# ory-selfhosting
b
Hi everyone, I have a self-serve Kratos and Keto running in an EKS cluster. My DSN is
DSN=mysql://admin:htyXXXXXXXXXXXXXXXXXXXXSu@tcp(xyzxyzxyz.us-west-2.rds.amazonaws.com:3306)/users?tls=true
MySQL is hosted as RDS in AWS. I want to enable a TLS/SSL-encrypted connection between my Keto and Kratos pods and the MySQL instance in AWS. The error I'm getting when enabling TLS via
tls=true
as suggested by the documentation here: https://www.ory.sh/docs/self-hosted/deployment#mysql is:
time=2024-03-08T04:45:39Z level=debug msg=Connecting to SQL Database func=github.com/ory/kratos/driver.(*RegistryDefault).Init.func1 file=/project/driver/registry_default.go:641 audience=application connMaxLifetime=0s idlePool=2 pool=4 service_name=Ory Kratos service_version=v1.1.0
time=2024-03-08T04:45:40Z level=warning msg=Unable to ping database, retrying. func=github.com/ory/x/logrusx.(*Logger).Logf file=/go/pkg/mod/github.com/ory/x@v0.0.614/logrusx/helper.go:125 audience=application error=map[message:tls: failed to verify certificate: x509: certificate signed by unknown authority stack_trace:
...
Any clue what I'm doing wrong? I have the AWS global-bundle.pem keys, but I have no idea how I can pass these to Kratos or Keto. Any help will be appreciated!
i
Have you added the AWS CA certificate bundles to your trust store (/etc/ssl/certs or similar)? I'm not sure, however, whether Keto ships with certificates at all.
b
Hi Dimitrij, I installed the AWS global-bundle.pem under the trust store and it still fails to validate. Any idea where the code in Keto/Kratos that parses the MySQL connection string is? I can just look at what the parser expects and try to reverse-engineer it 🙂
I'd assume you can pass the location of the certs to be used as part of your MySQL connection string.
i
Did it actually work when mounting the AWS bundle to /etc/ssl/certs/ca-certificates.crt in the container?
b
Last week we had a bunch of other issues, and because this is on a private net, we postponed it. I will try it today or tomorrow to get it done. Regenerating the certs didn't like all the certs being in one file. It wants them in separate files... and I have like 20 certs from AWS 🙂
This command
update-ca-certificates --fresh
that is