Upgrading MySQL2 and Resolving Certificate Issues with Knex Migrations
Adam C. |

In recent times, many developers have encountered challenges when using the mysql2 package alongside Knex migrations, especially when dealing with changes in certificate authorities (CAs) for AWS RDS databases. This blog post aims to shed light on how upgrading mysql2 and making adjustments in the setup can resolve such issues effectively.

Photo by Lewis Keegan on Unsplash

The Challenge: Certificate Changes and Knex Migrations

AWS RDS introduced new CA certificates like rds-ca-rsa2048-g1, rds-ca-rsa4096-g1, and rds-ca-ecc384-g1, which offer enhanced security features. However, these changes also brought compatibility issues with certain Node.js packages, notably mysql2, especially when using Knex migrations with the --esm flag enabled.

Understanding the Issue

The primary issue arises from the certificate validation process in mysql2, which may result in errors like "self-signed certificate in certificate chain" when connecting to RDS instances using the new CA certificates. This can lead to disruptions in database operations, especially during Knex migrations.

Solution: Upgrading MySQL2 and Adjusting the Setup

  1. Upgrade to mysql2 Version 3.9.2: The latest version of mysql2 (as of writing this post) includes fixes and enhancements, particularly regarding certificate validation and compatibility with newer CA certificates.
  2. Remove the --esm Flag in Knex Migrations: While the --esm flag enables ECMAScript Modules (ESM) support in Knex, it can cause conflicts with certain packages like mysql2. Removing this flag ensures smoother compatibility and module loading in CommonJS (CJS) environments.
  3. Configure mysql2 for New CA Certificates: Ensure that your mysql2 configuration is updated to support the new CA certificates introduced by AWS RDS. This may involve specifying the correct CA certificate file or using the default certificate handling provided by mysql2.

Benefits of Upgrading and Adjusting

  • Improved Security: By upgrading to the latest mysql2 version and using newer CA certificates, you enhance the security posture of your database connections, aligning with best practices for secure communication.
  • Seamless Knex Migrations: Removing the --esm flag and configuring mysql2 properly ensure that Knex migrations run smoothly without encountering certificate-related errors, providing a seamless development experience.


In conclusion, upgrading mysql2 and making necessary adjustments in the setup, such as removing the --esm flag in Knex migrations and configuring mysql2 for new CA certificates, can effectively resolve certificate-related issues and ensure robust database operations in Node.js applications.

By staying updated with package versions and aligning configurations with evolving security standards, developers can navigate challenges like certificate changes with confidence, maintaining the integrity and reliability of their database interactions.