You can specify some mysql2 SSL parameters through the DATABASE_URL configuration. They will be added as dynamic database.yml elements that are generated during the Heroku build process, and therefore they will be passed in when mysql2 connections are created.
The only parameter you need to pass for this is sslca (not to be confused with sslcapath).
1. Download the Amazon RDS CA certificate and add it to your application.
(Edit) Amazon will rotate this certificate in March 2015. Instead, you will need a new file from this page.
curl https://s3.amazonaws.com/rds-downloads/mysql-ssl-ca-cert.pem > ./config/amazon-rds-ca-cert.pem
2. Add the file to git and redeploy to Heroku.
3. Change DATABASE_URL to pass sslca:
heroku config:add DATABASE_URL="mysql2://username:password@hostname/dbname?sslca=config/amazon-rds-ca-cert.pem" -a <app_id>
The relative path there is important - see below.
That's it! Now that SSL is working for you, you can require that all connections for this user use SSL:
GRANT USAGE ON dbname.* TO 'username'@'%' REQUIRE SSL;
Troubleshooting
Be sure to pass the relative path to sslca! Otherwise, rake assets:precompile may fail with an SSL error. If you receive an error message:
SSL connection error: ASN: bad other signature confirmation
or even just:
SSL connection error
... then there is probably something wrong with how it refers to the CA certificate file.
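A pre-deploy check for the sslca pitfalls described above (missing parameter, absolute path, unreadable or expired CA file), as an added example that is not part of the original answer. The function names are hypothetical, the relative path is assumed to resolve against the application root, and the certificate used in the demo is constructed on the fly rather than the real RDS CA.

```ruby
require "uri"
require "openssl"
require "tmpdir"
require "fileutils"

# Returns a list of problems with the sslca parameter of a DATABASE_URL.
# app_root: directory the relative sslca path is resolved against (assumption).
def sslca_problems(database_url, app_root, now = Time.now)
  params = URI.decode_www_form(URI.parse(database_url).query.to_s).to_h
  path = params["sslca"].to_s
  return ["DATABASE_URL has no sslca parameter"] if path.empty?
  problems = []
  problems << "sslca is an absolute path; pass it relative to the app root" if path.start_with?("/")
  full = File.expand_path(path, app_root)
  return problems << "#{path} not found under the app root" unless File.file?(full)
  begin
    # Only the first certificate in the file is inspected.
    cert = OpenSSL::X509::Certificate.new(File.read(full))
    problems << "CA certificate expired on #{cert.not_after.utc}" if cert.not_after < now
  rescue OpenSSL::X509::CertificateError
    problems << "#{path} is not a parseable X.509 certificate"
  end
  problems
end

# Constructed self-signed certificate standing in for the downloaded CA file.
def constructed_ca_pem(not_after)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=constructed test CA")
  cert.public_key = key.public_key
  cert.not_before = not_after - 3600
  cert.not_after = not_after
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert.to_pem
end

# Demo on constructed input: a relative path passes, an absolute one is flagged.
Dir.mktmpdir do |root|
  FileUtils.mkdir_p(File.join(root, "config"))
  File.write(File.join(root, "config/ca.pem"), constructed_ca_pem(Time.now + 86_400))
  url = "mysql2://username:password@hostname/dbname?sslca="
  p sslca_problems(url + "config/ca.pem", root)
  p sslca_problems(url + File.join(root, "config/ca.pem"), root)
end
```

Against a real application, call `sslca_problems(ENV["DATABASE_URL"], Dir.pwd)` from the application root before pushing.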