如何配置Sequalize以使用新的AWS RDS根证书RDS-CA-2019

时间:2019-12-15 21:04:38

标签: node.js amazon-web-services ssl sequelize.js amazon-rds

随着AWS更改其针对rds服务2019的根ssl证书,2015年以来的旧证书将失去其有效期03/2020。参见https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html

如何配置sequalize以使用新的rds-ca-2019证书?

// current sequalize aws rds configuration as of working with 2015 cert
var sequelizeConfig = {
  pool: {
    max: 10,
    min: 0,
    idle: 60000,
    port: 3306,
    host: mydomain.de,
    dialectOptions": {
      ssl: 'Amazon RDS'
    }
  },
}

我找不到使用sequalize 3.x

手动添加证书的任何选项

2 个答案:

答案 0 :(得分:3)

确保您更新到最新的节点mysql软件包,这将来可能会解决该问题。

截至目前,新的AWS rds-ca-2019 ca证书似乎尚未合并。 https://github.com/mysqljs/mysql/pull/2280

未经ca验证的临时修复程序:

var sequelizeConfig = {
  ...
  host: "xyz.rds.amazonaws.com",
  dialectOptions: {
    ssl: true
  }
}

并带有证书验证:

// get rds-ca-2019 certificate directly from aws https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem to ensure validity!!!
const fs = require('fs');
const rdsCa = fs.readFileSync(__dirname + '/rds-ca-2019-root.pem');

var sequelizeConfig = {
  ...
  host: "xyz.rds.amazonaws.com",
  dialectOptions: {
    ssl: {
      rejectUnauthorized: true,
      ca: [rdsCa]
    }
  }
}

thx @jarmod用于链接,而帖子"Best Security Practices for Amazon RDS with Sequelize" by soluto-nashville显示了解决方案

答案 1 :(得分:0)

我认为dialectOptions参数不应在pool内部定义,而应在外部定义。

像这样:

const sequelize = new Sequelize(dbname, username, password, {
  host: 'host name',
  dialect: 'mysql',
  dialectOptions: {
    ssl: 'Amazon RDS'
  },
  pool: {
    ...
  }
});

或类似这样:

const sequelize = new Sequelize(dbname, username, password, {
  host: 'host name',
  dialect: 'mysql',
  ssl: 'Amazon RDS'
  dialectOptions: {
    ...
  },
  pool: {
    ...
  }
});
相关问题
最新问题