
ERR_TLS_CERT_ALTNAME_INVALID error when using CNAME as host name for RDS connection #2172

Open

Description

@pawelusfr

We have a CNAME set in Route53 for our RDS cluster. When using that CNAME as host for MySQL connection we are getting ERR_TLS_CERT_ALTNAME_INVALID error (Hostname/IP does not match certificate's altnames).

SSL option in configuration is set to ssl: 'Amazon RDS'.

This is because the certificate from RDS doesn't have the CNAME listed as altname and AFAIK there is no way to do that in RDS.

This was working fine in mysql2 3.5.0 and broke in 3.5.1 with #2119 and the switch to Tls.connect.

Activity


sidorares commented on Aug 15, 2023

Owner

Are you able to connect if you set rejectUnauthorized to false?

Is the error coming from

    if (serverIdentityCheckError) {
      onSecure(serverIdentityCheckError);
      return;

or from

    if (secureEstablished) {

?


sidorares commented on Aug 15, 2023

Owner

Maybe we need to add SNICallback to handle your scenario


pawelusfr commented on Aug 16, 2023

Author

Yes I can connect with rejectUnauthorized: false.

The error is coming from

    if (secureEstablished) {

One possible workaround would be allowing a custom checkServerIdentity function to be passed to Tls.connect() (I did a quick check and it will connect if that custom function allows it). This way clients could write their own identity handling for such cases (I believe that's what e.g. pg allows for Postgres).

Though it couldn't be used in conjunction with ssl: 'Amazon RDS', as one would have to pass an object to ssl. That means the client would need a string version of the Amazon certs. Maybe you could add an export of it from mysql2 for such cases?


sidorares commented on Aug 16, 2023

Owner

I'm actually thinking to deprecate "Amazon RDS" and move it to a separate package, something along the lines of

    import amazonRdsSslProfile from "amazon-rds-certs";  // package name TBD

    const conn = mysql.createConnection({
      ssl: {
        ...amazonRdsSslProfile,
        // overrides Node's default host name check (disables altname matching)
        checkServerIdentity: () => null,
      }
    });

Maybe you could add an export of it from mysql2 for such cases?

I'd rather go with a separate package, not worth exporting if there is a plan to deprecate the built-in bundle

What needs to be done:

  • publish a "rds profile only" package (with updated certs from Update Amazon RDS SSL CA cert #2131)
  • use a "rds profile only" package as a dependency
  • add a warning when "Amazon RDS" string is passed as ssl parameter, with instructions on how to switch to external package (minor version)
  • remove "rds profile only" package dependency, throw an error when "Amazon RDS" string is passed as ssl parameter, with instructions on how to switch to external package (major version)

sidorares commented on Aug 16, 2023

Owner

@dougwilson wdyt about the above, with the profile repo under the mysqljs org, and mysqljs/mysql referencing it in a similar way (with similar deprecation steps)


dougwilson commented on Sep 15, 2023

Collaborator

Hi @sidorares, that is a good idea! Sorry I was away, but I am just getting back now and replying to issues 😅. I'll actually set it up here this weekend. I figure it is just an export of the list in the same format Node.js accepts, of course.


ksze commented on May 8, 2025


Any update?
