Can not connect to amazon RDS from spring boot container app

Question

I want to dockerization all our Spring Boot services, but stack on the issue with connection to the Amazon RDS Aurora MySQL.

The issue is with the communication to the Amazon RDS instance. The weird thing is that if I run the service.jar file using the java command java -jar service.jar everything works as expected. Stack trace of the error:

Caused by: com.mysql.cj.exceptions.CJCommunicationsException: Communications link failure

The last packet sent successfully to the server was 0 milliseconds ago. The driver has not received any packets from the server.
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[na:1.8.0_292]
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[na:1.8.0_292]
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[na:1.8.0_292]
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[na:1.8.0_292]
        at com.mysql.cj.exceptions.ExceptionFactory.createException(ExceptionFactory.java:61) ~[mysql-connector-java-8.0.22.jar!/:8.0.22]
        at com.mysql.cj.exceptions.ExceptionFactory.createException(ExceptionFactory.java:105) ~[mysql-connector-java-8.0.22.jar!/:8.0.22]
        at com.mysql.cj.exceptions.ExceptionFactory.createException(ExceptionFactory.java:151) ~[mysql-connector-java-8.0.22.jar!/:8.0.22]
        at com.mysql.cj.exceptions.ExceptionFactory.createCommunicationsException(ExceptionFactory.java:167) ~[mysql-connector-java-8.0.22.jar!/:8.0.22]
        at com.mysql.cj.protocol.a.NativeProtocol.negotiateSSLConnection(NativeProtocol.java:340) ~[mysql-connector-java-8.0.22.jar!/:8.0.22]
        at com.mysql.cj.protocol.a.NativeAuthenticationProvider.connect(NativeAuthenticationProvider.java:167) ~[mysql-connector-java-8.0.22.jar!/:8.0.22]
        at com.mysql.cj.protocol.a.NativeProtocol.connect(NativeProtocol.java:1348) ~[mysql-connector-java-8.0.22.jar!/:8.0.22]
        at com.mysql.cj.NativeSession.connect(NativeSession.java:157) ~[mysql-connector-java-8.0.22.jar!/:8.0.22]
        at com.mysql.cj.jdbc.ConnectionImpl.connectOneTryOnly(ConnectionImpl.java:956) ~[mysql-connector-java-8.0.22.jar!/:8.0.22]
        at com.mysql.cj.jdbc.ConnectionImpl.createNewIO(ConnectionImpl.java:826) ~[mysql-connector-java-8.0.22.jar!/:8.0.22]
        ... 165 common frames omitted
Caused by: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
        at sun.security.ssl.HandshakeContext.<init>(HandshakeContext.java:171) ~[na:1.8.0_292]
        at sun.security.ssl.ClientHandshakeContext.<init>(ClientHandshakeContext.java:98) ~[na:1.8.0_292]
        at sun.security.ssl.TransportContext.kickstart(TransportContext.java:220) ~[na:1.8.0_292]
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:428) ~[na:1.8.0_292]
        at com.mysql.cj.protocol.ExportControlled.performTlsHandshake(ExportControlled.java:317) ~[mysql-connector-java-8.0.22.jar!/:8.0.22]
        at com.mysql.cj.protocol.StandardSocketFactory.performTlsHandshake(StandardSocketFactory.java:188) ~[mysql-connector-java-8.0.22.jar!/:8.0.22]
        at com.mysql.cj.protocol.a.NativeSocketConnection.performTlsHandshake(NativeSocketConnection.java:97) ~[mysql-connector-java-8.0.22.jar!/:8.0.22]
        at com.mysql.cj.protocol.a.NativeProtocol.negotiateSSLConnection(NativeProtocol.java:331) ~[mysql-connector-java-8.0.22.jar!/:8.0.22]
        ... 170 common frames omitted

My docker file looks like this:

FROM openjdk:8
ARG app_name

ENV version /
ENV build /

COPY ./target/${app_name}.jar ./app.jar

CMD ["java", "-Dserver.port=80","-Dproject.version=${version}", "-Dbuild.number=${build}", "-jar", "./app.jar"]

The application properties have next data:

# Hibernate ddl auto (create, create-drop, update)
spring.jpa.hibernate.ddl-auto=validate
spring.jpa.properties.hibernate.show-sql=true
spring.jpa.properties.hibernate.use-sql-comments=true
spring.jpa.properties.hibernate.format-sql=true
spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.MySQLDialect
#MySQL DIALECT
spring.datasource.driverClassName=com.mysql.cj.jdbc.Driver
spring.datasource.tomcat.test-on-borrow=true
spring.datasource.tomcat.validation-query=SELECT 1
spring.datasource.url=jdbc:mysql://aws_rds:3306/service_db?serverTimeZone=UTC&useSSL=false
spring.datasource.username=@database.username@
spring.datasource.password=@database.password@
spring.datasource.initialization-mode=always
spring.datasource.hikari.maximum-pool-size=5
# Flyway
spring.flyway.locations=classpath:db/migration
spring.flyway.check-location=true
spring.flyway.validate-on-migrate=false
spring.flyway.out-of-order=true
spring.flyway.table=schema_version

What I miss in the docker?

Answer 1

Not Recommended for production

you can disable ssl check by adding --ssl=0 command to your mysql docker-compose.yml e.g

version: '3.3'
services:
 mysql:
  image: mysql:5.7
  command: --ssl=0
  volumes:
    - ./data:/var/lib/mysql
  restart: always
  environment:
    MYSQL_ROOT_PASSWORD: yourPassword
  ports:
    - "3306:3306"

Answer 2

Most likely openjdk:8 base Docker image that you used doesn't support TLS version required by AWS Aurora. You have to review which TLS version is allowed by your AWS Aurora and then make sure that Java installed in your Docker image supports it. You can take a look at this answer or this answer.

Please note that recently, in April 2021, Java™ SE Development Kit 8, Update 291 (JDK 8u291) changed allowed TLS versions:

➜ Disable TLS 1.0 and 1.1

TLS 1.0 and 1.1 are versions of the TLS protocol that are no longer considered secure and have been superseded by more secure and modern versions (TLS 1.2 and 1.3).

These versions have now been disabled by default. If you encounter issues, you can, at your own risk, re-enable the versions by removing "TLSv1" and/or "TLSv1.1" from the jdk.tls.disabledAlgorithms security property in the java.security configuration file.