Using amazon RDS with WordPress over SSL
Had the same question. Thankfully some other folks had proposed a reasonable solution here: https://core.trac.wordpress.org/ticket/28625. End-to-end, here's what I did to get SSL working:
1. Add the following to the wordpress wp-includes/wp-db.php file. (except the last 2 lines which are just for insertion point reference)
//ADDED per https://core.trac.wordpress.org/ticket/28625// call set_ssl if mysql client flag set and settings availableif ( $client_flags & MYSQL_CLIENT_SSL ) { $pack = array( $this->dbh ); $call_set = false; foreach( array( 'MYSQL_SSL_KEY', 'MYSQL_SSL_CERT', 'MYSQL_SSL_CA', 'MYSQL_SSL_CAPATH', 'MYSQL_SSL_CIPHER' ) as $opt_key ) { $pack[] = ( defined( $opt_key ) ) ? constant( $opt_key ) : null; $call_set |= defined( $opt_key ); } /* Now if anything was packed - unpack into the function. * Note this doesn't check if paths exist, as per the PHP doc * at http://www.php.net/manual/en/mysqli.ssl-set.php: "This * function always returns TRUE value. If SSL setup is incorrect * mysqli_real_connect() will return an error ..." */ if ( $call_set ) { // SSL added here! call_user_func_array( 'mysqli_ssl_set', $pack ); }}//END ADD - below is the point above which to insert thisif ( WP_DEBUG ) { mysqli_real_connect( $this->dbh, $host, $this->dbuser, $this->dbpassword, null, $port, $socket, $client_flags );
2. Customize your wordpress wp-config.php file.
Add & customize the following lines in your wp-config.php file. You can test these from development/staging as well as production if you have multiple environments.
define('DB_HOST', 'rds-yourserver-abcdefghi9j.us-west-1.rds.amazonaws.com');define('MYSQL_CLIENT_FLAGS', MYSQL_CLIENT_SSL);//This activates SSL modedefine('MYSQL_SSL_CA', '/file/path/to/your/aws/rds-combined-ca-bundle.pem');
Note that there are 5 available MYSQL_SSL* settings you could use in your config, per code in #1 above. My RDS connection works via SSL with just the _CA option.
3. Sanity test that your connection is encrypted.
Add a quick test file to show whether the current Wordpress connection is using SSL or not. Create a sample file like this one called test.php, and put in your wordpress root or somewhere web accessible. Don't forget to remove this file when done testing.
<?phprequire( dirname( __FILE__ ) . '/wp-blog-header.php' ); //EDIT THIS PATH SO IT IS CORRECT FOR YOUR test.php file relative to the wp-blog-header.php fileglobal $wpdb;$row = $wpdb->get_row( "SHOW STATUS LIKE 'Ssl_cipher'" );var_dump($row);/*If you are connected over SSL this should output something like:object(stdClass)#116 (2) { ["Variable_name"]=> string(10) "Ssl_cipher" ["Value"]=> string(10) "AES256-SHA" }If you are NOT connected over SSL this should output something like:object(stdClass)#116 (2) { ["Variable_name"]=> string(10) "Ssl_cipher" ["Value"]=> string(10) "" }*/?>
4. Deploy and test your connection
Deploy your changes & test.php file to your wordpress installation, and restart your web server as needed. I'm using apache, so I run
sudo apachectl restart
For anyone one is using Redhat 7 + Apache 2.4 + PHP 7.I was facing same issue, so added below two lines into the wp-config.php as mentioned above.
define('MYSQL_CLIENT_FLAGS', MYSQLI_CLIENT_SSL | MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT ); // you need this for PHP 7define('MYSQL_SSL_CA', '/var/www/BaltimoreCyberTrustRoot.crt.pem');
However was still not able to connect to DB...
So called one guy and he asked me to disable the Selinux by running following command:
setsebool -P httpd_can_network_connect_db 1
I said, dude, i already disabled SELinux why i need to run this again? He screamed to me: I DON'T KNOW, JUST RUN IT!
so i did and restarted the httpd, and it worked without changing wp-db.php... dont ask me why as i totally have no idea abpit the logic behind this neither.