We’re trying to get an RDS mysql database registered with our dev env Vault instance (running in DEV mode).
It works as expected if the DB doesn’t require a tls connection at the DBMS level but if it does, we need to add tls=true to the connection string. When we do that, it throws this error
- error creating database object: error verifying - ping: tls: failed to verify certificate: x509: certificate signed by unknown authority
Our cli command looks like this (with obvious redactions)
vault write database/config/mysql \
plugin_name=mysql-rds-database-plugin \
allowed_roles="*" \
connection_url="{{username}}:{{password}}@tcp(myrdsdb.alphabetsoup.us-east-1.rds.amazonaws.com:3306)/defaultdb?tls=true&ssl-mode=required" \
username="fakeUser" \
password="notTheRealPassword"
Note: setting the ssl-mode=required parameter was our attempt to “trust” the server cert, but that didn’t help.
Further note: we can get this to work using jdbc, and the mysql client directly, but for some reason the mysql plugin doesn’t love us.
Does anyone know the blindingly obvious thing we’re missing?
I am not too familiar with AWS RDS, so hopefully someone else can chime in, but it looks like you have to download a CA Cert from Amazon. It seems they self-sign their RDS certs, but you can download the CA Cert so that applications can trust it.
- Choose the certificate authority (CA) that signs the DB server certificate, for your database. For more information about certificate authorities, see Certificate authorities.
- Download a certificate bundle to use when you are connecting to the database. To download a certificate bundle, see Certificate bundles by AWS Region.
Then take a look at this Vault documentation as the plugin supports using MySQL’s x509 Client-side Certificate Authentication.
vault write database/config/example \
plugin_name=mysql-rds-database-plugin \
... # omitted
tls_certificate_key=@/path/to/client.pem \
tls_ca=@/path/to/client.ca
Hey @michaelkosir - thanks a ton for chiming in. Your input helped clarify our thinking and got us to a resolution.
Turns out we had to do something like this (PowerShell code):
$caContent = Get-Content -Path "C:\Users\myID.certificates\us-east-1-bundle.pem" -Raw
vault write database/config/mysql `
plugin_name=mysql-rds-database-plugin `
allowed_roles="*" `
tls_ca=$caContent `
connection_url="{{username}}:{{password}}@tcp(fakemysqlinstance.alphabetsoup.us-east-1.rds.amazonaws.com:3306)/defaultdb?ssl=true" `
username="nottheuser" `
password="myfakepwd"
The key here is that the tls_ca parameter doesn't take a file; it requires the actual contents of the PEM. We couldn't use the RDS global-bundle.pem file since that has way too many certs in it, so we had to use the region bundle.
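The error in the opening post is Go's own certificate-verification message, and the fix both replies converge on (handing the plugin the CA PEM through tls_ca) works because a Go client then builds its trust pool from that PEM instead of the operating system's trust store. The program below is an added example, not code from this thread or from Vault or the RDS plugin: it generates a throwaway CA and a server certificate signed by it (constructed locally, not Amazon's certificates), then shows the two outcomes side by side. Verifying against system roots only, which is what a bare tls=true gets you, fails with "certificate signed by unknown authority"; verifying against a pool parsed from the CA PEM succeeds; and a tls_ca-style value that is a file path rather than PEM text is rejected because it contains no certificate block. The function names (newPKI, poolFromPEM, probe, isUnknownAuthority) are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newPKI generates a throwaway CA plus a server certificate signed by it.
// Constructed for this example only: it stands in for the RDS regional
// bundle and the RDS server certificate, not Amazon's real material.
func newPKI() (caPEM []byte, server tls.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, server, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-regional-ca"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, server, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, server, err
	}
	srvKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, server, err
	}
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "db.example.internal"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)}, // probe dials loopback
	}
	srvDER, err := x509.CreateCertificate(rand.Reader, srvTmpl, caCert, &srvKey.PublicKey, caKey)
	if err != nil {
		return nil, server, err
	}
	caPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	server = tls.Certificate{Certificate: [][]byte{srvDER}, PrivateKey: srvKey}
	return caPEM, server, nil
}

// poolFromPEM does what a CA-pinning option such as tls_ca needs: it parses
// the PEM text itself into a trust pool. A path string or an empty value has
// no CERTIFICATE block and is rejected up front.
func poolFromPEM(caPEM []byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("tls_ca value has no CERTIFICATE block: pass the PEM contents, not a file path")
	}
	return pool, nil
}

// probe runs a one-shot TLS server on loopback presenting serverCert and has a
// client verify it against roots; nil roots means the system trust store, which
// is all a bare tls=true connection uses. The client's handshake error is returned.
func probe(serverCert tls.Certificate, roots *x509.CertPool) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert}})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		conn.(*tls.Conn).Handshake() // server side; a client rejection arrives here as an alert
		conn.Close()
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: roots})
	if err != nil {
		return err
	}
	return conn.Close()
}

// isUnknownAuthority reports whether err is the chain-building failure behind
// the message quoted in the thread.
func isUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	caPEM, server, err := newPKI()
	if err != nil {
		panic(err)
	}
	err = probe(server, nil)
	fmt.Printf("system roots only (tls=true): %v (unknown authority: %t)\n", err, isUnknownAuthority(err))
	pool, err := poolFromPEM(caPEM)
	if err != nil {
		panic(err)
	}
	fmt.Printf("CA pool from PEM (tls_ca): %v\n", probe(server, pool))
	_, err = poolFromPEM([]byte("C:\\certs\\us-east-1-bundle.pem")) // path, not PEM text
	fmt.Printf("path instead of PEM: %v\n", err)
}
```

The same pool-from-PEM step is why a bundle with many certificates is not wrong in itself (AppendCertsFromPEM adds every CERTIFICATE block it finds); what matters is that the value reaching the plugin is PEM text whose chain includes the CA that signed the server certificate for your region.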