Description:
We are currently using the mysqljs/mysql Node.js library to connect to a MySQL database hosted in the AWS environment. The database version we use is 5.7.mysql_aurora.2.11.5.
To connect to the database, we establish an SSL connection. The current CA we use is "rds-ca-2019", which is expiring on August 22, 2024. We need to upgrade the CA to "rds-ca-rsa2048-g1". However, during this upgrade, we encounter the following error: "Unable to get local issuer certificate".
Upon investigation, we found that the SSL options described in the mysqljs/mysql library documentation for "Amazon RDS" refer to a certificate bundle. The current bundle does not include the "rds-ca-rsa2048-g1" certificate, causing the error. The SSL option "Amazon RDS" points to an outdated bundle link: "https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem". This link needs to be updated to the latest bundle provided by AWS for RDS instances: "https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem".
Can the library be updated to use the latest bundle so we can upgrade the CA on the RDS instance without any issues? Thank you.
How to repeat:
Try connecting to a MySQL RDS instance from Node.js over an SSL connection using this library, mysql (for Node.js). If you set SSL to 'Amazon RDS' and attempt to establish a connection using the MySQL library from Node.js to an RDS instance that uses "rds-ca-rsa2048-g1" as the CA, it will fail with the following message: "Unable to get local issuer certificate".
Suggested fix:
Please update the reference under the SSL options for "Amazon RDS" (in the mysql library: "https://github.com/mysqljs/mysql?tab=readme-ov-file#ssl-options") to point to the latest bundle used by RDS: "https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem", instead of the outdated "https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem", which lacks the certificate for the latest CA.
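
Until the built-in profile is refreshed, the trust anchors can be passed explicitly through the library's `ssl` object instead of the 'Amazon RDS' string. The following is an added example, not code from the report or from mysqljs/mysql; it assumes the current AWS bundle has already been downloaded to a local file, and `splitPemBundle`, `buildSslOption` and the placeholder bundle are hypothetical names and constructed data.

```javascript
const fs = require('fs');

// Matches each PEM certificate block in a concatenated CA bundle.
const PEM_CERT = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;

// Constructed placeholder bundle (NOT real certificates), used only to
// exercise the splitting logic offline.
const CONSTRUCTED_BUNDLE = [
  '-----BEGIN CERTIFICATE-----\nPLACEHOLDERCERT1\n-----END CERTIFICATE-----',
  '-----BEGIN CERTIFICATE-----\nPLACEHOLDERCERT2\n-----END CERTIFICATE-----',
].join('\n');

// Split a PEM bundle into its individual certificate blocks.
function splitPemBundle(pemText) {
  return pemText.match(PEM_CERT) || [];
}

// Build the `ssl` option for mysql.createConnection() from a bundle on disk.
// Fails early when the file holds no certificates, so a truncated download
// or an error page saved as .pem is caught before any connection attempt.
function buildSslOption(bundlePath) {
  const certs = splitPemBundle(fs.readFileSync(bundlePath, 'utf8'));
  if (certs.length === 0) {
    throw new Error(`no PEM certificates found in ${bundlePath}`);
  }
  // Keep certificate verification on; only the trust anchors change.
  return { ca: certs, rejectUnauthorized: true };
}

// Usage with the library (host, user and path are placeholders):
// const mysql = require('mysql');
// const conn = mysql.createConnection({
//   host: 'DB_HOST_PLACEHOLDER',
//   user: 'DB_USER_PLACEHOLDER',
//   ssl: buildSslOption('/path/to/global-bundle.pem'),
// });
```

Setting `rejectUnauthorized: false` would also make the error disappear, but it disables server certificate verification entirely, so replacing the bundle is the fix to prefer.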