Getting Mysql2::Error (SSL connection error: ASN: bad other signature confirmation) on Heroku App with AWS RDS

Question

Mysql2::Error (SSL connection error: ASN: bad other signature confirmation):

I am making an administration site. The environment is Rails 4.2 and Ruby 2

Answer 1

For me, this had to do with the RDS SSL Certificate Rotation that happened on April 3rd, 2015.

However, in my case, just using the root certificate did not work, and I had to use a intermediate certificate for my region as well. Details:

1. Go into the AWS rds console and reboot your RDS instance.

2. Download the new root certificate https://s3.amazonaws.com/rds-downloads/rds-ca-2015-root.pem. Put it into the config directory of your app.

3. Download the intermediate certificate for your database region here. I had to use the US east one, but you will have to pick the one for your region.

4. This is the key step. You need to combine the intermediate certificate and the root certificate into one file so that the intermediate certificate is above the root certificate, forming a certificate chain. Open the intermediate certificate using a text editor, copy its contents, and paste them into config/rds-ca-2015-root.pem, on top, above the root cetrtificate. So, after you are done, config/rds-ca-2015-root.pem should be the intermediate certificate followed by the root certificate, all in this file.

5. Get your current database url heroku config and then look for the DATABASE_URL property

6. Update your database URL to use the new certificate file. All you should have to change is the name of the certificate (since its now called rds-ca-2015-root.pem)
   heroku config:add DATABASE_URL="mysql2://DB_NAME:DB_PASSWORD@DB_URL/DB_NAME?sslca=config/rds-ca-2015-root.pem"

7. Commit the changes and redeploy to Heroku. Good luck!

Answer 2

Four years later (2019) and AWS are rotating CA certs again, as expected.

RDS users are recommended to switch from the 2015 cert to the 2019 cert by 2019-11-01, and "no later than" 2020-02-05. The 2015 certificates expire on 2020-03-05.

I used the following procedure, based on RDS' Rotating Your SSL/TLS Certificate guide.

1. Schedule downtime
2. Download new certificates, save in config
   • Only the root cert is needed: rds-ca-2019-root.pem
   • The instructions mention a 2015+2019 bundle, but I couldn't find it. This file is 2019 only.
   • Region-specific intermediate certs are not needed
3. Commit, but don't deploy yet
4. heroku maintenance:on
5. In RDS web console, modify server
   • In the Network & Security section, choose rds-ca-2019
   • Apply changes immediately
6. Scale dynos down to 0
7. heorku config:set DATABASE_URL=mysql2://myuser:mypassword@myhost.rds.amazonaws.com/mydb?sslca=config/rds-ca-2019-root.pem
8. Deploy
9. Scale dynos up, watch logs
10. heroku maintenance:off

There are many reasonable variations on this procedure, this is just what worked for me. Hope it helps.