I'm having troubles connecting MySQL database as a source endpoint on AWS DMS.
Client sent me credentials (host, port, username, password) and certificates (CA cert, client cert, client key) and I successfully connected to DB with DBeaver.
I tried to import CA certificate in DMS and it did it successfully, but for SSL mode selected in endpoint (both verify-full and verify-ca) it gives me an error in connection testing:
Test Endpoint failed: Application-Status: 1020912, Application-Message: Cannot connect to ODBC provider ODBC general error., Application-Detailed-Message: RetCode: SQL_ERROR SqlState: HY000 NativeError: 2026 Message: [unixODBC][MySQL][ODBC 8.0(w) Driver]SSL connection error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
I have checked CA certificate with
openssl x509 -in certificate.pem -text -noout
and it seems OK.
I also ran into this article which says that CA cert must be signed by certification authority, the client sent me self signed CA certificate and apparently doesn't know how to properly sign it.
Does anyone knows how to bypass getting CA signed certificate or to get proper CA signed certificate (if this really is a problem)?
Related
When I try to connect to a MySQL server instance via command line, I get the following error:
computer:~ mysql -u user -h db.dbsite.com -p
Enter password:
ERROR 2026 (HY000): SSL connection error: error:00000005:lib(0):func(0):DH lib
Another user with access tried to reproduce it on their end, but connected successfully. Likewise, I can connect on my own home network. The issue has so far only appeared on a public coffee shop WiFi network. I don't have a strong background in networking some I'm not sure what attributes of the network would cause this issue.
I connect successfully elsewhere, so that rules out some of the other issues on StackOverflow (incorrect certificate for one, likewise many other issues are related to invalid server SSL config). Skipping ssl as mentioned here is not viable because of the security risk.
Other info:
OpenSSL 1.0.2p 14 Aug 2018
mysql Ver 8.0.12 for osx10.13 on x86_64 (Homebrew)
I found a fix in this case, it was as simple as adding --ssl-mode=required. It's unclear to me why this argument is required in this case and not others.
I changed my port from 3306 to 3310 due to it not being able to start mySQL in the xampp control panel.
That was the only change I made my from the default windows 10 download.
When I go to https://localhost/phpmyadmin/ I get these errors and cant log see the log in form.
Error
MySQL said: Documentation
Cannot connect: invalid settings.
mysqli_real_connect(): The server requested authentication method unknown to the client [caching_sha2_password]
mysqli_real_connect(): (HY000/2054): The server requested authentication method unknown to the client
Connection for controluser as defined in your configuration failed.
mysqli_real_connect(): The server requested authentication method unknown to the client [caching_sha2_password]
mysqli_real_connect(): (HY000/2054): The server requested authentication method unknown to the client
phpMyAdmin tried to connect to the MySQL server, and the server rejected the connection. You should check the host, username and password in your configuration and make sure that they correspond to the information given by the administrator of the MySQL server.
Retry to connect
Any help would be greatly appreciated
I created a fresh instance of google sql with mysql 5.7. I also had to create a client certificate as well as reset the root password to something known and secure.
If I disable "Only allow secure connections" and I log in from the cli then I can connect with the password.
mysql -uroot -p -h x.x.x.x
But, i like secure connections. So connecting via ssl (enabling ssl connections and using the downloaded certs) is unable to connect.
mysql -uroot -h x.x.x.x --ssl-ca=server-ca.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem
with this error
mysql: [ERROR] SSL error: Unable to get certificate from 'client-cert.pem'
ERROR 2026 (HY000): SSL connection error: Unable to get certificate
If I try and connect via ssl in mysql administrator, I get this error:
The certs were created by the google console and am trying to connect how the example command tells me to connect. So I cannot for the life of me figure out why I cannot connect.
It seems that when creating a client certificate, Google Cloud is putting the CRT inside the client-key.pem and the KEY inside the client-cert.pem.
Does it work if you try the following?
mysql -uroot -h x.x.x.x --ssl-ca=server-ca.pem --ssl-cert=client-key.pem --ssl-key=client-cert.pem
I have created a ssl follow:
https://cloud.google.com/sql/docs/configure-ssl-instance
And read this document:
https://cloud.google.com/sql/docs/mysql-client#connect
After I created a new mysql instance and download the three pem files to local. I want to connect to that server:
mysql -u<USERNAME> -p -h <IP_ADDRESS> --ssl-ca=/local/path/to/server-ca.pem --ssl-cert=/local/path/to/client-cert.pem --ssl-key=/local/path/to/client-key.pem
And type the password, again it said:
ERROR 2013 (HY000): Lost connection to MySQL server at 'reading initial communication packet', system error: 0
Why?
Did you follow the instructions under the heading "Grant access to your instance? It links to another document that explains how to add IP addresses to Authorized Network list of your Cloud SQL instance. Even when using SSL certificates you must add the IP address as an Authorized Network.
I will preface by saying I can connect to the DB instance when I'm not trying to go over SSL.
I am following this guide here
http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Aurora.Connect.html
I have ensured the db instance is public facing.
The security group of the VPC has the following rules:
Type Protocol Port Range Source
MySQL/Aurora (3306) TCP (6) 3306 my_ip_address/32
MySQL/Aurora (3306) TCP (6) 3306 sg-security_group_name
Where the security_group_name is the security group for my EC2 cluster.
I am using the cluser endpoint of my aurora cluster. And I've removed the port. I installed mysql on my machine using homebrew. This is the command I am trying from my local machine (macbook):
mysql -h blah-database-cluster.cluster-dfgdgfd.us-east-1.rds.amazonaws.com --ssl-ca=rds-ssl-ca-cert.pem --ssl-verify-server-cert
Where rds-ssl-ca-cert.pem is the file I downloaded from here:
http://s3.amazonaws.com/rds-downloads/rds-ssl-ca-cert.pem
I get the error:
ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
I have tried creating a new instance, rebooting etc and no joy. Does my security group need some kind of https rule?
Edit:
Further clue. When I run mysql --ssl locally it doesn't error. But when I do mysql show_variables, it says SSL false and the have_ssl and have_open_ssl variables don't exist. Could this be the problem? I installed the local mysql via homebrew package manager for mac.
New edit:
I re-installed mysql (previously from brew) and now direct from oracle and when I try to connect it gives a different error - SSL connection error: ASN: bad other signature confirmation
At present the AWS Aurora documentation is linking to an out of date SSL certificate to use, hence the problem. This has been confirmed by the AWS support staff. Use this instead: https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem
Even when using that certificate, connecting to the cluster end-point over SSL still doesn't work for the command line using mysql -h connection. If I change from the cluster end-point to the instance end-point strangely it works.
Bizarrely, mysql workbench does connect over ssl, both to the instance end-point AND the cluster-end point.
Use mysql with --skip-ssl option if you not using SSL.If nothing helps upgrade your mysql client
From the docs it appears the restriction to the instance endpoint for SSL connections is a security constraint associated with the certificate.
Amazon RDS creates an SSL certificate and installs the certificate on the DB instance when Amazon RDS provisions the instance. These certificates are signed by a certificate authority. The SSL certificate includes the DB instance endpoint as the Common Name (CN) for the SSL certificate to guard against spoofing attacks. As a result, you cannot use the DB cluster endpoint to connect to the primary instance of the DB cluster using SSL.
FYI
please try using this key as well (from Amazon docs)
https://s3.amazonaws.com/rds-downloads/rds-ca-2015-root.pem
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html
For me I had to use:
mysql --ssl-mode=DISABLED -u [USER] -p[PASSWORD] -h [HOST] [DB]