
I want to set up an encrypted connection from my Ubuntu Server to an Aurora Serverless MySQL with engine version 5.7, however SSL seems to be disabled on the service by default.

    show variables like '%ssl%';
    | Variable_name | Value    |
    | have_openssl  | DISABLED |
    | have_ssl      | DISABLED |

This is unlike Aurora RDS where using SSL is pretty straightforward and enabled by default.

This is the error:

    mysql -h <cluster-endpoint> -u <username> -p --ssl-ca=rds-ca-2019-us-east-1-bundle.pem
    Enter password:
    ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)

MySQL client version:

    mysql  Ver 14.14 Distrib 5.7.31, for Linux (x86_64) using  EditLine wrapper

Parameter Group settings are default.

The error seems to be similar to the ones addressed here but the message is completely different.

https://aws.amazon.com/premiumsupport/knowledge-center/rds-error-2026-ssl-connection/

The TLS/SSL for Serverless documentation seems to suggest the usage is basically the same for RDS and Serverless.

https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-serverless.html#aurora-serverless.tls

I am pretty much a Database Noob, any troubleshooting help would be appreciated.

Have you read this? docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/… You don't need to specify that CA certificate bundle file when connecting to Aurora Serverless, since it uses AWS ACM SSL certificates. - Mark B

What confused me about that note is that they say "you don't need to use the RDS certs"; the language led me to believe that it still works with the RDS bundle. Does Aurora Serverless only work with ACM-generated certs? And why is the 'have_ssl' variable still set to DISABLED? - Quest_Bot_3000

Yes, you would need to either not specify the bundle file (because the ACM root certificate is probably already loaded on your server) or specify the ACM root certificate bundle, which is different from the RDS root certificate bundle (there's a link to this file at the bottom of that page I linked). - Mark B

1 Answer


There are two important things you need to know about Aurora Serverless.

  1. The use of SSL is highly recommended and it’s the first choice for establishing a new connection. So you don't need to do anything about that. You definitely don't need to download SSL/TLS certificates, and in fact you shouldn't. Leave the rotation and management of certificates to Aurora. It makes your life simpler.

  2. Based on the official documentation [1], checking have_openssl or have_ssl is not the right way to validate that your connection uses SSL. You need to use the --ssl-mode parameter to validate that.

[1] https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-serverless.html#aurora-serverless.tls

You can ensure that your session uses TLS between your client and the Aurora Serverless VPC endpoint. To do so, specify the requirement on the client side with the --ssl-mode parameter.
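As an added example (not part of the question or the answer above), the following shell helpers put the answer's point into practice: the client enforces TLS with --ssl-mode, and the session is verified through the Ssl_cipher status variable rather than have_ssl, which only describes the server build. It assumes the mysql 5.7 client, that DB_USER and the password are supplied via ~/.my.cnf, and the Ssl_cipher sample outputs are constructed.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Assumes the mysql 5.7 client and credentials in ~/.my.cnf.

# Build the TLS arguments for the mysql client.
# REQUIRED refuses to fall back to plaintext (enough for the answer's
# point). VERIFY_CA / VERIFY_IDENTITY also check the server cert and
# need a CA file; for Aurora Serverless that is the ACM root bundle,
# not the RDS bundle the question tried (path passed as $2, assumed).
mysql_tls_args() {
  mode="$1"; ca="${2:-}"
  case "$mode" in
    REQUIRED) echo "--ssl-mode=REQUIRED" ;;
    VERIFY_CA|VERIFY_IDENTITY)
      [ -n "$ca" ] || { echo "CA file required for $mode" >&2; return 1; }
      echo "--ssl-mode=$mode --ssl-ca=$ca" ;;
    *) echo "unsupported ssl-mode: $mode" >&2; return 1 ;;
  esac
}

# Decide from the batch output of
#   mysql -N -B -e "SHOW STATUS LIKE 'Ssl_cipher'"
# whether the current session is encrypted: Ssl_cipher is empty on a
# plaintext session and names the negotiated cipher suite otherwise.
session_is_encrypted() {
  cipher=$(printf '%s\n' "$1" | awk -F'\t' '$1=="Ssl_cipher"{print $2}')
  [ -n "$cipher" ]
}

# Connect to $1 with TLS required (CA file optional in $2, which
# upgrades the check to VERIFY_IDENTITY) and report whether the
# session that was actually negotiated is encrypted.
check_live_session() {
  if [ -n "${2:-}" ]; then args=$(mysql_tls_args VERIFY_IDENTITY "$2")
  else args=$(mysql_tls_args REQUIRED); fi || return 1
  out=$(mysql -h "$1" $args -N -B -e "SHOW STATUS LIKE 'Ssl_cipher'") \
    || return 1
  session_is_encrypted "$out"
}

# Constructed sample outputs: an encrypted and a plaintext session.
SAMPLE_TLS="$(printf 'Ssl_cipher\tECDHE-RSA-AES128-GCM-SHA256')"
SAMPLE_PLAIN="$(printf 'Ssl_cipher\t')"
```

Run `check_live_session <cluster-endpoint>` against the real endpoint; a non-zero exit means the client either could not negotiate TLS or the server reported an empty cipher.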