Bug #115643 MysqlJs library to be updated for SSL option while connecting to "Amazon RDS"
Submitted: 18 Jul 20:00
Modified: 19 Jul 8:39
Reporter: Manoj Rajasekar
Status: Unsupported
Category: MySQL Cluster: Node.js client
Severity: S2 (Serious)
Version:
OS: Any
Assigned to:
CPU Architecture: Any
Tags: MySQL

[18 Jul 20:00] Manoj Rajasekar
Description:
We are currently using the mysqljs/mysql Node.js library to connect to a MySQL database hosted in the AWS environment. The database version we use is 5.7.mysql_aurora.2.11.5.

To connect to the database, we establish an SSL connection. The current CA we use is “rds-ca-2019,” which is expiring on August 22, 2024. We need to upgrade the CA to "rds-ca-rsa2048-g1." However, during this upgrade, we encounter the following error: "Unable to get local issuer certificate."

Upon investigation, we found that the SSL options described in the mysqljs/mysql library documentation for "Amazon RDS" refer to a certificate bundle. The current bundle does not include the "rds-ca-rsa2048-g1" certificate, causing the error. The SSL option "Amazon RDS" points to an outdated bundle link: "https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem." This link needs to be updated to the latest bundle provided by AWS for RDS instances: "https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem."

Can the library be updated to use the latest bundle so we can upgrade the CA on the RDS instance without any issues? Thank you.

How to repeat:
Try connecting to a MySQL RDS instance from Node.js using an SSL connection using this library, mysql (for Node.js). If you set SSL to 'Amazon RDS' and attempt to establish a connection using the MySQL library from Node.js to an RDS instance that uses "rds-ca-rsa2048-g1" as the CA, it will fail with the following message: "Unable to get local issuer certificate."

Suggested fix:
Please update the reference under the SSL options for "Amazon RDS" (in the mysql library: "https://github.com/mysqljs/mysql?tab=readme-ov-file#ssl-options") to point to the latest bundle used by RDS: "https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem" instead of the outdated "https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem", which lacks the certificate for the latest CA.
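One way to avoid depending on the library's built-in 'Amazon RDS' profile described in the report, as an added example (not code from the report or from the mysqljs project): load a locally saved copy of the AWS bundle and pass it as an explicit `ssl.ca` list, keeping certificate verification on. The function names, the host name and the sample PEM bodies are assumptions constructed for illustration.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Matches each certificate block inside a PEM bundle.
const PEM_CERT = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;

// Split a PEM bundle into individual certificates. Fails closed when none are
// found, so an empty or truncated download never becomes an empty trust list.
function loadCaBundle(bundlePath) {
  const certs = fs.readFileSync(bundlePath, 'utf8').match(PEM_CERT) || [];
  if (certs.length === 0) {
    throw new Error(`no PEM certificates found in ${bundlePath}`);
  }
  return certs;
}

// Return a copy of a mysqljs connection config whose `ssl` is an explicit CA
// list instead of the profile string 'Amazon RDS'. Verification stays enabled:
// setting rejectUnauthorized to false would hide the error by removing the check.
function withRdsTrustBundle(config, bundlePath) {
  const current = typeof config.ssl === 'object' && config.ssl !== null ? config.ssl : {};
  return {
    ...config,
    ssl: { ...current, ca: loadCaBundle(bundlePath), rejectUnauthorized: true },
  };
}

// Constructed sample: two placeholder PEM blocks standing in for a downloaded
// global-bundle.pem (the bodies are not real certificates).
function writeSampleBundle() {
  const block = (body) => `-----BEGIN CERTIFICATE-----\n${body}\n-----END CERTIFICATE-----\n`;
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'rds-ca-'));
  const file = path.join(dir, 'global-bundle.pem');
  fs.writeFileSync(file, block('Q09OU1RSVUNURUQx') + block('Q09OU1RSVUNURUQy'));
  return file;
}

// Hypothetical application config that still uses the built-in profile string.
const sampleConfig = withRdsTrustBundle(
  { host: 'db.example.invalid', user: 'app', ssl: 'Amazon RDS' },
  writeSampleBundle()
);
console.log(sampleConfig.ssl.ca.length, 'CA certificates loaded');
// With a real bundle on disk, pass the result to require('mysql').createConnection(...).
```

Because the CA list comes from a file you control, rotating the RDS instance to a new CA only requires refreshing that file, not a library release.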
[19 Jul 8:39] MySQL Verification Team
Hi Mr. Rajasekar,

Thank you for your bug report.

However, MySQL 5.7 has not been supported for quite a long time.

If you experience the same problems with 8.0 or higher versions, please create a new bug report.

Unsupported.