
ERR_TLS_CERT_ALTNAME_INVALID error when using CNAME as host name for RDS connection #2172

Open
pawelusfr opened this issue Aug 14, 2023 · 6 comments · May be fixed by #2295

Comments

@pawelusfr

We have a CNAME set in Route53 for our RDS cluster. When using that CNAME as host for MySQL connection we are getting ERR_TLS_CERT_ALTNAME_INVALID error (Hostname/IP does not match certificate's altnames).

SSL option in configuration is set to ssl: 'Amazon RDS'.

This is because the certificate from RDS doesn't have the CNAME listed as altname and AFAIK there is no way to do that in RDS.

This was working fine in mysql2 3.5.0 and broke in 3.5.1 with #2119 and the switch to Tls.connect.

@sidorares
Owner

Are you able to connect if you set rejectUnauthorized to false?

Is the error coming from

if (serverIdentityCheckError) {
  onSecure(serverIdentityCheckError);
  return;
}
or from
if (secureEstablished) {
?

@sidorares
Owner

Maybe we need to add SNICallback to handle your scenario

@pawelusfr
Author

Yes I can connect with rejectUnauthorized: false.

The error is coming from

if (secureEstablished) {

One possible workaround would be allowing to pass custom checkServerIdentity function to Tls.connect() (I did a quick check and it will connect if that custom function allows it). This way clients could write their own identity handling for such cases (I believe that's what e.g. pg allows for Postgres).
Though it couldn't be used in conjunction with ssl: 'Amazon RDS' as one would have to pass an object to ssl. That means the client would need a string version of the Amazon certs. Maybe you could add an export of it from mysql2 for such cases?

@sidorares
Owner

sidorares commented Aug 16, 2023

I'm actually thinking to deprecate "Amazon RDS" and move it to a separate package, something along the lines of

import mysql from "mysql2";                          // default export provides createConnection
import amazonRdsSslProfile from "amozon-rds-certs";  // package name TBD

const conn = mysql.createConnection({
   ssl: {
      ...amazonRdsSslProfile,
      checkServerIdentity: () => null,               // skips the hostname/altname check entirely
   }
});

Maybe you could add an export of it from mysql2 for such cases?
I'd rather go with separate package, not worth exporting if there is a plan to deprecate built in bundle

What needs to be done:

  • publish a "rds profile only" package ( with updated certs from Update Amazon RDS SSL CA cert #2131 )
  • use a "rds profile only" package as a dependency
  • add a warning when "Amazon RDS" string is passed as ssl parameter, with instructions on how to switch to external package ( minor version )
  • remove "rds profile only" package dependency, throw an error when "Amazon RDS" string is passed as ssl parameter, with instructions on how to switch to external package ( major version )

@sidorares
Owner

@dougwilson wdyt about above, with profile repo under mysqljs org, and mysqjs/mysql referencing it in a similar way ( with similar deprecation steps )

@dougwilson
Collaborator

Hi @sidorares that is a good idea! Sorry I was away, but I am just getting back now and replying to issues 😅. I'll actually set it up here this weekend. I figure it just is an export of the list in the same format Node.js accepts, of course.
