How to use the go-mysql-driver with ssl on aws with a mysql rds instance

huangapple
go评论79阅读模式
英文:

How to use the go-mysql-driver with ssl on aws with a mysql rds instance

问题

我有一个在AWS上运行的RDS实例,我想知道如何通过SSL连接到该实例。

根据这个链接使用SSL连接mysql数据库,AWS会为我们的数据库设置一个证书,并提供根证书供下载。
AWS rds根证书

现在,go-mysql-driver在他们的文档中提供了设置SSL连接的信息。

rootCertPool := x509.NewCertPool()
pem, err := ioutil.ReadFile("/path/ca-cert.pem")
if err != nil {
   log.Fatal(err)
}
if ok := rootCertPool.AppendCertsFromPEM(pem); !ok {
   log.Fatal("Failed to append PEM.")
}
clientCert := make([]tls.Certificate, 0, 1)
certs, err := tls.LoadX509KeyPair("/path/client-cert.pem", "/path/client-key.pem")
if err != nil {
   log.Fatal(err)
}
clientCert = append(clientCert, certs)
mysql.RegisterTLSConfig("custom", &tls.Config{
                         RootCAs: rootCertPool,
                         Certificates: clientCert,
                        })
db, err := sql.Open("mysql", "user@tcp(localhost:3306)/test?tls=custom")

示例表明我需要一个客户端证书和客户端密钥。

但是亚马逊只提供根证书。我如何使用它与go-mysql-driver连接到我的mysql实例?

英文:

I have a RDS instance running on AWS and I want to know how to connect to that instance over ssl.

From this link Using SSL with mysql database. AWS sets up our database registered with a certificate and provides the root certificate for download.
AWS rds root ca

Now the go-mysql-driver provides this information in there documentation to setup an ssl connection.

rootCertPool := x509.NewCertPool()
pem, err := ioutil.ReadFile("/path/ca-cert.pem")
if err != nil {
   log.Fatal(err)
}
if ok := rootCertPool.AppendCertsFromPEM(pem); !ok {
   log.Fatal("Failed to append PEM.")
}
clientCert := make([]tls.Certificate, 0, 1)
certs, err := tls.LoadX509KeyPair("/path/client-cert.pem", "/path/client-    key.pem")
if err != nil {
   log.Fatal(err)
}
clientCert = append(clientCert, certs)
mysql.RegisterTLSConfig("custom", &tls.Config{
                         RootCAs: rootCertPool,
                         Certificates: clientCert,
                        })
db, err := sql.Open("mysql", "user@tcp(localhost:3306)/test?tls=custom")

The example indicates that I need a client certificate and client key.

But amazon only provides the root certificate. How can I use that with go-mysql-driver to connect to my mysql instance?

答案1

得分: 11

我会为你翻译以下内容:

我想在之前的回答中添加一条评论,但是我的声望还不够高。这段代码对我来说是有效的:

    rootCertPool := x509.NewCertPool()
    pem, err := ioutil.ReadFile("/path/ca-cert.pem")
    if err != nil {
       log.Fatal(err)
    }
    if ok := rootCertPool.AppendCertsFromPEM(pem); !ok {
       log.Fatal("Failed to append PEM.")
    }
    mysql.RegisterTLSConfig("custom", &tls.Config{
                             ServerName: "qcaurora.cb556lynvxio.us-east-1.rds.amazonaws.com",
                             RootCAs: rootCertPool,
                            })
    db, err := sql.Open("mysql", "user:pass@tcp(qcrds.example.com:3306)/databasename?tls=custom")

与上述代码相比,唯一的更改是添加了ServerName字段。我还对用于CNAME DNS条目和使用密码的地址字段进行了澄清。如果你不使用CNAME到RDS,可以省略ServerName字段。

我正在使用go 1.11和go-sql-driver/mysql版本v1.4.1。

英文:

I'd add a comment to the previous answer, but my reputation isn't high enough. This is working for me:

    rootCertPool := x509.NewCertPool()
    pem, err := ioutil.ReadFile("/path/ca-cert.pem")
    if err != nil {
       log.Fatal(err)
    }
    if ok := rootCertPool.AppendCertsFromPEM(pem); !ok {
       log.Fatal("Failed to append PEM.")
    }
    mysql.RegisterTLSConfig("custom", &tls.Config{
                             ServerName: "qcaurora.cb556lynvxio.us-east-1.rds.amazonaws.com",
                             RootCAs: rootCertPool,
                            })
    db, err := sql.Open("mysql", "user:pass@tcp(qcrds.example.com:3306)/databasename?tls=custom")

The only change from the above is the addition of the ServerName field. I've also clarified the address field for use with a CNAME dns entry and using a password. If you don't use a CNAME to RDS, you could leave out the ServerName field.

I'm using go 1.11 with go-sql-driver/mysql version v1.4.1.

答案2

得分: 4

根据这里、这里和这里的文档,看起来你只需要将RootCAs的值设置为你从AWS获取的根证书。由于你没有使用客户端证书,所以不需要设置Certificates的值。所以代码应该类似于:

rootCertPool := x509.NewCertPool()
pem, err := ioutil.ReadFile("/path/ca-cert.pem")
if err != nil {
   log.Fatal(err)
}
if ok := rootCertPool.AppendCertsFromPEM(pem); !ok {
   log.Fatal("Failed to append PEM.")
}
mysql.RegisterTLSConfig("custom", &tls.Config{
                         RootCAs: rootCertPool,
                        })
db, err := sql.Open("mysql", "user@tcp(localhost:3306)/test?tls=custom")
英文:

From looking at the docs here and here and here, it looks like you simply need to set the RootCAs value to the root certificate you obtained from AWS. You don't need to set the Certificates value since you aren't using a client cert. So the code would look something like:

rootCertPool := x509.NewCertPool()
pem, err := ioutil.ReadFile("/path/ca-cert.pem")
if err != nil {
   log.Fatal(err)
}
if ok := rootCertPool.AppendCertsFromPEM(pem); !ok {
   log.Fatal("Failed to append PEM.")
}
mysql.RegisterTLSConfig("custom", &tls.Config{
                         RootCAs: rootCertPool,
                        })
db, err := sql.Open("mysql", "user@tcp(localhost:3306)/test?tls=custom")

huangapple
  • 本文由 发表于 2017年2月11日 00:06:59
  • 转载请务必保留本文链接:https://go.coder-hub.com/42163732.html
  • amazon-web-services
  • go
  • mysql
  • ssl
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定