Slurmdbd and ssl - mysql

I am trying to setup slurm with a remote mariadb database for accounting on Azure, using a mariadb database as service.
If ssl is disabled slurmdbd is perfectly working, it is able to contact the database and append new jobs.
If I enable ssl on the database, I got this error:
slurmdbd: debug2: Attempting to connect to mariadb.database.azure.com:3306
slurmdbd: error: mysql_real_connect failed: 9002 SSL connection is required. Please specify SSL options and retry.
I am perfectly able to connect to the database using:
mysql --host=<host> --port=3306 --user=<user> --password=<password> --ssl --ssl-ca=./BaltimoreCyberTrustRoot.crt.pem
I tried to add:
[client]
ssl_ca = /etc/mysql/ssl/BaltimoreCyberTrustRoot.crt.pem
to /etc/my.cnf, in this way I am able to connect (with ssl enabled) using only:
mysql --host=<host> --port=3306 --user=<user> --password=<password>
but slurmdbd gives me the same error.
Basically, I am not able to find the proper location for slurmdbd to read the ssl_ca.
Any ideas?
Thanks

i dont believe slurm has the ability to talk to an SSL Encrypted MySQL/MariaDB Server. You would need to set up a local MySQL Proxy which redirects the queries to the SSL connected one.

Related

Set user to require SSL in mariaDB does not force connection to use certificate

My localhost is running MariaDB 10.6.7 on Win64.
I am trying to force SSL when connecting to MariaDB.
I test the connection using MySQL Workbench 8.0.
To enable the SSL, I did the following:
I generate self signed certificate, then in my.ini, I set the following:
[mysqld]
datadir=C:/xampp/MariaDB 10.6/data
port=3306
innodb_buffer_pool_size=1009M
ssl-ca=C:/xampp/xampp/certs/mysql/ca-cert.pem
ssl-cert=C:/xampp/xampp/certs/mysql/server-cert.pem
ssl-key=C:/xampp/xampp/certs/mysql/server-key.pem
[client]
port=3306
plugin-dir=C:/Program Files/MariaDB 10.6/lib/plugin
ssl-ca=C:/xampp/xampp/certs/mysql/ca-cert.pem
ssl-cert=C:/xampp/xampp/certs/mysql/client-cert.pem
ssl-key=C:/xampp/xampp/certs/mysql/client-key.pem
To force SSL, I set the user in MariaDB to require SSL.
Unfortunately, with this configuration, I can still connect to MySQL without using any certificate. How can I force MariaDB to force SSL or FAIL?
My second question, I have a suspicion that my configuration is actually for setting using Require X509. Is this the case? If yes, how can I set it up to just use Require SSL?
Last, having the certificate set in my.ini, prevent me from connecting to mysql via the regular way, that is: mysql -u root. I got the following error:
ERROR 2026 (HY000): SSL connection error: An unknown error occurred while processing
the certificate. Error 0x80090327(SEC_E_CERT_UNKNOWN).
I have tried to use the following command, mysql --ssl-ca=[directory]\client-cert.pem -u root, without success. I got the same error as above. Any idea?
If you have a reference page or any kind of insight, that would be appreciated.
Thanks.
When creating a user, you need to add the require parameter, which can be x509 or ssl.
take for example
create user itpuxs2#'%' identified by 'root' require x509;
create user itpuxs3#'%' identified by 'root' require ssl;
From my test in Win64, the ssl-ca, ssl-cert, ssl-key under [client] is not required for "Require SSL". This settings were also the reason why I could not login using "mysql -u root".
I use MySQL Workbench to test my connection to MariaDB. From my testing, even though I did not provide any certificate, as long as the server have certificate for SSL, then the connection would be encrypted (Require SSL). Having said that, I did try to provide a ca-cert.pem, but it did not work. From my research in google, it seems that this may due to the SSL Library used in MariaDB. The SSL library may be different for different distribution.
As for the X509, I was able to get it working in Linux. I did this once and was not doing further testing since I am working in windows at the moment.

How to simulate MySQL many connection errors

I recently had an issue with my production systems in which a MySQL server was blocking the application server, due to connection errors, and gave the following error:
Host 'xx.xx.xx.xx' is blocked because of many connection errors; unblock with 'mysqladmin flush-hosts'
I'd like to find a way to simulate this condition (or even trigger the actual condition on a non-production server), so I can respond to it properly. It's a pretty rare problem for my systems, but I'd still like to find a good way to respond to it.
You can avoid this problem by increase peer connections in mysql configurations
Logging to console/terminal with admin privileges
Flush all hosts using mysqladmin:
mysqladmin flush-hosts -u root -p
Open my.cnf (Linux) or my.ini (Windows) and change max_connect_error variable
max_connect_errors= 250000
Restart server with changes
To simulate error connection you can connect to MySQL server and then end connection before succesfull authentication. For example by netcat:
nc -i0.1 <hostname> 3306

Unable to connect to Google SQL over SSL

I created a fresh instance of google sql with mysql 5.7. I also had to create a client certificate as well as reset the root password to something known and secure.
If I disable "Only allow secure connections" and I log in from the cli then I can connect with the password.
mysql -uroot -p -h x.x.x.x
But, i like secure connections. So connecting via ssl (enabling ssl connections and using the downloaded certs) is unable to connect.
mysql -uroot -h x.x.x.x --ssl-ca=server-ca.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem
with this error
mysql: [ERROR] SSL error: Unable to get certificate from 'client-cert.pem'
ERROR 2026 (HY000): SSL connection error: Unable to get certificate
If I try and connect via ssl in mysql administrator, I get this error:
The certs were created by the google console and am trying to connect how the example command tells me to connect. So I cannot for the life of me figure out why I cannot connect.
It seems that when creating a client certificate, Google Cloud is putting the CRT inside the client-key.pem and the KEY inside the client-cert.pem.
Does it work if you try the following?
mysql -uroot -h x.x.x.x --ssl-ca=server-ca.pem --ssl-cert=client-key.pem --ssl-key=client-cert.pem

SSL connection error when trying to connect to mysql Aurora via the mysql CLI

I will preface by saying I can connect to the DB instance when I'm not trying to go over SSL.
I am following this guide here
http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Aurora.Connect.html
I have ensured the db instance is public facing.
The security group of the VPC has the following rules:
Type Protocol Port Range Source
MySQL/Aurora (3306) TCP (6) 3306 my_ip_address/32
MySQL/Aurora (3306) TCP (6) 3306 sg-security_group_name
Where the security_group_name is the security group for my EC2 cluster.
I am using the cluser endpoint of my aurora cluster. And I've removed the port. I installed mysql on my machine using homebrew. This is the command I am trying from my local machine (macbook):
mysql -h blah-database-cluster.cluster-dfgdgfd.us-east-1.rds.amazonaws.com --ssl-ca=rds-ssl-ca-cert.pem --ssl-verify-server-cert
Where rds-ssl-ca-cert.pem is the file I downloaded from here:
http://s3.amazonaws.com/rds-downloads/rds-ssl-ca-cert.pem
I get the error:
ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
I have tried creating a new instance, rebooting etc and no joy. Does my security group need some kind of https rule?
Edit:
Further clue. When I run mysql --ssl locally it doesn't error. But when I do mysql show_variables, it says SSL false and the have_ssl and have_open_ssl variables don't exist. Could this be the problem? I installed the local mysql via homebrew package manager for mac.
New edit:
I re-installed mysql (previously from brew) and now direct from oracle and when I try to connect it gives a different error - SSL connection error: ASN: bad other signature confirmation
At present the AWS Aurora documentation is linking to an out of date SSL certificate to use, hence the problem. This has been confirmed by the AWS support staff. Use this instead: https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem
Even when using that certificate, connecting to the cluster end-point over SSL still doesn't work for the command line using mysql -h connection. If I change from the cluster end-point to the instance end-point strangely it works.
Bizarrely, mysql workbench does connect over ssl, both to the instance end-point AND the cluster-end point.
Use mysql with --skip-ssl option if you not using SSL.If nothing helps upgrade your mysql client
From the docs it appears the restriction to the instance endpoint for SSL connections is a security constraint associated with the certificate.
Amazon RDS creates an SSL certificate and installs the certificate on the DB instance when Amazon RDS provisions the instance. These certificates are signed by a certificate authority. The SSL certificate includes the DB instance endpoint as the Common Name (CN) for the SSL certificate to guard against spoofing attacks. As a result, you cannot use the DB cluster endpoint to connect to the primary instance of the DB cluster using SSL.
FYI
please try using this key as well (from Amazon docs)
https://s3.amazonaws.com/rds-downloads/rds-ca-2015-root.pem
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html
For me I had to use:
mysql --ssl-mode=DISABLED -u [USER] -p[PASSWORD] -h [HOST] [DB]

Can't access MySQL through MySQL Workbench or HeidiSQL, but can access through shell

I don't know if this is a user error on my end, or if the remote server is configured incorrectly.
I was given some connection info for a server as follows:
Server IP
server username
keyfile
mysql user
mysql password
and I can shell in and run the "mysql" command with the mysql user and password I was given, but I can't setup a connection in either MySQL Workbench or in HeidiSQL.
In MySQL Workbench, the 'Standard TCP/IP over SSH' seemed to best fit the info I was given, but when I try to connect I get "Authentication error. Please check that your username and password are correct and try again." or "Authentication error opening SSH tunnel: Authentication error. Please check that your username and password are correct and try again." in the logfile.
In HeidiSQL the "MySQL (SSH tunnel)" seemed to best fit the info I was given, but when I try to connect there, I get "Lost connection to MySQL server at 'reading initial communication packet', system error:0"
I looked up both these errors and couldn't find anything for the first one, and the second one seemed to be more about server configuration. I'm not too savvy with server config, so I'm a bit stuck evaluating whether or not I'm doing something wrong on my end, or if something needs to be changed on the server. I'd appreciate some advice. Thanks!
You must be more specific about the credentials you got. Is "server IP" the IP address of the MySQL server or an SSH server? Is the "server username" the SSH user or something else (e.g. a regular user of the target machine)? In my tutorial video on Youtube I explained what you have to use where to create a connection, including SSH connections: https://www.youtube.com/watch?v=DCgRF4KOYIY
You have to check a couple configuration steps before you can perform a remote mysql connection:
First of all you must check that mysql default port(3306) is listening on the correct interface.
You can check this out using netstat command in the remote server:
# netstat -tulnp
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 1111/mysqld
http://www.cyberciti.biz/tips/how-do-i-enable-remote-access-to-mysql-database-server.html
Then you must check that the remote host is allowed to perform querys into mysql engine (you must check user and host permissions over your database).
Connect into terminal and run the following command in mysql prompt:
mysql> select user,host from mysql.user;
Check the following link to deep insight mysql user and hosts system:
https://dev.mysql.com/doc/refman/5.0/en/adding-users.html
Check user,host permissions over your database:
mysql> show grants for root#localhost;
https://dev.mysql.com/doc/refman/5.1/en/grant.html
You must check that remote host (client) exist for example: user#192.168.1.2
Finally if you are using putty to encrypt over ssh you connection please check that you rsa key fingerprint is added you can perform this just logging ssh using you putty client.