TLS Support
Readyset supports TLS encryption between itself and your upstream database out
of the box. To do this, Readyset must have access to the root certificate used
by your upstream database. Operating systems typically come with the root
certificates for some common certificate authorities already installed. If your
upstream database uses a different root certificate, then you must either
install that certificate (such that all applications on your system can use it
to verify certificates) or provide the root certificate file path directly to
Readyset via the --ssl-root-cert option.
The --ssl-root-cert option only supports a single certificate in the PEM or
DER format. It does not support bundles containing multiple certificates.
On macOS, providing the root certificate via the --ssl-root-cert option is
not supported: the Apple Security framework (used by Readyset to provide TLS
support) does not allow the use of untrusted certificates, even when they are
explicitly provided.
Below are instructions for installing and trusting a new root certificate on supported platforms:
Readyset uses the system-provided OpenSSL package on Linux.
The following instructions are derived from the Ubuntu docs.
To install a new certificate, first download the certificate, then run the following:
# Change the extension to .crt and, if necessary, convert from DER to PEM format
# (if the input is DER and openssl cannot load it, add: -inform der)
# Place the output file in the appropriate system directory
sudo openssl x509 -outform pem -in "$INFILE" -out "/usr/local/share/ca-certificates/$OUTFILE.crt"
# Install the certificate
sudo update-ca-certificates
Below are download links for the root certificates for supported cloud database providers:
The Amazon RDS global certificate bundle includes root certificates for every AWS region.
Alternatively, download only the region-specific bundle(s) you need.
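Because --ssl-root-cert accepts only a single certificate while the RDS downloads above are bundles, the following added example (not part of the Readyset documentation) counts the PEM certificates in a file and splits a bundle into one .crt file per certificate. The function names and the rootca prefix are hypothetical, and the sample bundle is constructed with placeholder bodies rather than real certificates.

```shell
#!/bin/sh
# Added example. Function names and file-name prefixes are hypothetical.

# Print how many PEM certificate blocks a file contains (0 for a DER file).
count_pem_certs() {
    awk '/^-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }' "$1"
}

# Succeed only if the file holds exactly one PEM certificate, i.e. it can be
# passed as --ssl-root-cert without further processing.
is_single_pem_cert() {
    [ "$(count_pem_certs "$1")" -eq 1 ]
}

# Split a PEM bundle into <outdir>/<prefix>-NN.crt, one certificate per file.
# Text outside BEGIN/END markers is dropped. Prints the number of files written.
split_pem_bundle() {
    mkdir -p "$2" || return 1
    awk -v dir="$2" -v prefix="$3" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%s-%02d.crt", dir, prefix, n) }
        out != ""                      { print > out }
        /^-----END CERTIFICATE-----/   { if (out != "") close(out); out = "" }
        END                            { print n + 0 }
    ' "$1"
}

# Constructed sample: two PEM blocks with placeholder bodies (not real certificates).
write_sample_bundle() {
    cat > "$1" <<'EOF'
# constructed comment line between certificates
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtU0FNUExFLTE=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtU0FNUExFLTI=
-----END CERTIFICATE-----
EOF
}

demo_dir=$(mktemp -d)
write_sample_bundle "$demo_dir/bundle.pem"
if is_single_pem_cert "$demo_dir/bundle.pem"; then
    echo "single certificate: usable with --ssl-root-cert"
else
    echo "bundle: split into $(split_pem_bundle "$demo_dir/bundle.pem" "$demo_dir/out" rootca) file(s)"
fi
rm -rf "$demo_dir"
```

On a real bundle, inspect each output file with `openssl x509 -noout -subject -issuer -in FILE` to find the root that signs your database's certificate before installing it or passing it to --ssl-root-cert.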