.Readable.push (_stream_readable.js:208:10)
at TCP.onread (net.js:601:20)
So what's different? The only obvious difference between the older RDS databases and the new serverless cluster is that the old instances are MySQL 5.6.40 and the new RDS cluster is Aurora MySQL 5.6.10a. Also the older RDS instance hostnames resolve to a single private IP while the new cluster hostname resolves to multiple private IPs.
I get the same results using the mysql adapter. I've also tried the "Amazon RDS" SSL profile in the mysql adapter and get the same results.
I cannot use the IAM database auth because this service will need to handle more than 20 new connections/second.
Any advice would be greatly appreciated.
Comments:

… "status" command from the CLI client? (or maybe a "SHOW STATUS LIKE 'Ssl_cipher';" query)? Just trying to double check that the command line client is actually connected securely and was not silently downgraded to a plaintext connection as it's the only option available – Andrey Sidorov

… "debug: true" flag and post some relevant lines from the logs? (esp. server flags) – Andrey Sidorov

… "--ssl-mode=REQUIRED" I get back: ERROR 2026 (HY000): SSL connection error: Server doesn't support SSL. – user2700992