
As AWS changes their root SSL cert for RDS services in 2019, the old certificate from 2015 loses its validity in 03/2020. See https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html

How do I configure Sequelize to use the new rds-ca-2019 certificate?

// current Sequelize AWS RDS configuration, working with the 2015 cert
var sequelizeConfig = {
  ...
  host: "xyz.rds.amazonaws.com",
  dialectOptions: {
    ssl: 'Amazon RDS'
  }
}

I could not figure out any option for adding a certificate manually using Sequelize 3.x.

Manuel
  • Why do you need to configure it manually? – Arun Kamalanathan Dec 15 '19 at 22:01
  • 1
    If you want to validate the cert, see https://medium.com/soluto-nashville/best-security-practices-for-amazon-rds-with-sequelize-600a8b497804 – jarmod Dec 15 '19 at 22:13
  • Thank you @jarmod, the blog post seems to contain the solution with the ca option. Gonna try out within the next days. – Manuel Dec 23 '19 at 09:03
  • @ArunK the CA root cert changes, thus the app needs to know the new public key as of my understanding, otherwise it will not be able to connect to the DB any more. Not sure where Sequelize gets the cert from? Or do you think it is obtaining it automatically? – Manuel Dec 23 '19 at 09:06
  • thx jarmod, the post provided solution – Manuel Jan 06 '20 at 19:50

2 Answers


Ensure you update to the latest node mysql package; this may resolve the issue in the future.

As of now, the new AWS rds-ca-2019 CA certificate does not seem to have been merged yet: https://github.com/mysqljs/mysql/pull/2280

A temporary fix without ca validation:

var sequelizeConfig = {
  ...
  host: "xyz.rds.amazonaws.com",
  dialectOptions: {
    ssl: true
  }
}

and with certificate validation:

// get rds-ca-2019 certificate directly from aws https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem to ensure validity!!!
const fs = require('fs');
const rdsCa = fs.readFileSync(__dirname + '/rds-ca-2019-root.pem');

var sequelizeConfig = {
  ...
  host: "xyz.rds.amazonaws.com",
  dialectOptions: {
    ssl: {
      rejectUnauthorized: true,
      ca: [rdsCa]
    }
  }
}

thx @jarmod for linking the post "Best Security Practices for Amazon RDS with Sequelize" by soluto-nashville, which shows the solution

Manuel

I think the dialectOptions parameter should not be defined inside the pool but outside.

like this:

const sequelize = new Sequelize(dbname, username, password, {
  host: 'host name',
  dialect: 'mysql',
  dialectOptions: {
    ssl: 'Amazon RDS'
  },
  pool: {
    ...
  }
});

or like this:

const sequelize = new Sequelize(dbname, username, password, {
  host: 'host name',
  dialect: 'mysql',
  ssl: 'Amazon RDS',
  dialectOptions: {
    ...
  },
  pool: {
    ...
  }
});
Arun Kamalanathan
  • Which method did you try? – Arun Kamalanathan Dec 15 '19 at 22:29
  • As of my code both configuration options seem to work, however if I change my rds to the new cert I think I need to tell the node app the new root cert. I think the blog post linked by @jarmod contains the solution with the ca config parameter. I will try out within the next days. – Manuel Dec 23 '19 at 09:09
  • Copying the configuration to Stack Overflow caused the incorrectness. I corrected my configuration; the issue came from the mysql package though. – Manuel Jan 06 '20 at 19:52