使用 MySQL Lambda 更新 Amazon RDS 证书 SSL 问题

tag-icon tag-icon amazon-web-services ssl ssl-certificate amazon-rds amazon-lambda
使用 MySQL Lambda 更新 Amazon RDS 证书 SSL 问题

与许多人一样,我已将我的 Amazon RDS 证书从 CA_2015 更新为 CA_2019。

起初一切似乎都很好,但后来检查时我发现我编写的用于查询数据库的 mysql lambda 函数不再起作用了。

Lambda 使用的是 nodejs 8.10

我收到以下错误:

{
    "errorMessage": "unable to get local issuer certificate",
    "errorType": "Error",
    "stackTrace": [
        "TLSSocket.<anonymous> (/var/task/node_modules/mysql2/lib/connection.js:383:46)",
        "emitNone (events.js:106:13)",
        "TLSSocket.emit (events.js:208:7)",
        "TLSSocket._finishInit (_tls_wrap.js:639:8)",
        "TLSWrap.ssl.onhandshakedone (_tls_wrap.js:469:38)"
    ]
}

当我将更改恢复回 CA_2015 时,它就可以正常工作了。

在编写 lambda 函数时我没有放任何证书或任何东西。

 'use strict'

const AWS = require('aws-sdk')
const mysql = require('mysql2')

var dbPort = 3306
var dbUsername = 'enactor_lambda'
var dbName = 'rds_db_test'

var readerEndpoint = process.env.READER_ENDPOINT
var region = process.env.REGION
var topicArn = process.env.TOPIC_ARN
var alertBucket = process.env.ALERT_BUCKET
var queueThreshold = process.env.QUEUE_THRESHOLD
var pendingThreshold = process.env.PENDING_THRESHOLD

AWS.config.update({region: region})
var sns = new AWS.SNS()
var s3 = new AWS.S3()
var cloudwatch = new AWS.CloudWatch()

exports.handler = function (event, context, cb) {
  var signer = new AWS.RDS.Signer()

  signer.getAuthToken({
    region: region,
    hostname: readerEndpoint,
    port: dbPort,
    username: dbUsername
  }, function (err, token) {
    if (err) {
      console.log(`Unable to retrieve authentication token (AWS.RDS.Signer.getAuthToken): ${err}`)
      cb(err)
    } else {
      var connection = mysql.createConnection({
        host: readerEndpoint,
        port: dbPort,
        user: dbUsername,
        password: token,
        database: dbName,
        ssl: 'Amazon RDS',
        multipleStatements: true,
        authSwitchHandler: function (data, cb) {
          if (data.pluginName === 'mysql_clear_password') {
            cb(null, Buffer.from(token + '\0'))
          }
        }
      })

      connection.connect()

答案1

直到新证书合并到 mysql2,你可以解决这个问题下载新证书COPY将其添加到 Docker 镜像中,然后正在加载类似于

const fs = require('fs')

// ...code...

var connection = mysql.createConnection({
  host: readerEndpoint,
  port: dbPort,
  user: dbUsername,
  password: token,
  database: dbName,
  // Here's the change. Replace the path as appropriate.
  ssl: { ca: fs.readFileSync(__dirname + '/rds-ca-2019-root.pem') },
  multipleStatements: true,
  authSwitchHandler: function (data, cb) {
    if (data.pluginName === 'mysql_clear_password') {
      cb(null, Buffer.from(token + '\0'))
    }
  }
})

相关内容