[aws rds mysql] Error: P1001 Can't reach database server using ssl connect


Bug description

Running prisma introspect returns the following error:

Error: P1000

Authentication failed against database server at `xxxxx.rds.amazonaws.com`, the provided database credentials for `USER` are not valid.

Please make sure to provide valid database credentials for the database server at `xxxxx.rds.amazonaws.com`.

Debugging Steps Taken

  • successfully ssl connected (and can query) using DBeaver (a SQL client tool) with the same credentials, host, port, database name, and CA cert.

  • successfully (non-ssl) connected to and ran prisma introspect against a Docker image of a mysql-employees sample database (found here).

I originally posted similar details in a Q&A Discussion post here.

How to reproduce

Attempt 1

  1. move CA cert to ./prisma dir
  2. add DATABASE_URL="mysql://USER:PASSWORD@xxxxx.rds.amazonaws.com:3306/DATABASE&sslcert=server-ca-cert.pem" to .env file.
  3. prisma introspect

Attempt 2

  1. create a pkcs12 file following instructions here
  2. move pkcs12 file to ./prisma dir
  3. add DATABASE_URL="mysql://USER:PASSWORD@xxxxx.rds.amazonaws.com:3306/DATABASE&sslidentity=keyStore.p12&sslpassword=SSLPASS&sslcert=server-ca-cert.pem" to .env file.
  4. prisma introspect

Attempt 3

  1. create a pkcs12 file using the exact steps listed in Issue #2676
  2. add DATABASE_URL="mysql://USER:PASS@xxx.rds.amazonaws.com:3306/DATABASE&sslidentity=client-identity.p12&sslpassword=SSLPASS&sslcert=server-ca-cert.pem" to .env file.
  3. prisma introspect

Attempt 4

  1. add DATABASE_URL="mysql://USER:PASS@xxx.rds.amazonaws.com:3306/DATABASE" to .env file.
  2. prisma introspect

They all result in the same Error: P1000 Authentication failed error.

Expected behavior

A successful prisma introspect run.

❯ prisma introspect
Environment variables loaded from .env
Prisma schema loaded from prisma/schema.prisma

Introspecting based on datasource defined in prisma/schema.prisma …

✔ Introspected x models and wrote them into prisma/schema.prisma in xxxms
      
Run prisma generate to generate Prisma Client.

Prisma information

/prisma/schema.prisma:

// This is your Prisma schema file,
// learn more about it in the docs: https://pris.ly/d/prisma-schema

datasource db {
  provider = "mysql"
  url      = env("DATABASE_URL")
}

generator client {
  provider = "prisma-client-js"
}

.env:

# Environment variables declared in this file are automatically made available to Prisma.
# See the documentation for more detail: https://pris.ly/d/prisma-schema#using-environment-variables

# Prisma supports the native connection string format for PostgreSQL, MySQL and SQLite.
# See the documentation for all the connection string options: https://pris.ly/d/connection-strings

DATABASE_URL="mysql://USER:PASSWORD@xxxxx.rds.amazonaws.com:3306/DATABASE&sslcert=server-ca-cert.pem"

Environment & setup

  • OS: Mac OS Catalina 10.15.6
  • Database: MySQL (Amazon RDS)
  • Node.js version: 14.15.4
  • Nestjs version: 7.5.4
  • Prisma version:
@prisma/cli          : 2.13.1
@prisma/client       : 2.14.0
Current platform     : darwin
Query Engine         : query-engine fcbc4bb2d306c86c28014f596b1e8c7980af8bd4 (at ../../../../../.nvm/versions/node/v14.15.4/lib/node_modules/@prisma/cli/node_modules/@prisma/engines/query-engine-darwin)
Migration Engine     : migration-engine-cli fcbc4bb2d306c86c28014f596b1e8c7980af8bd4 (at ../../../../../.nvm/versions/node/v14.15.4/lib/node_modules/@prisma/cli/node_modules/@prisma/engines/migration-engine-darwin)
Introspection Engine : introspection-core fcbc4bb2d306c86c28014f596b1e8c7980af8bd4 (at ../../../../../.nvm/versions/node/v14.15.4/lib/node_modules/@prisma/cli/node_modules/@prisma/engines/introspection-engine-darwin)
Format Binary        : prisma-fmt fcbc4bb2d306c86c28014f596b1e8c7980af8bd4 (at ../../../../../.nvm/versions/node/v14.15.4/lib/node_modules/@prisma/cli/node_modules/@prisma/engines/prisma-fmt-darwin)
Studio               : 0.329.0

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Reactions: 1
  • Comments: 30 (7 by maintainers)

Top GitHub Comments

10 reactions
pimeys commented, Mar 1, 2021

@gevuong The default was wrong in the docs and has been changed in the version 2.17.0. What happened here is that most of the cloud database providers will not give you a valid and signed certificate due to you not having a public hostname for the server. Now, originally we took an approach to be explicitly secure, and not allow certificates that are not valid. Because, well, it’s kind of not that secure to use those certs, you’re never sure are you actually talking to the right database!

But then again, the only cloud database that actually has valid certificates is Microsoft with their Azure SQL offering, everybody else just uses self-signed certs. Therefore our PostgreSQL and MySQL connectors both now by default accept self-signed certificates from version 2.17.0 forwards. If you’re using an older version, you might want to set sslaccept=accept_invalid_certs in your connection string.

5 reactions
gevuong commented, Mar 1, 2021

Hi @pantharshit00,

Per #2676, I tried sslaccept=accept_invalid_certs instead of sslmode=require and it worked!

Although the prisma docs state that sslaccept is not required and that the default is accept_invalid_certs, I had to explicitly add the argument to get it to work. Otherwise I will get Can't reach database server at ....

@dhanish2k maybe this will address the error you see in postgres?

Anyhow, thanks for your help and for everyone’s contribution to this thread!
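
A pre-flight check for the connection-string options discussed in this thread, as an added example (not code from Prisma or from the posters). The function name and finding codes are hypothetical, the sample URLs are constructed from the placeholders used in the issue, and `strict` is Prisma's documented value for full certificate validation, which the thread describes but does not name.

```javascript
// Added example: audit the TLS-related options of a Prisma connection URL.
// auditDatabaseUrl and the finding codes are hypothetical names.
function auditDatabaseUrl(raw) {
  const findings = [];
  const url = new URL(raw);

  // Options only count after "?". In ".../DATABASE&sslcert=x" there is no
  // query string, so everything after "&" is parsed as part of the path
  // (the database name) and the TLS options are never seen.
  if (url.search === "" && /&\w+=/.test(url.pathname)) {
    findings.push("OPTIONS_IN_PATH");
  }

  const accept = url.searchParams.get("sslaccept");
  if (accept === "accept_invalid_certs") {
    // The link is encrypted, but the server certificate is not validated,
    // so the client cannot tell the real database from an impostor.
    findings.push("SERVER_CERT_NOT_VERIFIED");
  } else if (accept === null) {
    // Behaviour depends on the installed Prisma version's default, which
    // changed in 2.17.0 according to the maintainer comment above.
    findings.push("SSLACCEPT_IMPLICIT");
  }
  return findings;
}

// Constructed sample URLs using the placeholders from the issue.
const samples = {
  ampersandOnly:
    "mysql://USER:PASSWORD@xxxxx.rds.amazonaws.com:3306/DATABASE&sslcert=server-ca-cert.pem",
  workaround:
    "mysql://USER:PASSWORD@xxxxx.rds.amazonaws.com:3306/DATABASE?sslaccept=accept_invalid_certs",
  verified:
    "mysql://USER:PASSWORD@xxxxx.rds.amazonaws.com:3306/DATABASE?sslcert=server-ca-cert.pem&sslaccept=strict",
};

for (const [name, url] of Object.entries(samples)) {
  console.log(name, auditDatabaseUrl(url));
}
```

Pinning `sslaccept` explicitly, as the `verified` sample does with the CA file supplied through `sslcert`, keeps certificate validation from changing silently when the Prisma version changes.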
