Can't Access AWS RDS Instance after Upgrade - mysql

Just upgraded my MySQL RDS instance from the free-tier db.t2.micro to an db.r3.large. Same storage, same security groups, same user groups/credentials, same VPC, same endpoint name, same everything.
I was previously able to access this same instance remotely through MySQL workbench before the upgrade, and according to AWS my endpoint location has not changed.
The error message received:
Can't connect to MySQL server on 'blahblah.rds.amazonaws.com' (10060)
I've tried restarting several times. Ensured by security group allowed inbound TCP access on port 3306 for both 0.0.0.0/0 and ::/0
What else could be wrong?

You probably need to restart the MySQL workbench, not reboot the RDS.
As I described here, the database handles have changed, but the code doesn't notice. So the MySQL workbench is using outdated handles that are being rejected.

Related

Lightsail instance connection to Lightsail database is unreliable

I have a web app running on Lightsail instances stacked with LAMP (PHP 7/MariaDB 10 service). When I want to connect the instances to a Lightsail database instead of localhost, it works sporadically. The front end reads "cannot connect to MySQL database" and in the database server log I read : [MY-010055] [Server] IP address 'xxx.xxx.xxx.xxx' could not be resolved: Name or service not known" where the IP is the private IP address of my instance.
My instances and database are in the same region. Even though it is not necessary I have tried enabling VPC peering and opening the db to the public.
I can connect to the database using the command line tool: mysql -u uuuu -p -h hhhhh (ie: it is not a problem with entering the wrong credentials)
The web app seems to work with the dedicated Lightsail db server when I am the only one using it and until I open it to more traffic, then I get the connection error.
I have increased the number of max_connections from 65 to 500 using the aws CLI (localhost is 150). My current traffic is 2000 visitors per day.
aws lightsail update-relational-database-parameters --relational-database-name Database-1 --parameters "parameterName=max_connections,parameterValue=500,applyMethod=immediate"
Localhost is Mariadb 10, dedicated database server is MySQL 8
SSL is handled by Cloudflare. There's no SSL on my instance.
I don't want to keep using localhost dbs, I want to centralize my data in a dedicated database.
Does anyone know how to handle this problem?

SSL connection error when trying to connect to mysql Aurora via the mysql CLI

I will preface by saying I can connect to the DB instance when I'm not trying to go over SSL.
I am following this guide here
http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Aurora.Connect.html
I have ensured the db instance is public facing.
The security group of the VPC has the following rules:
Type Protocol Port Range Source
MySQL/Aurora (3306) TCP (6) 3306 my_ip_address/32
MySQL/Aurora (3306) TCP (6) 3306 sg-security_group_name
Where the security_group_name is the security group for my EC2 cluster.
I am using the cluser endpoint of my aurora cluster. And I've removed the port. I installed mysql on my machine using homebrew. This is the command I am trying from my local machine (macbook):
mysql -h blah-database-cluster.cluster-dfgdgfd.us-east-1.rds.amazonaws.com --ssl-ca=rds-ssl-ca-cert.pem --ssl-verify-server-cert
Where rds-ssl-ca-cert.pem is the file I downloaded from here:
http://s3.amazonaws.com/rds-downloads/rds-ssl-ca-cert.pem
I get the error:
ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
I have tried creating a new instance, rebooting etc and no joy. Does my security group need some kind of https rule?
Edit:
Further clue. When I run mysql --ssl locally it doesn't error. But when I do mysql show_variables, it says SSL false and the have_ssl and have_open_ssl variables don't exist. Could this be the problem? I installed the local mysql via homebrew package manager for mac.
New edit:
I re-installed mysql (previously from brew) and now direct from oracle and when I try to connect it gives a different error - SSL connection error: ASN: bad other signature confirmation
At present the AWS Aurora documentation is linking to an out of date SSL certificate to use, hence the problem. This has been confirmed by the AWS support staff. Use this instead: https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem
Even when using that certificate, connecting to the cluster end-point over SSL still doesn't work for the command line using mysql -h connection. If I change from the cluster end-point to the instance end-point strangely it works.
Bizarrely, mysql workbench does connect over ssl, both to the instance end-point AND the cluster-end point.
Use mysql with --skip-ssl option if you not using SSL.If nothing helps upgrade your mysql client
From the docs it appears the restriction to the instance endpoint for SSL connections is a security constraint associated with the certificate.
Amazon RDS creates an SSL certificate and installs the certificate on the DB instance when Amazon RDS provisions the instance. These certificates are signed by a certificate authority. The SSL certificate includes the DB instance endpoint as the Common Name (CN) for the SSL certificate to guard against spoofing attacks. As a result, you cannot use the DB cluster endpoint to connect to the primary instance of the DB cluster using SSL.
FYI
please try using this key as well (from Amazon docs)
https://s3.amazonaws.com/rds-downloads/rds-ca-2015-root.pem
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html
For me I had to use:
mysql --ssl-mode=DISABLED -u [USER] -p[PASSWORD] -h [HOST] [DB]

Unable to connect to MySQL AWS RDS instance from local MySQL

I have created an MySQL RDS instance with VPC. Now i am trying to connect to that RDS instance from my Ubuntu 12.04 machine using MySQL client by following code:
mysql -u uname -h test.c6tjb4nxvlri.us-west-2.rds.amazonaws.com -P 3306 -p
But i am getting this error:
ERROR 2003 (HY000): Can't connect to MySQL server on 'test.c6tjb4nxvlri.us-west-2.rds.amazonaws.com' (110)
I searched about this error and everywhere solution came out like
Go to the Instances
Find the security group
Change the inbound rules of that security group by
Adding source of user machine public ip or
Set source ip as 0.0.0.0/16
I tried everything but still same error occures. Any explanations?
The problem was in subnet. Subnet that you created must be publicly accessible.
In On-premises MySQL Workbench, use TCP/IP SSH Tunneling option. Make sure you have EC2 instance endpoint and keypair file.
In SSH endpoint - add your EC2 instance endpoint and for SSH password, browse your keypair. Rest of configurations for MySQL. Like MySQL's endpoint, username, password, port and schema name.
Test your connection it will return success. If not, check RDS Security group. In Security group, you open MySQL port for all IP address. Try it! it will work. Once connection was success, all schema are visible in MySQL Workbench.
RDS DB instance need not to be in public subnet and it is not best practice to do. Always keep RDS DB instance in private subnet and open traffic for EC2 instance.
When you use TCP/IP SSH Tunneling, request traffic will send through EC2 instance to RDS DB instance.
HTH.

Connect to RDS from VPS

I am trying to transfer an existing mysql database that is located on my VPS to AWS RDS.
I have RDS set up and I am able to connect to the server just fine by connecting to one of my ec2 instances through ssh and using this command:
mysql -uuser -p -hxx.xx.us-west-2.rds.amazonaws.com
However, when I try to connect from my VPS (through ssh) I receive an ERROR 2003, which I believe is permission denied.
It doesn't seem to matter how I set my security group. I set the inbound to allow port 3306 from my server ip and that did not work, I even tried allowing all traffic on all ports from anywhere on my inbound rules and I still am unable to connect. The outbound has always been completely open.
If anyone can see anything that I am missing I would really appreciate some help.
Thanks.
Make sure your RDS instance is set to public if you want to access it externally. If in fact it's not publicly accessible then you'll need to recreate your instance and import your data, or take a snapshot and rebuild your RDS instance from the snapshot.
You only have ONE chance to modify it and that is at instance creation.
If you do this then make sure you security group only allows from a specific IP address or if you're using MySQL workbench rather use a SSH tunnel using SSH keys via an EC2 instance.
Is user a user you created manually in your RDS, or is it the admin user that was created when you created the instance? If the former, then make sure you have granted access to that user from your remote VPS.
Also, from your VPS, make sure you can open a TCP connection to the database. Try:
$ nc -v -z xx.xx.us-west-2.rds.amazonaws.com 3306
If the connection succeeds here but you still can't connect with the mysql CLI, you have a problem with the username/password/database connection info.

"Can't connect to MySQL server", only when client is remote server

I'm having a weird problem where I can connect to a certain database server from my local machine (and my friend can also connect to the database server from his local machine) but we can't connect to the database server from his AWS server.
What I get on the AWS server is:
"Can't connect to MySQL server on '<IP address>' ".
It's not as if the database server is only allowing connections from certain IP addresses; it didn't know about my IP address before I tried to connect.
Any idea what could be different about my AWS machine that could be making the connection not work?
Is the MySQL server inside the same network as the local machines? If so, it might explain why local machines can connect but the remote AWS can not.
By default, MySQL disables all remote connections. You can check if the remote connections are enabled. It could also be an issue with port block. MySQL uses port 3306 by default. Either MySQL or the AWS might not be configured to send data through the firewall on port 3306.
Here is a decent article explaining how to open these things up.
http://www.cyberciti.biz/tips/how-do-i-enable-remote-access-to-mysql-database-server.html