You can specify some mysql2 SSL parameters through the DATABASE_URL configuration. They will be added as dynamic database.yml elements that are generated during the Heroku build process, and therefore they will be passed in when mysql2 connections are created. The only parameter you need to pass for this is sslca (not to be confused with sslcapath).
1. Download the Amazon RDS CA certificate and add it to your application.
(Edit) Amazon will rotate this certificate in March 2015. Instead, you will need a new file from this page.
curl https://s3.amazonaws.com/rds-downloads/mysql-ssl-ca-cert.pem > ./config/amazon-rds-ca-cert.pem
2. Add the file to git and reinstall it on Heroku.
3. Change DATABASE_URL to pass sslca:
heroku config:add DATABASE_URL="mysql2://username:password@hostname/dbname?sslca=config/amazon-rds-ca-cert.pem" -a <app_id>
The relative path there is important - see below.
That's it! Now that SSL is working for you, you can require that all connections with this user only allow SSL:
GRANT USAGE ON dbname.* TO 'username'@'%' REQUIRE SSL;
Troubleshooting
Be sure to pass the relative path to sslca! Otherwise, rake assets:precompile may fail with an SSL error. If you receive an error message:
SSL connection error: ASN: bad other signature confirmation
or even just:
SSL connection error
... then something is probably wrong with the reference to the CA certificate file.
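As an added example (not code from the answer above or from the mysql2 or Heroku projects), the following Ruby script shows what the sslca query parameter in a mysql2:// DATABASE_URL turns into: it parses the URL, resolves a relative sslca against the application root (on Heroku the checked-out app directory), builds the options hash a mysql2 connection would receive, and checks the CA file before any connection is attempted, since a missing or non-PEM file is the usual cause of the "SSL connection error" mentioned in the troubleshooting section. The function names build_mysql2_options, check_sslca_file and demo are assumptions for this example, and the PEM file it writes is a constructed placeholder, not a real certificate.

```ruby
require 'uri'
require 'cgi'
require 'tmpdir'

# Added example (not from the original answer): parse a mysql2 DATABASE_URL of
# the form shown in the answer, pull out the sslca query parameter and turn it
# into the options hash that mysql2 / ActiveRecord would receive. The function
# names here are assumptions for this example.
def build_mysql2_options(database_url, app_root)
  uri = URI.parse(database_url)
  raise ArgumentError, 'expected a mysql2:// URL' unless uri.scheme == 'mysql2'

  # CGI.parse returns arrays per key; a DATABASE_URL carries each key once.
  params = uri.query ? CGI.parse(uri.query).transform_values(&:first) : {}
  options = {
    host:     uri.host,
    port:     uri.port || 3306,
    username: uri.user,
    password: uri.password && CGI.unescape(uri.password),
    database: uri.path.delete_prefix('/')
  }

  if params['sslca']
    # A relative sslca (the form the answer recommends) is resolved against the
    # application root, which on Heroku is the checked-out app directory.
    options[:sslca] = File.expand_path(params['sslca'], app_root)
  end
  # sslcapath names a directory of CA certificates, not a single file; keep the
  # two parameters distinct.
  options[:sslcapath] = File.expand_path(params['sslcapath'], app_root) if params['sslcapath']
  options
end

# Sanity-check the CA bundle before the first connection is attempted: a missing
# or non-PEM file is the usual cause of the "SSL connection error" in the answer.
def check_sslca_file(path)
  return :missing unless File.file?(path)
  return :not_pem unless File.read(path).include?('-----BEGIN CERTIFICATE-----')
  :ok
end

# Constructed demo: a throwaway app root containing a placeholder PEM file
# (not a real certificate) so the example runs offline.
def demo
  Dir.mktmpdir do |root|
    Dir.mkdir(File.join(root, 'config'))
    File.write(File.join(root, 'config', 'amazon-rds-ca-cert.pem'),
               "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n")
    url = 'mysql2://username:password@hostname/dbname?sslca=config/amazon-rds-ca-cert.pem'
    opts = build_mysql2_options(url, root)
    [opts,
     check_sslca_file(opts[:sslca]),
     check_sslca_file(File.join(root, 'config', 'missing.pem'))]
  end
end

if __FILE__ == $PROGRAM_NAME
  opts, status, missing = demo
  puts opts.inspect
  puts "configured CA file: #{status}, nonexistent file: #{missing}"
end
```

Running the script prints the resolved options hash with an absolute sslca path, :ok for the configured file and :missing for a path that does not exist, which is the check worth running (for example in an initializer) before rake assets:precompile or the first request tries to open a TLS connection.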