TLS Connections to AWS RDS Aurora MySQL
cajund opened this issue · 0 comments
cajund commented
Hello:
What is the best solution to connect with this container to an Aurora MySQL host using TLS?
I've settled on an entrypoint.sh approach, such as:
#!/bin/sh
set -e
# Import the RDS CA bundle into a PKCS12 trust store (absolute path, matching the -v mount below)
keytool -keystore /flyway/keystore -alias "AWS RDS Aurora" -noprompt -trustcacerts -storepass "myStorePassword" -importcert -file /flyway/rds-combined-ca-bundle.pem
keytool -list -keystore /flyway/keystore -storepass "myStorePassword"
# No quote characters inside the value: the flyway launcher expands $JAVA_ARGS unquoted, so embedded quotes survive word splitting and become part of the path and password the JVM sees
export JAVA_ARGS="-Djava.security.egd=file:/dev/../dev/urandom -Djavax.net.ssl.trustStore=/flyway/keystore -Djavax.net.ssl.trustStorePassword=myStorePassword"
exec flyway "$@"
I run Flyway like this:
docker run --rm \
-e FLYWAY_USER=$DB_USER \
-e FLYWAY_PASSWORD=$DB_PASS \
-v $(pwd)/rds-combined-ca-bundle.pem:/flyway/rds-combined-ca-bundle.pem \
-v $(pwd)/build/entrypoint.sh:/flyway/entrypoint.sh \
-v $(pwd)/db:/flyway/sql \
--entrypoint=/flyway/entrypoint.sh \
redgate/flyway:latest migrate \
-url=$DB_URL \
-locations=$LOCATIONS \
-baselineOnMigrate="true"
The output from the entrypoint.sh script shows the cert is loaded up properly:
Certificate was added to keystore
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 1 entry
aws rds aurora, May 3, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): EB:BD:7E:AC:8B:02:17:12:95:35:ED:C5:2F:D6:D9:56:7D:42:4D:7E:B4:32:41:D8:35:26:FD:9C:46:6D:3F:40
But I can't seem to get past this error:
SQL State : 08000
Error Code : -1
Message : Could not connect to address=(host=db-cluster-dev.cluster-csj2gx7fvppg.us-west-2.rds.amazonaws.com)(port=3306)(type=master) : Could not connect to db-cluster-dev.cluster-csj2gx7fvppg.us-west-2.rds.amazonaws.com:3306 : No X509TrustManager implementation available
Caused by: java.sql.SQLNonTransientConnectionException: Could not connect to address=(host=flare-cluster-dev.cluster-csj2gx7fvppg.us-west-2.rds.amazonaws.com)(port=3306)(type=master) : Could not connect to flare-cluster-dev.cluster-csj2gx7fvppg.us-west-2.rds.amazonaws.com:3306 : No X509TrustManager implementation available
Caused by: java.sql.SQLNonTransientConnectionException: Could not connect to flare-cluster-dev.cluster-csj2gx7fvppg.us-west-2.rds.amazonaws.com:3306 : No X509TrustManager implementation available
Caused by: javax.net.ssl.SSLHandshakeException: No X509TrustManager implementation available
Caused by: java.security.cert.CertificateException: No X509TrustManager implementation available
Any suggestions?
Thanks.
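Two details of the script above matter for the error it produces. First, `keytool -importcert` imports only the first certificate of a multi-certificate PEM file, which is why the listing shows exactly one entry even though the RDS bundle carries several CAs. Second, the JDK's SunJSSE swallows a failure to initialise the default TrustManagerFactory from the `javax.net.ssl.trustStore*` properties (unreadable store, wrong password, wrong store type) and installs a dummy trust manager that rejects every handshake with exactly "No X509TrustManager implementation available"; that message therefore means the trust store could not be loaded, not that the Aurora certificate was checked and found untrusted. Quote characters embedded in `JAVA_ARGS`, as in the single-quoted export above, are one way to end up with a path the JVM cannot open. The entrypoint below is an added example, not code from the issue or from the Flyway project: it splits the bundle so every CA is imported under its own alias, verifies the store opens with the configured password before starting the JVM, and builds the JVM properties without embedded quotes. The paths, the `RDS_CA_BUNDLE`/`TRUSTSTORE`/`TRUSTSTORE_PASSWORD` variable names, the `rds-ca-N` alias scheme and the default password are assumptions; the `flyway` launcher honouring `JAVA_ARGS` is taken from the issue itself.

```shell
#!/bin/sh
# Added example entrypoint for the redgate/flyway image (not from the original issue).
# Assumed locations and names; override them with environment variables.
set -eu

BUNDLE="${RDS_CA_BUNDLE:-/flyway/rds-combined-ca-bundle.pem}"
STORE="${TRUSTSTORE:-/flyway/keystore}"
STOREPASS="${TRUSTSTORE_PASSWORD:-myStorePassword}"

# Split a PEM bundle into one file per certificate under directory $2 and print the count.
# keytool -importcert reads only the first certificate of a multi-cert file, so importing
# the bundle as a single file silently drops every CA after the first.
split_pem_bundle() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%03d.pem", dir, n) }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
    ' "$bundle"
    ls "$outdir" | wc -l | tr -d ' '
}

# Import every certificate from the bundle into a PKCS12 store, one alias per CA.
import_bundle() {
    bundle="$1"; store="$2"; pass="$3"
    tmp="$(mktemp -d)"
    n="$(split_pem_bundle "$bundle" "$tmp")"
    i=0
    for f in "$tmp"/cert-*.pem; do
        [ -e "$f" ] || continue
        i=$((i + 1))
        keytool -importcert -noprompt -trustcacerts -keystore "$store" -storetype PKCS12 \
            -storepass "$pass" -alias "rds-ca-$i" -file "$f"
    done
    rm -rf "$tmp"
    echo "$n"
}

# JVM trust-store properties as one string with no quote characters inside it. The flyway
# launcher expands $JAVA_ARGS unquoted, so quotes in the value are not removed by the shell;
# they become part of the path and password and the JVM cannot open the store.
java_truststore_args() {
    printf '%s' "-Djavax.net.ssl.trustStore=$1 -Djavax.net.ssl.trustStorePassword=$2"
}

# Fail fast before the JVM does: the store must be a readable file and, when keytool is
# available, must open with the given password (a wrong password is swallowed by the JDK
# and surfaces later only as "No X509TrustManager implementation available").
check_truststore() {
    store="$1"; pass="$2"
    [ -r "$store" ] || { echo "trust store not readable: $store" >&2; return 1; }
    if command -v keytool >/dev/null 2>&1; then
        keytool -list -keystore "$store" -storepass "$pass" >/dev/null 2>&1 \
            || { echo "trust store cannot be opened (password or store type?): $store" >&2; return 1; }
    fi
    return 0
}

# Only act as an entrypoint when Flyway arguments were given (e.g. "migrate -url=...").
if [ "$#" -gt 0 ]; then
    import_bundle "$BUNDLE" "$STORE" "$STOREPASS" >/dev/null
    check_truststore "$STORE" "$STOREPASS"
    JAVA_ARGS="-Djava.security.egd=file:/dev/../dev/urandom $(java_truststore_args "$STORE" "$STOREPASS")"
    export JAVA_ARGS
    exec flyway "$@"
fi
```

Mount this in place of the original entrypoint.sh and run the same `docker run` command; `keytool -list` will then show one `trustedCertEntry` per CA in the bundle. If the driver Flyway picks up is MariaDB Connector/J 3.x (the `(type=master)` wording in the stack trace is that driver's format), the keystore step can be skipped altogether by appending `sslMode=verify-full&serverSslCert=/flyway/rds-combined-ca-bundle.pem` to the JDBC URL, since that driver reads a PEM file directly. Whichever route is used, fetch the current bundle from AWS: `rds-combined-ca-bundle.pem` predates the rds-ca-rsa2048-g1 CA that newer clusters are issued from, and AWS now publishes `global-bundle.pem` and per-region bundles that include it.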