Symptom
A Database Collector connection test to an AWS-hosted database, when performed while teleported to a hybrid worker, results in the error Database connection unsuccessful: unable to get local issuer certificate displayed in the Cribl UI.
Environment
- Stream
- Hybrid Worker
- Database Collector
- AWS Aurora (MySQL)
- TLS
Resolution
Obtain the Aurora CA bundle, upload the CA bundle to the worker group, add the Aurora CA bundle to each worker’s Node.js global trust store so the worker group globally trusts the CA and can establish TLS connections to the database endpoint.
- Obtain the Aurora CA bundle from AWS.
- Upload the CA bundle to the worker group: Products > Stream > Worker Groups > Click the worker group > Worker Group Settings > Security > Certificates > Enter the CA bundle details > Save > Commit & Deploy.
- Add the Aurora CA bundle to each worker’s Node.js global trust store via CLI (see here for more details):
sudo systemctl edit cribl.service- Add below replacing
file.pemwith the CA bundle .pem file produced at/opt/cribl/local/cribl/auth/certs/after step #2 is completed:[Service] Environment="NODE_EXTRA_CA_CERTS=/opt/cribl/local/cribl/auth/certs/file.pem" sudo systemctl daemon-reloadsudo systemctl restart cribl
- Test the connection again. You should not see the certificate error.
Cause
The hybrid workers do not trust the AWS CA until they are explicitly set to trust it, which prevents a TLS connection from successfully establishing. The Database Collector source cannot explicitly reference the CA .pem file, so the the .pem file must be added to the Node.js global store.
Last Validated
4.17.0
