I set up a new MySQL instance on AWS RDS (Aurora). I added a user that requires SSL, and downloaded the combined ca bundle as described here and here: SSL Connection error, and I can connect via command line and confirm that the user is securely connected. I also turned off the SSL requirement for the user temporarily and was able to connect with MySQL Workbench with SSL turned off.
The problem is that both MySQL Workbench and my Rails app expect three separate files: SSL CA, SSL Cert, and SSL Key.
I'm sure there has to be an easy solution to it, but much Googling is not finding the answer, including this unanswered one on the AWS forums. I appreciate the help.
You don't need any other files. When it comes to the MySQL Workbench you need to provide "SSL CA File" and "Use SSL" ("Require" or "Require and Verify CA").
After that you can verify your connection by using the following command:
SHOW SESSION STATUS LIKE 'Ssl_cipher';
Related
I'm having issues connecting Domo to a MySQL database hosted with AWS RDS. Whenever I try to authenticate I get this error:
"Failed to authenticate. Verify the credentials and try again. Domo is ready, but the credentials you entered are invalid. Verify your account credentials and try again. Error setting up SQL connection. Could not create connection to database server. Attempted reconnect 3 times. Giving up."
Its not security group settings. Someone suggested on this post:
https://dojo.domo.com/t5/Data-Sources-and-Connectors/MySQL-connector-issues/td-p/15462
that I should enable SSL in AWS database but I'm not sure how to do that.
I'll assume you're using the MySQL connector, not the MySQL SSH connector.
It sounds like you need to whitelist Domo's IP addresses within your AWS RDS's security groups.
Aside from that, make sure you're populating the credentials in Domo with the right pieces of information. Hostname should be the server's public IP address.
This connector follows the same general process as described in AWS's documentation here, with the exception that steps 5 and 6 are optional since SSH is not required for this connector.
I tried to use AWS DMS to migrate MySQL innodb cluster on another cloud provide to AWS. I uploaded self signed CA.pem generated by MySQL it doesn't work.
AWSDatabaseMigrationService: CA Certificate validation error
DMS SSL mode doesn't have required option for MySQL. So I am stuck...
I am wondering what should I do in this case. There are two solutions I've thought of.
replace the CA and all server certificate so DMS can work with it. Not sure if there's any potential risk for this.
spin up another EC2 replication instance by myself. Then RDS can replicate the EC2 instance. (The reason I am not able to use auto positioning in RDS is none of the cluster node has all the binary log)
Most of the thread in AWS forum is not answered. I feel it's better to ask here.
Any suggestion or idea would be good. Thanks.
So I eventually went with the option #1, and it works.
One biggest problem I encountered was after importing our CA and server certificate to MySQL it can't be connect with --ssl-ca specified. However with only --ssl it is fine.
In MySQLWorkbench SSL connection error: error:00000001:lib(0):func(0):reason(1) error message was totally useless. On DMS it said Error 2026 (SSL connection error: unable to get issuer certificate) connecting to MySQL server.
It turns out the problem was on OSX and DMS it doesn't trust AddTrust External CA Root or it doesn't have that root certificate in their keystore. So I had to manually add the root certificate into CA bundle file.
To make it more concrete here's the chain.
company certificate -> COMODO RSA Domain Validation Secure Server CA -> COMODO RSA Certification Authority (which is NOT the root certificate in OSX Keychain) -> AddTrust External CA Root
I don't know why OSX & DMS couldn't verify the root certificate by default. It took me two days to figure out the problem. Hopefully this information will be helpful to others having trouble with COMODO issued certificate.
UPDATE (2018/11/07):
DMS turned out will have missing record or unmatched record if it only migrate data to the existing schema. I have turned off foreign key check but the situation still exists.
I ended up went to #2 route.
I located the /etc/mysql/my.cnf file
I changed the bind-address
first to 0.0.0.0 I received a '111 Connection refused'
then I changed it to the instance I am trying to connect to It still says '111 Connection refused'
the firewall rule allows connection on port 3306 using internal ip so I dont know the problem. Thanks
It seems that you have already taken the necessary steps to connect to MySQL server from GCE your instance. Based on the Stackoverflow case here the recommendation to resolve this problem is to comment this line below (add # at the beginning of the line) in your my.cnf file:
skip-networking
Once done you need to restart MySQL service
sudo service mysql restart
On the GCP side, if you have allowed the IP ranges you want to use with the specified port(3306), it should work fine.
You can also use “nmap” command to verify if port 3306 is open on your GCE instance with MySQL installed.
GCP provides CloudSQL which is a managed MySQL instance. You can access CloudSQL from your GCE VM using private address. This feature reached beta recently. This link provides detailed information about using private IP to connect to your Cloud SQL instances.
Before configuring a Cloud SQL instance to use private IP, you need some steps to be taken. This document provides step by step instructions for configuring an instance to use private IP.
You can use 'netstat -tunlp | grep 3306' command to verify that the MYSQL process is running on port 3306.
This error can also occur when mysql user account does not accept connections from any IP addresses. It may still use localhost parameter to connect to the server. I would recommend adding a user with remote access or granting existing user access to remote sources. You can see this: link for the similar issue and follow the steps recommended there to resolve.
I'm seeking to clear some information up for myself involving remote SSL connections to MYSQL. Particularly, once I have MYSQL setup to enable SSL and have a remote user that requires SSL.
This is how I connect (commandline), remotely, to MYSQL with a user that requires SSL:
mysql -uMyUserName -p -h192.168.5.5 --ssl-ca /path/to/ca.pem
My question is: Why do I have to provide the ca.pem file as the client?
These are the steps I took to install mysql on the server and setup remote access (Ubuntu):
Steps to Enable SSL for MYSQL
1) Obtain my Certificate Authority cert, Database cert, Database key
ca.pem (Certificate Authority cert)
dbcert.pem (Database cert)
dbkey.pem (Databse key)
2) Add the following lines to /etc/mysql/my.cnf under [mysqld]
ssl-ca=/path/to/ca.pem
ssl-cert=/path/to/dbcert.pem
ssl-key=/path/to/dbkey.pem
3) Restart mysql and confirm ssl enabled by logging in and typing following:
show variables like '%ssl%';
Configure Remote Connection Requiring SSL
1) Comment out the following lines in /etc/mysql/my.cnf
#bind-address
#skip-networking
2) Login to mysql and grant a user access to, in this case, every database
GRANT ALL PRIVILEGES ON . to 'USERNAME'#'%' IDENTIFIED BY 'PASSWORD' REQUIRE SSL
At this point, I have MYSQL setup to enable SSL && I have a remote user that will require SSL to login. I am able to login on a remote commandline, but i need to specify the --ssl-ca.
Why do I have to provide the ssl-ca from client? Is there a way to do this so that I don't have to?
I would really appreciate some insight here.
Thanks in advance.
Unlike your typical web browser, a commandline tool like mysql doesn't have a built-in list of certificate authorities. Browsers come with a built in list of certification authorities, and you implicitly trust them (whether you know it or not).
When you use mysql to log in to a MySQL server supporting encryption, that server will present you the public part of a certificate. To complete the secure handshake, your client needs to verify the server certificate is signed by a trusted certificate authority. Otherwise, it will have to say "hey, this looks like a well-formed certificate, but I never heard of the ca signing it."
For Hibernate / JDBC / TLS, a little bit of search-engine work turns up some useful suggestions. It's all about setting the right properties in your config.
http://razorsql.com/articles/mysql_ssl_jdbc.html
How can I configure Hibernate to use SSL to talk to the DB server?
I have an issue using MySQL on PHP 5.6, and after three days of debugging PHP, OpenSSL, MySQLnd Drivers on PHP and trying out the mysql_client on an Ubuntu 14.04 machine, I have come to a conclusion: Google Cloud SQL SSL certificates will not work on PHP 5.6 and above.
For a start, the Google Cloud is a great service, and modern cryptography is enforced throughout the Google ecosystem. However, I couldn't use it because of one little problem: Google Cloud SQL SSL Server certificates have impossible common names.
Google Cloud SQL Server (or peer) certificates have a Common Name (CN) that looks something like:
CN=project-name:instance-id
To make matters worse, starting from PHP 5.6, all encrypted client streams will go through mandatory peer certificate validation. (Link: OpenSSL changes in PHP 5.6.x). I use the PHP Data Objects (PDO) extension, which uses the native driver MySQLnd to handle all the MySQL business. This uses the native PHP streams to handle those connections.
I have been looking through the MySQLnd source code on PHP (Link: MYSQLnd Driver Code on GitHub), MySQLnd configuration options to try and disable the SSL peer verification code on this particular MySQLND. To no avail.
Therefore, what should I do if I need to use SSL for MySQL connections on PHP 5.6?
Your response is greatly appreciated!
Try connecting through the proxy if you have second generation sql, you might be able to connect pdo via the proxy with 127.0.0.1: https://cloud.google.com/sql/docs/compute-engine-access#gce-connect-proxy
Assuming you can convince MySQL that the hostname is should verify is in fact project-name:instance-id then I would have thought the hostname validation ought to succeed (though I agree that cert doesn't look great).
I tried the following from my Mac OS X workstation and it appeared to succeed, at least when using the mysql binary (I didn't try via PHP).
First I added a hosts entry on my machine included the colon as part of the name:
1.2.3.4 project-name:instance-id
After doing so I was able to connect successfully with the mysql (5.6.32) installed on my machine:
mysql -uroot -h "project-name:instance-id" --password \
--ssl \
--ssl-ca ~/Downloads/server-ca.pem \
--ssl-cert ~/Downloads/client-cert.pem \
--ssl-key ~/Downloads/client-key.pem \
--ssl-verify-server-cert
(When I ran that same command with the IP address instead, I received ERROR 2026 (HY000): SSL connection error: SSL certificate validation failure)