Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.

nutickets's avatar

How to connect to MySQL RDS Proxy via SSL in Laravel

Having some difficulty connecting to an RDS Proxy that has the "Require Transport Layer Security" enabled.

Wondering if anyone can save me some time here?

Note: I'm able to connect via SSL if I skip the proxy and go directly to the underlying RDS instance by pointing PDO::MYSQL_ATTR_SSL_CA to a cert downloaded from https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html:

'mysql' => [
            // ...
            'options' => extension_loaded('pdo_mysql') ? array_filter([
                    PDO::MYSQL_ATTR_SSL_CA => env('MYSQL_CERT'),
            ]) : [],
        ],

Using that same cert via the proxy results in an error:

SQLSTATE[HY000] [2002] Cannot connect to MySQL using SSL.

Removing the cert gives me

SQLSTATE[HY000] [3159] This RDS Proxy requires TLS connections

I can connect via SSL to the proxy (without a cert) in a GUI using ssl_mode=PREFERRED so that's a clue on what to do, just not sure how to get there with laravel?

Side note: AWS Docs states:

RDS Proxy uses certificates from the AWS Certificate Manager (ACM). If you are using RDS Proxy, you don't need to download Amazon RDS certificates or update applications that use RDS Proxy connections.

0 likes
2 replies
LaryAI's avatar
LaryAI
AI
1 year ago
Level 58

To connect to a MySQL RDS Proxy via SSL in Laravel, you need to configure your database connection settings properly in the config/database.php file. Since you mentioned that you can connect via SSL to the proxy using ssl_mode=PREFERRED, you can set the appropriate PDO options in Laravel to achieve this.

Here's how you can configure your Laravel application to connect to the MySQL RDS Proxy with SSL:

  1. Download the SSL Certificate: Ensure you have the SSL certificate from AWS. You can download it from the AWS RDS SSL documentation.

  2. Store the Certificate: Place the downloaded certificate in a secure location within your Laravel project, for example, in the storage directory.

  3. Update Environment Variables: Add the path to the certificate in your .env file.

    DB_CONNECTION=mysql
DB_HOST=your-rds-proxy-endpoint
DB_PORT=3306
DB_DATABASE=your-database-name
DB_USERNAME=your-username
DB_PASSWORD=your-password
MYSQL_ATTR_SSL_CA=/path/to/your/certificate.pem

  4. Configure Database Connection: Update the config/database.php file to include the SSL options. You can use the PDO::MYSQL_ATTR_SSL_CA attribute to specify the certificate and set the PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT to false if you want to disable server certificate verification.

    'mysql' => [
    'driver' => 'mysql',
    'host' => env('DB_HOST', '127.0.0.1'),
    'port' => env('DB_PORT', '3306'),
    'database' => env('DB_DATABASE', 'forge'),
    'username' => env('DB_USERNAME', 'forge'),
    'password' => env('DB_PASSWORD', ''),
    'unix_socket' => env('DB_SOCKET', ''),
    'charset' => 'utf8mb4',
    'collation' => 'utf8mb4_unicode_ci',
    'prefix' => '',
    'strict' => true,
    'engine' => null,
    'options' => extension_loaded('pdo_mysql') ? array_filter([
        PDO::MYSQL_ATTR_SSL_CA => env('MYSQL_ATTR_SSL_CA'),
        PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => false,
    ]) : [],
],

  5. Test the Connection: After updating the configuration, test the connection by running a database query or using Laravel's artisan command to ensure that the connection is established successfully.

    php artisan migrate

By following these steps, you should be able to connect to your MySQL RDS Proxy via SSL in Laravel. If you encounter any issues, double-check the certificate path and ensure that the RDS Proxy endpoint and credentials are correct.

nutickets's avatar
nutickets
OP
1 year ago
Best Answer
Level 8

Just as I posted this, figured out the problem. To tell Laravel to use ssl_mode PREFERRED, we need PDO::MYSQL_ATTR_SSL_CA to be set to null -- but the wrapping array_filter was removing that key (which our AI friend above did not pick up on!).

And then in addition to that, because RDS Proxy manages certs, I needed to set PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT to false.

Final working solution:

'mysql' => [
    // ..
    'options' => extension_loaded('pdo_mysql') ? [
        PDO::MYSQL_ATTR_SSL_CA => env('MYSQL_ATTR_SSL_CA'),
        PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => false,
    ] : [],
],

Thank you Laracasts for being my rubber duck

4 likes

Please or to participate in this conversation.