jeremydaly / serverless-mysql

A module for managing MySQL connections at SERVERLESS scale
MIT License

"unable to get local issuer certificate" - AWS Lambdas connecting to RDS using "rds-ca-rsa2048-g1" certificate #159

Open headseed opened 1 month ago

headseed commented 1 month ago

We have successfully been using serverless-mysql for several years in our AWS implementation that uses Lambdas to connect to an AWS Aurora Serverless MySQL RDS instance. The Lambdas and RDS are in the same AWS account. We have always successfully used the "ssl: 'Amazon RDS'" setting in our connection object in all of our Node.js Lambdas.

However, in our RDS instance we recently upgraded our RDS certificate to "rds-ca-rsa2048-g1" from "rds-ca-2019". Now that we are using "rds-ca-rsa2048-g1", our Lambdas can no longer connect to our RDS. We receive "unable to get local issuer certificate" errors.

We assumed the "ssl: 'Amazon RDS'" setting in the connection string would automatically handle the new certificate, but that does not seem to be the case. The "ssl: 'Amazon RDS'" setting has always worked perfectly well with the old certificate.

We opened a Support Case with AWS and were able to resolve our issue programmatically, but I am reaching out to the serverless-mysql team in thoughts that you may want to implement a fix in the module so that the "Amazon RDS" setting will be able to successfully resolve the connection with the new certificate.

naorpeled commented 1 month ago

Hey @headseed

I'm not 100% sure how to approach this yet, could you please share what you guys did programmatically in order to fix this issue if possible?

Thanks in advance

RidwaanManuel commented 1 month ago

I am also seeing the same issue in my test environment. Since Lambda Node.js 18 automatically loads Amazon-specific CA, the fix was easy. I just updated the SSL setting like this: ssl: { rejectUnauthorized: true }.

However, it would be preferable if the "ssl: 'Amazon RDS'" setting worked as expected. Note that the mysql2 module worked as expected, and it seems this module is affected by the issue.

headseed commented 1 month ago

Hi @naorpeled and @RidwaanManuel,

Sorry for the delayed response...

Similarly to @RidwaanManuel, our programmatic solution in our Node.js v18 Lambdas was to use "ssl: { rejectUnauthorized: true }" instead of "ssl: 'Amazon RDS'". However, when we tested this same approach with our Node.js v20 Lambdas, we get an error. There is a workaround for that v20 issue as well, which is to add the Lambda environment variable "NODE_EXTRA_CA_CERTS" with value "var/runtime/ca-cert.pem" to each of our Lambdas.

But back to @RidwaanManuel's comment above, it would be preferable to have the "ssl: 'Amazon RDS'" setting working as expected once again, which worked perfectly for us the past year or two.

@CM96