Connect to MySQL with Microsoft Power Bi Desktop over SSL - mysql

I have a MySQL running on a CentOS server with SSL enabled, and it requires SSL in order to connect to the databases. I created the certificates and keys using OpenSSL, getting these files:
ca.pem
ca-key.pem
client-cert-pem
client-key-pem
server-cert.pem
server-key.pem
Setup MySQL with this:
ssl-ca=/etc/certs/ca.pem
ssl-cert=/etc/certs/server-cert.pem
ssl-key=/etc/certs/server-key.pem
bind-address=*
require_secure_transport=ON
I created a user that requires X509 on the MySQL by using:
CREATE USER 'user'@'%' IDENTIFIED BY '<password>' REQUIRE X509;
Testing with the MySQL client console and MySQL Workbench, providing the client certs, works fine. It also works in a Java app that writes/reads the databases by importing the certificates into the keystores/truststores.
However, I cannot set up Power BI Desktop version to connect to the MySQL server. I imported the certificates to the Trusted Root Authentication Authorities and a PKCS12 keystore and truststore (used also by the Java app). This image shows the certificate. It is in Spanish, but it says it also has the key and it is verified by the ca.pem.
This is according to the documentation, but the documentation about this is very old and very limited. Some of the process and/or tools are out of date.
These are the sources I could find:
https://github.com/Microsoft/PowerBI-visuals/blob/master/tools/CreateCertificate.md#generate-certificate-manually
https://github.com/Microsoft/PowerBI-visuals/blob/master/tools/CertificateAddWindows.md
https://powerbi.microsoft.com/es-es/blog/ssl-security-error-with-data-source/
However there is not much more info about how to properly connect (or I cannot find it).
The message I get on Power Bi is "We were unable to authenticate you with the credentials provided. Try again."
I must add that disabling SSL allows me to connect to the databases using Power BI without any issue. It is the SSL that doesn't work, as I don't know how to properly provide the certificates and I cannot find anything that describes the process.

Related

How to connect PowerBI desktop to Azure MySQL with SSL

I need to set up my connection with PowerBI to Azure Database for MySQL flexible server. I can't seem to find any reliable documentation to do this.
Initially I'm getting this error when I try to connect to the server.
Get Data > More > Select MySQL Database
Input the Server name and Database name > Hit OK
Error: Connections using insecure transport are prohibited while --require_secure_transport=ON.
Then I downloaded the SSL certificate from our Azure portal and successfully imported it in certmgr.msc under the Trusted Root Certification Authorities.
But the same issue persists. Please take note that on this same machine I was able to connect to that server using phpMyAdmin, and in DBeaver as well by simply installing the SSL as a CA Certificate. What can I try next?
When you import the certificate, you get asked to install it for the current user or the local machine. Have you tried importing it on the local machine rather than the current user? I have it on the local machine and am able to connect to the Azure Database for MySQL server. Let me know if it works.
Thanks
Sunitha
I was able to fix my issue by installing the latest MySQL connector and importing a public SSL certificate.
My machine previously had MySQL Connector Net 7.0.2; then I downloaded the latest 8.0.32 from this page: https://dev.mysql.com/downloads/connector/net/
Thanks to this reference: https://learn.microsoft.com/en-us/azure/mysql/flexible-server/connect-with-powerbi-desktop

SSL Connection to MySQL using SQL Workbench/j

I am able to establish an RDS/MySQL SSL connection via MySQL Workbench by specifying the certificate file path, but I am unable to do that via 'SQL Workbench/j' because I couldn't find any option to give the certificate path.
The SSL connection feature of specifying a certificate path is not available in "SQL Workbench/j". You can make use of another good GUI tool, 'Toad for MySQL', which provides this feature and is a decent tool which I have been using for the last 7 years.

Google Data Studio & AWS MySQL SSL Connection

I am trying to remotely connect Google Data Studio with our MySQL Database, which is hosted on an AWS instance. To allow for a secure connection, we added SSL access to the AWS's MySQL database user as recommended in the documentation:
GRANT USAGE ON *.* TO 'encrypted_user'@'%' REQUIRE SSL;
The problem here is that AWS, unlike Google CloudSQL, only generates a server certificate, and not a client certificate or a client private key (as far as I can tell). Both of the latter are needed to enable SSL for the Google Data Studio & MySQL connection.
Just to add a side-note, we also white-listed Google's recommended IPs as listed here. There are a lot of users in this thread complaining that white-listing specific IPs does not work, they had to add wildcard on the subnets. So we have also added addresses of the /16 subnets for each IP.
Finally, one does not need to restart the AWS firewall after white-listing new IPs, it is immediately in-effect.
My Questions:
Is there absolutely no way to create a client certificate and a client private key on MySQL hosted on AWS?
I would really want to use SSL between Google Data Studio (GDS) and our MySQL DB, but the GDS UI does not allow us to connect without filling in the client certificate and client private key. Is there any workaround at the moment to allow this secure connection?
Thanks in advance!
I was able to establish SSL connection between Google Data Studio and Amazon RDS PostgreSQL using Amazon server certificate and self-signed client cert + key created with OpenSSL:
openssl req -newkey rsa:2048 -nodes -keyout client.key -x509 -days 365 -out client.crt
Taken from https://stackoverflow.com/a/48994943/2789084.

Google Compute Engine LAMP Stack SFTP,SQL and HTTPS

I've set up a Google Compute VM, and can access phpMyAdmin and the default index page. SSH works when I click the button on the website.
I am having issues remotely connecting to my server instance for any sort of management (FTP or SQL).
I followed the firewall section here: https://cloud.google.com/solutions/mysql-remote-access
But I still can't connect.
My firewall is configured:
And I have no idea how to get HTTPS working, but that can be a problem to take care of in the future when I fully switch my site over to Compute Engine, since I can't switch my domain or current SSL certificates over yet.
EDIT:
More information:
When I try to connect to SQL using client "Sequel Pro" it returns:
With telnet:
When I try connect to SFTP I get:
Could this be caused by me mistyping the password?
Your firewall settings show that you allowed external traffic to both ports 21 and 3306 for TCP protocol. This is good but not enough.
In order to allow remote connections to MySQL, you will need to grant remote access to your username and your external IP address. Take a look at this case for an example. This is also mentioned in step 6 and step 7 of Configure MySQL server on my-server section of the article you specified:
mysql> GRANT ALL PRIVILEGES ON *.* TO 'TESTUSER'@'<external-ip-my-client>' IDENTIFIED BY '<some-password>';
About the FTP server: the VM instance comes with no FTP service installed, but you can instead use the SFTP protocol to connect to it, which is more secure than FTP and is highly recommended. Use gcloud compute config-ssh to generate an SFTP/SSH key pair. For more information, visit the Setting up secure FTP on Google Compute Engine article.

Getting Mysql2::Error (SSL connection error: ASN: bad other signature confirmation) on Heroku App with AWS RDS

Mysql2::Error (SSL connection error: ASN: bad other signature confirmation):
I am making an administration site. The environment is Rails 4.2 and Ruby 2.2, connecting AWS RDS with Heroku server.
I don't know why I am getting this error. It suddenly appeared. I can't find any errors other than this. Although I passed my codes two days ago, I got this error this time. (I haven't touched this code during those two days.)
How can I solve this problem?
For me, this had to do with the RDS SSL Certificate Rotation that happened on April 3rd, 2015.
However, in my case, just using the root certificate did not work, and I had to use an intermediate certificate for my region as well. Details:
Go into the AWS rds console and reboot your RDS instance.
Download the new root certificate https://s3.amazonaws.com/rds-downloads/rds-ca-2015-root.pem. Put it into the config directory of your app.
Download the intermediate certificate for your database region here. I had to use the US east one, but you will have to pick the one for your region.
This is the key step. You need to combine the intermediate certificate and the root certificate into one file so that the intermediate certificate is above the root certificate, forming a certificate chain. Open the intermediate certificate using a text editor, copy its contents, and paste them into config/rds-ca-2015-root.pem, on top, above the root certificate. So, after you are done, config/rds-ca-2015-root.pem should be the intermediate certificate followed by the root certificate, all in this file.
Get your current database URL:
heroku config
and then look for the DATABASE_URL property.
Update your database URL to use the new certificate file. All you should have to change is the name of the certificate (since it's now called rds-ca-2015-root.pem):
heroku config:add DATABASE_URL="mysql2://DB_NAME:DB_PASSWORD@DB_URL/DB_NAME?sslca=config/rds-ca-2015-root.pem"
Commit the changes and redeploy to Heroku.
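Why the combined file matters, as an added example that is not part of the original answer: a constructed root, intermediate and server certificate (hypothetical names standing in for the RDS ones) show that a CA file holding only the root cannot validate a server certificate issued by the intermediate, while the intermediate-plus-root bundle can. It assumes the server presents only its own certificate and that the openssl CLI is installed.

```shell
#!/bin/sh
# Added example: throwaway root -> intermediate -> server certificates (constructed;
# they stand in for the RDS root, regional intermediate and instance certificate).
set -eu

build_demo_chain() {   # $1 = empty working directory
  d=$1
  printf '[req]\ndistinguished_name=dn\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/ca.cnf"
  # Self-signed root CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/ca.cnf" -extensions v3_ca \
    -subj "/CN=Demo Root CA" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  # Intermediate CA, signed by the root
  openssl req -newkey rsa:2048 -nodes -config "$d/ca.cnf" -subj "/CN=Demo Region CA" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -days 2 -extfile "$d/ca.cnf" -extensions v3_ca -out "$d/int.pem" 2>/dev/null
  # Server certificate, signed by the intermediate
  openssl req -newkey rsa:2048 -nodes -config "$d/ca.cnf" -subj "/CN=db.example.test" \
    -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
  openssl x509 -req -in "$d/srv.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
    -days 2 -out "$d/srv.pem" 2>/dev/null
}

# Intermediate first, root second: the order the answer describes.
make_bundle() { cat "$1" "$2" > "$3"; }

# Exit status 0 if the server certificate validates using only the CAs in file $1.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Number of certificates in a PEM file, and the subject of the first one in it.
cert_count()    { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }
first_subject() { openssl x509 -in "$1" -noout -subject; }

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
build_demo_chain "$work"
make_bundle "$work/int.pem" "$work/root.pem" "$work/bundle.pem"

# Try each candidate sslca file against the same server certificate.
for ca in root.pem bundle.pem; do
  if chain_ok "$work/$ca" "$work/srv.pem"; then r="verifies"; else r="does NOT verify"; fi
  echo "sslca=$ca ($(cert_count "$work/$ca") cert(s)): server certificate $r"
done
echo "first certificate in bundle: $(first_subject "$work/bundle.pem")"
```

The same chain_ok, cert_count and first_subject checks can be pointed at a real sslca file and a server certificate saved to disk before redeploying.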
Four years later (2019) and AWS are rotating CA certs again, as expected.
RDS users are recommended to switch from the 2015 cert to the 2019 cert by 2019-11-01, and "no later than" 2020-02-05. The 2015 certificates expire on 2020-03-05.
I used the following procedure, based on RDS' Rotating Your SSL/TLS Certificate guide.
Schedule downtime
Download new certificates, save in config
Only the root cert is needed: rds-ca-2019-root.pem
The instructions mention a 2015+2019 bundle, but I couldn't find it. This file is 2019 only.
Region-specific intermediate certs are not needed
Commit, but don't deploy yet
heroku maintenance:on
In RDS web console, modify server
In the Network & Security section, choose rds-ca-2019
Apply changes immediately
Scale dynos down to 0
heroku config:set DATABASE_URL="mysql2://myuser:mypassword@myhost.rds.amazonaws.com/mydb?sslca=config/rds-ca-2019-root.pem"
Deploy
Scale dynos up, watch logs
heroku maintenance:off
There are many reasonable variations on this procedure; this is just what worked for me.