与许多人一样,我已将我的 Amazon RDS 证书从 CA_2015 更新为 CA_2019。
起初一切似乎都很好,但后来检查时我发现我编写的用于查询数据库的 mysql lambda 函数不再起作用了。
Lambda 使用的是 nodejs 8.10
我收到以下错误:
{
"errorMessage": "unable to get local issuer certificate",
"errorType": "Error",
"stackTrace": [
"TLSSocket.<anonymous> (/var/task/node_modules/mysql2/lib/connection.js:383:46)",
"emitNone (events.js:106:13)",
"TLSSocket.emit (events.js:208:7)",
"TLSSocket._finishInit (_tls_wrap.js:639:8)",
"TLSWrap.ssl.onhandshakedone (_tls_wrap.js:469:38)"
]
}
当我将更改恢复回 CA_2015 时,它就可以正常工作了。
编写 lambda 函数时我没有放入任何证书之类的东西。
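'use strict'
const AWS = require('aws-sdk')
const mysql = require('mysql2')

// Database connection settings. No stored password: the handler below asks
// AWS.RDS.Signer for a short-lived IAM auth token and uses that instead.
// Declared with const so the module-level configuration cannot be reassigned
// by accident later in the file.
const dbPort = 3306
const dbUsername = 'enactor_lambda'
const dbName = 'rds_db_test'

// Deployment configuration comes from the Lambda environment. Each value is a
// string, or undefined when the variable is unset; the thresholds are not
// parsed or validated here.
const readerEndpoint = process.env.READER_ENDPOINT
const region = process.env.REGION
const topicArn = process.env.TOPIC_ARN
const alertBucket = process.env.ALERT_BUCKET
const queueThreshold = process.env.QUEUE_THRESHOLD
const pendingThreshold = process.env.PENDING_THRESHOLD

// The region is set on the global config before the clients are constructed,
// so the clients built below presumably inherit it.
AWS.config.update({ region: region })
const sns = new AWS.SNS()
const s3 = new AWS.S3()
const cloudwatch = new AWS.CloudWatch()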
exports.handler = function (event, context, cb) {
var signer = new AWS.RDS.Signer()
signer.getAuthToken({
region: region,
hostname: readerEndpoint,
port: dbPort,
username: dbUsername
}, function (err, token) {
if (err) {
console.log(`Unable to retrieve authentication token (AWS.RDS.Signer.getAuthToken): ${err}`)
cb(err)
} else {
var connection = mysql.createConnection({
host: readerEndpoint,
port: dbPort,
user: dbUsername,
password: token,
database: dbName,
ssl: 'Amazon RDS',
multipleStatements: true,
authSwitchHandler: function (data, cb) {
if (data.pluginName === 'mysql_clear_password') {
cb(null, Buffer.from(token + '\0'))
}
}
})
connection.connect()
答案1
在新证书合并进 mysql2 之前,你可以这样解决:下载新证书,用 COPY 把它添加到 Docker 镜像中,然后像下面这样加载。(报错 "unable to get local issuer certificate" 是因为 `ssl: 'Amazon RDS'` 使用的 mysql2 内置 CA 包里还没有 2019 根证书;显式指定 ca 可以在不关闭证书校验的情况下解决这个问题。)
const fs = require('fs')
// ...code...
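var connection = mysql.createConnection({
  host: readerEndpoint,
  port: dbPort,
  user: dbUsername,
  password: token,
  database: dbName,
  // Here's the change. Replace the path as appropriate.
  // Trusting the new RDS root explicitly replaces mysql2's built-in
  // 'Amazon RDS' bundle (which does not yet contain the 2019 root) while
  // leaving Node's default chain and hostname verification in force
  // (rejectUnauthorized stays true) - no need to weaken TLS to get past the
  // "unable to get local issuer certificate" error.
  ssl: { ca: fs.readFileSync(`${__dirname}/rds-ca-2019-root.pem`) },
  // NOTE(review): stacked statements widen the impact of any injection bug in
  // the queries this handler builds; keep only if they are really needed.
  multipleStatements: true,
  // The IAM auth token is handed over via mysql_clear_password (the token is
  // sent in the clear at protocol level, hence TLS above), NUL-terminated as
  // the plugin expects. The callback is renamed from `cb` so it does not shadow
  // the handler's own completion callback.
  authSwitchHandler: function (data, done) {
    if (data.pluginName === 'mysql_clear_password') {
      done(null, Buffer.from(token + '\0'))
      return
    }
    // Previously an unexpected plugin left the callback uncalled and the
    // connect attempt hanging; fail it explicitly instead.
    done(new Error(`Unsupported auth plugin: ${data.pluginName}`))
  }
})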