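The Amazon RDS documentation (http://aws.amazon.com/rds/faqs/#53) states: "Amazon RDS generates an SSL certificate for each [MySQL] DB Instance". I haven't been able to find any documentation on how to find the certificates, and the certificates are nowhere to be found in the management console. How do I get hold of the MySQL Amazon RDS certificate?
Where are the certificates?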
I found the solution here: https://forums.aws.amazon.com/thread.jspa?threadID=62110. From there:
curl -O https://s3.amazonaws.com/rds-downloads/mysql-ssl-ca-cert.pem
mysql -uusername -p --host=host --ssl-ca=mysql-ssl-ca-cert.pem
mysql> SHOW STATUS LIKE 'Ssl_cipher';
+---------------+------------+
| Variable_name | Value      |
+---------------+------------+
| Ssl_cipher    | AES256-SHA |
+---------------+------------+
1 row in set (0.00 sec)
mysql> ALTER USER 'username'@'host|%' REQUIRE SSL
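You can get the AWS RDS certificate file information from the AWS documentation guide itself
http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_MySQL.html
Download the certificate from here
https://rds.amazonaws.com/doc/mysql-ssl-ca-cert.pem
Update - Amazon has updated the SSL certificate; you can download it from here: http://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem
Use the following command to log in to MySQL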
[email protected]:/usr/src# mysql -h awssathish.xxyyzz.eu-west-1.rds.amazonaws.com -u awssathish -p --ssl-ca=mysql-ssl-ca-cert.pem
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 22
Server version: 5.6.13-log MySQL Community Server (GPL)
Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
mysql> GRANT USAGE ON *.* TO 'awssathish'@'%' REQUIRE SSL;
Query OK, 0 rows affected (0.02 sec)
mysql>
mysql> show variables like "%ssl";
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_openssl | YES |
| have_ssl | YES |
+---------------+-------+
2 rows in set (0.00 sec)
mysql>
mysql> SHOW STATUS LIKE 'Ssl_cipher';
+---------------+------------+
| Variable_name | Value |
+---------------+------------+
| Ssl_cipher | AES256-SHA |
+---------------+------------+
1 row in set (0.01 sec)
mysql> exit
Bye
Where awssathish.xxyyzz.eu-west-1.rds.amazonaws.com is the RDS endpoint and awssathish is the username on the RDS server.
I used http://aws-blog.io/2016/rds-over-ssl/. You have to get the root pem and the pem for your region, and combine the 2 files into one. https://s3.amazonaws.com/rds-downloads/rds-ca-2015-us-west-2.pem https://s3.amazonaws.com/rds-downloads/rds-ca-2015-root.pem
Merging the files gives you an rds-ca-2015-us-west-2-bundle.pem file. Provide the full path to your pem file with --ssl-ca.
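For those who may run into the same problem, my path to the .pem file would fail whenever I had a ~ in it (e.g. ~/Downloads/mysql-ssl-ca-cert.pem). I had to do --ssl_ca=/Users/myusername/Downloads/mysql-ssl-ca-cert.pem. The error with ~ was: ERROR 2026 (HY000): SSL connection error: ASN: bad other signature confirmation – jlpp
Amazon's certificate expired on April 4, 2015, and I can't see any update. If anyone has a new URL, please share. – igorsales
Yes, I just updated the certificate from this address: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html –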
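
The bundle-merging step from the answer above and the `~` path failure reported in the comments, as an added example that is not part of the original thread: a POSIX shell helper (the function names `abs_path`, `count_certs` and `make_ca_bundle` are hypothetical) that checks each downloaded file holds complete PEM certificate blocks, concatenates them, and prints an absolute path to pass to `--ssl-ca`. It checks only the PEM markers, not certificate validity or expiry.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Make a path absolute, expanding a leading "~/" ourselves so that the
# mysql client never receives a literal "~".
abs_path() {
    case "$1" in
        '~/'*) printf '%s\n' "$HOME/${1#??}" ;;   # drop the two chars "~/"
        /*)    printf '%s\n' "$1" ;;
        *)     printf '%s\n' "$PWD/$1" ;;
    esac
}

# Print how many complete certificate blocks a PEM file holds; fail if
# there are none or the BEGIN/END markers do not pair up.
count_certs() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    b=$(grep -c -e '^-----BEGIN CERTIFICATE-----' "$1" || true)
    e=$(grep -c -e '^-----END CERTIFICATE-----' "$1" || true)
    if [ "$b" -eq 0 ] || [ "$b" -ne "$e" ]; then
        echo "$1: not a PEM certificate file" >&2; return 1
    fi
    printf '%s\n' "$b"
}

# make_ca_bundle OUT IN...: validate every input, concatenate them into
# OUT, and print OUT's absolute path for use as --ssl-ca=<path>.
make_ca_bundle() {
    [ "$#" -ge 2 ] || { echo "usage: make_ca_bundle OUT IN..." >&2; return 1; }
    out=$(abs_path "$1"); shift
    tmp="$out.tmp.$$"
    : > "$tmp" || return 1
    for f in "$@"; do
        f=$(abs_path "$f")
        count_certs "$f" >/dev/null || { rm -f "$tmp"; return 1; }
        # awk ends every line with "\n" and strips "\r", so one file's END
        # marker never runs into the next file's BEGIN marker.
        awk '{ sub(/\r$/, ""); print }' "$f" >> "$tmp"
    done
    mv "$tmp" "$out" && printf '%s\n' "$out"
}

# Usage: sh bundle.sh OUT.pem region.pem root.pem
if [ "$#" -ge 2 ]; then
    make_ca_bundle "$@"
fi
```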