tldr: I get the following error with a client/server setup with ssl:
Specifically: ssl configuration error: UseCertificateChainFile: SSL errors: PEM routines:PEM_read_bio:no start line SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib
The details:
I am hosting something similar to a mysql server on ec2 (specifically mongosqld)
I need to connect to it via ssl, so I create certs using openssl on the machine using this set of instructions provided by mysql: https://dev.mysql.com/doc/refman/5.7/en/creating-ssl-files-using-openssl.html
I run the server with the following command
mongosqld --schema=schema.drdl \
--addr=0.0.0.0:3307 \
--auth \
--sslMode=allowSSL \
--sslCAFile=ca.pem \
--sslPEMKeyFile=server-key.pem
And on my machine, I attach to the server like so:
mysql --protocol tcp \
--host my.host.on.amazon.com --port 3307 \
--enable-cleartext-plugin \
--ssl-cert mongosqlcerts/client-cert.pem
--ssl-key mongosqlcerts/client-key.pem
--ssl-ca mongosqlcerts/ca.pem
On the client side I get the following error:
SSL connection error: error:00000001:lib(0):func(0):reason(1)
On the server logs, a bit more helpful:
mongosqld starting: version=v2.3.1 pid=11461 host=ip-xx-xx-xx-xx
I CONTROL [initandlisten] git version: fa3535342a4c5abe36e3cc28a2ecf72864dfc6fe
I CONTROL [initandlisten] OpenSSL version: OpenSSL 1.0.1e 11 Feb 2013
I CONTROL [initandlisten] options: {schema: {path: "schema.drdl"}, net: {bindIp: [0.0.0.0], ssl: {mode: "allowSSL", PEMKeyFile: "server-key.pem", CAFile: "ca.pem"}}, security: {enabled: true}}
I NETWORK [initandlisten] waiting for connections at [::]:3307
I NETWORK [initandlisten] waiting for connections at /tmp/mysql.sock
I NETWORK [conn1] connection accepted from 108.20.XXX.XXX:63353 #1 (1 connection now open)
E NETWORK [conn1] handshake error: ERROR 1043 (08S01): recv handshake response error: ERROR 1043 (08S01): ssl configuration error: UseCertificateChainFile: SSL errors: PEM routines:PEM_read_bio:no start line
SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib
2017-12-01T22:24:50.394+0000 I NETWORK [conn1] end connection 108.20.XXX.XXX:63353 (0 connections now open)
Specifically: ssl configuration error: UseCertificateChainFile: SSL errors: PEM routines:PEM_read_bio:no start line
SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib
Can anyone help me parse that error.
Thanks friends!
I got it!
so for the sslPEMKeyFile argument in mongosqld as stated in the docs you need to
Specifies the .pem file containing both the TLS/SSL certificate and key for MySQL clients. Specify the file name of the .pem file using relative or absolute paths.
So when I used openssl to create ca, server-cert and key files, I needed to create a new file that combined the private-key and the server-cert
so I created a new file called combined.pem with the following text in it:
-----BEGIN RSA PRIVATE KEY-----
(Your Private Key: your_domain_name.key)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: your_domain_name.crt)
-----END CERTIFICATE-----
and started the server with that and it worked!!!
Related
I am trying to connect to a MySQL RDS instance in AWS with Apache NiFi on Linux Ubuntu.
The MySQL database is behind a SSH tunnel which is working in a dedicated terminal. The MySQL database is accessible through another Linux terminal.
$ ssh -i /home/bernardo/.ssh/sshbernardo3.pem -N \
-L 33061:<db_name>.<id>.eu-west-1.rds.amazonaws.com:3306 \
<user>#<ip_address> -p <port>
I have uploaded and unzipped the JDBC driver from https://downloads.mysql.com/archives/c-j/
The file java.sql.Driver is located in the directory /usr/share/java/META-INF/services in Linux
I have installed the jdbc connector in Linux and set up the user to use JDBC
$ sudo apt-get install libmysql-java
$ cd /home/bernardo
$ gedit .bashrc
Added the following lines at the end of the file:
# Setting up the user to use JDBC
CLASSPATH=$CLASSPATH:/usr/share/java/mysql-connector-java-8.0.26.jar
export CLASSPATH
Then source it:
$ source .bashrc
In NiFi I have used a DBCPConnectionPool1.15.2 controller service which is configured as follows:
• Database Connection URL: jbdc:mysql://127.0.0.1:33061/<db_name>
• Database Driver Class Name: java.sql.Driver
• Database Driver Location: /usr/share/java/META-INF/services
• Database User: <db_user>
• Password: <db_password>
When enabling the controller service, I get the following error:
StandardControllerServiceNode[service=DBCPConnectionPool[id=2440f624-017e-1000-9467-8bb12dda6ca6],
name=<controller_service_name>, active=true] Failed to invoke
#OnEnabled method due to java.lang.NoSuchMethodException:
java.sql.Driver.() causes: java.lang.InstantiationException:
java.sql.Driver causes:
org.apache.nifi.processor.exception.ProcessException: Creating driver
instance is failed: Creating driver instance is failed
Any hint?
This is the SW I have installed:
Linux Ubuntu 18.04.6 in VirtualBox 6.1 on top of Windows 10 Pro
openjdk version "11.0.13" 2021-10-19
javac 11.0.13
nifi-1.15.2
Thanks,
Bernardo
EDITED on 2022 January 6 08:50 UTC
I have made the following changes to the DBCPConnectionPool1.15.2 controller service configuration:
• Database Driver Class Name: com.mysql.cj.jdbc.Driver
• Database Driver Location: /usr/share/java/mysql-connector-java-8.0.26.jar
The other parameters are not changed:
• Database Connection URL: jbdc:mysql://127.0.0.1:33061/<db_name>
• Database User: <db_user>
• Password: <db_password>
The file mysql-connector-java-8.0.26.jar is in /usr/share/java
Also:
$ cat /usr/share/java/META-INF/services/java.sql.Driver
com.mysql.cj.jdbc.Driver
And:
$ netstat -nplt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:33061 0.0.0.0:* LISTEN 4873/ssh
tcp6 0 0 ::1:33061 :::* LISTEN 4873/ssh
Still I get an error (a new error this time):
causes: org.apache.nifi.processor.exception.ProcessException: No suitable driver for the given Database Connection URL
Permissions to access the driver jar file:
bernardo#BDi-laptop:/usr/share/java$ ls -l
-rwxrwxr-- 1 bernardo bernardo 2462344 gen 4 19:01 mysql-connector-java-8.0.26.jar
EDITED on 2022 January 6 10:21 UTC
Added the CLASSPATH variable also in /etc/environment
bernardo#BDi-laptop:/usr/share/java$ echo $CLASSPATH
.:/usr/share/java/mysql-connector-java-8.0.26.jar:/usr/share/java/mysql-connector-java-8.0.26.jar
EDITED on 2022 January 7 09:08 UTC
I thought it could be an issue related to the driver version so I re-installed the jdbc driver. I have cleaned /home/bernardo/Download and /usr/share/java from the old sql related files. Then I have done the installation again.
Install the jdbc connector
$ sudo apt-get install libmysql-java
The .jar file is in /usr/share/java/mysql-connector-java-5.1.45.jar
Unpack the .jar file
$ sudo jar xvf /usr/share/java/mysql-connector-java-5.1.45.jar
To find the driver class name, open /usr/share/java/META-INF/services/java.sql.Driver
$ cat /usr/share/java/META-INF/services/java.sql.Driver
com.mysql.jdbc.Driver
com.mysql.fabric.jdbc.FabricMySQLDriver
The driver class name is: com.mysql.jdbc.Driver
This is the updated configuration in the DBCPConnectionPool1.15.2 controller service in Apache Ni-Fi:
• Database Driver Class Name: com.mysql.jdbc.Driver
• Database Driver Location: /usr/share/java/mysql-connector-java-5.1.45.jar
• Database Connection URL: jbdc:mysql://127.0.0.1:33061/<db_name>
• Database User: <db_user>
• Password: <db_password>
I have obtained the same result:
causes: org.apache.nifi.processor.exception.ProcessException: No suitable driver for the given Database Connection URL
Then I checked if the problem was in the SSH tunnel.
$ netstat -nplt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:33061 0.0.0.0:* LISTEN 4497/ssh
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp6 0 0 ::1:33061 :::* LISTEN 4497/ssh
$ cat /proc/4497/status
Name: ssh
State: S (sleeping)
The SSH process is in sleeping state.
In a separate terminal I accessed the remote MySQL database:
$ mysql -u <db_user> -p -h 127.0.0.1 -P 33061
Finally, I tried to connect to my local mysql database in my local Linux instance by using the following Ni-Fi settings:
• Database Driver Class Name: com.mysql.jdbc.Driver
• Database Driver Location: /usr/share/java/mysql-connector-java-5.1.45.jar
• Database Connection URL: jbdc:mysql://127.0.0.1:3306/<local_db_name>
• Database User: <local_db_user>
• Password: <local_db_password>
I have obtained the same result:
causes: org.apache.nifi.processor.exception.ProcessException: No suitable driver for the given Database Connection URL
Still, in a separate Linux terminal I am able to access the local mysql database:
$ mysql -u <local_db_user> -p -h 127.0.0.1 -P 3306
EDITED on 2022 January 10 11:58 UTC
Corrected a typo in Ni-Fi controller service configuration:
• Database Connection URL: jdbc:mysql://127.0.0.1:33061/<db_name>
Controller service problem solved!
Thanks!
EDITED on 2022 January 12 08:26 UTC
I am still getting connectivity problems. I managed to enable the controller service but, when I run the processor QueryDatabaseTable, I get the following error: Cannot create PoolableConnectionFactory - Communications link failure
QueryDatabaseTable[id=017e1003-c2d8-14cf-4e34-feee76411595] Unable to execute SQL select query SELECT * FROM periodic_measurements_test due to java.sql.SQLException: Cannot create PoolableConnectionFactory (Communications link failure
The last packet successfully received from the server was 0 milliseconds ago. The last packet sent successfully to the server was 0 milliseconds ago.): javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
↳ causes: com.mysql.jdbc.exceptions.jdbc4.CommunicationsException: Communications link failure
The last packet successfully received from the server was 0 milliseconds ago. The last packet sent successfully to the server was 0 milliseconds ago.
↳ causes: java.sql.SQLException: Cannot create PoolableConnectionFactory (Communications link failure
The last packet successfully received from the server was 0 milliseconds ago. The last packet sent successfully to the server was 0 milliseconds ago.)
↳ causes: org.apache.nifi.processor.exception.ProcessException: java.sql.SQLException: Cannot create PoolableConnectionFactory (Communications link failure
The last packet successfully received from the server was 0 milliseconds ago. The last packet sent successfully to the server was 0 milliseconds ago.)
The processor configuration is default except for:
• Database Connection Pooling Service: < DBCPConnectionPool controller service name >
• Database Type: MySQL
• Table Name: periodic_measurements_test
The controller service configuration is still:
• Database Connection URL: jdbc:mysql://127.0.0.1:33061/<db_name>
• Database Driver Class Name: com.mysql.jdbc.Driver
• Database Driver Location: /usr/share/java/mysql-connector-java-5.1.45.jar
• Database User: <db_user>
• Password: <db_password>
The SSH tunnel seems to be fine:
netstat -nplt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:33061 0.0.0.0:* LISTEN 29483/ssh
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8443 0.0.0.0:* LISTEN -
And in Linux terminal I can still access the MySQL database thorough CLI:
$ mysql -u <db_user> -p -h 127.0.0.1 -P 33061
And I get the same result when I try to fetch data from the MySQL database in my local Linux instance.
Finally, I managed to fix the issue. It was related to the version of the jdbc driver.
I did the following:
In Linux browser go to https://dev.mysql.com/downloads/connector/j/
Select
• Ubuntu Linux
• 18.04
Download
In a CLI terminal go to the Downloads directory
$ cd /home/bernardo/Downloads
Unpack the deb file
$ sudo dpkg -i mysql-connector-java_8.0.26-1ubuntu18.04_all.deb
Check where is the connector location in the file system
$ dpkg -L mysql-connector-java | fgrep jar
/usr/share/java/mysql-connector-java-8.0.26.jar
Clean /usr/share/java from the previous jdbc driver
$ sudo rm mysql-connector-java-5.1.45.jar
$ sudo rm -r com
$ sudo rm -r META-INF/
Install the connector: unpack the .jar file
$ sudo jar xvf /usr/share/java/mysql-connector-java-8.0.26.jar
To find the driver class name, open /usr/share/java/META-INF/services/java.sql.Driver
$ cat /usr/share/java/META-INF/services/java.sql.Driver
com.mysql.cj.jdbc.Driver
The driver class name is: com.mysql.jdbc.Driver
Restart Apache Ni-Fi
Modify the configuration of the controller service with:
• Database Driver Class Name: com.mysql.cj.jdbc.Driver
• Database Driver Location: /usr/share/java/mysql-connector-java-8.0.26.jar
I am working on old project where ejabberd is used. In laravel env file this information is written
JABBER_SERVER=localhost
JABBER_ENV=dev
RPC_SERVER= http://xx.xx.xx.xxx:4560/RPC2
JABBER_HOST=localhost
when i try to find the ejabberd service on my ubuntu server i couldn't.I don't have any idea how i can find ejabberd information because i am getting an error.
2019-12-26 07:54:27.338 [info] <0.23787.5>#ejabberd_c2s:process_terminated:264 (tcp|<0.23786.5>) Closing c2s session for prod6067#localhost/121590970668513998469410: Connection failed: connection closed
2019-12-26 07:54:30.577 [info] <0.339.0>#ejabberd_listener:accept:300 (<0.23789.5>) Accepted connection 115.186.58.62:58101 -> 172.31.42.93:5222
2019-12-26 07:54:31.390 [info] <0.23790.5>#ejabberd_c2s:handle_auth_success:423 (tcp|<0.23789.5>) Accepted c2s SCRAM-SHA-1 authentication for prod6067#localhost by mnesia backend from
2019-12-26 07:54:32.166 [info] <0.23790.5>#ejabberd_c2s:bind:394 (tcp|<0.23789.5>) Opened c2s session for prod6067#localhost/151108589900049164879426
If you can run the ejabberdctl shell script, then it will show many information about where ejabberd is installed:
$ ejabberdctl
...
Optional parameters when starting an ejabberd node:
--config-dir dir Config ejabberd: /etc/ejabberd
--config file Config ejabberd: /etc/ejabberd/ejabberd.yml
--ctl-config file Config ejabberdctl: /etc/ejabberd/ejabberdctl.cfg
--logs dir Directory for logs: /usr/local/var/log/ejabberd
--spool dir Database spool dir: /usr/local/var/lib/ejabberd
--node nodename ejabberd node name: ejabberd#localhost
I am getting the error message
error: operation failed: Failed to connect to remote libvirt URI qemu+ssh://mytargethostname.mydomain.com/system: Cannot recv data: Host key verification failed.: Connection reset by peer
when I try to run the kvm migration command like this
virsh migrate --verbose --live --p2p --tunnelled hosttomigrate qemu+ssh://mytargethostname.mydomain.com/system
I can successfully view the running vms on the target host when I run
virsh -c qemu+ssh://mytargethostname.mydomain.com/system list --all
Is there some special configuration that I may need for kvm ?
I am trying to connect dovecot on 993 port but dovecot shows below error;
dovecot: imap-login: Disconnected (no auth attempts in 60 secs): user=<>, rip=192.***.***.***, lip=192.***.***.***, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=<3k6jgTwVLwDAqL+E>
squirrelmail config;
$imap_auth_mech = 'login';
$use_imap_tls = 1;
$imapServerAddress = 'dovecot.server';
$imapPort = 993;
When I try to telnet and openssl on squirrelmail server;
[root#aa ~]# telnet dovecot.server 993
Trying 192.***.***.***...
Connected to dovecot.server.
Escape character is '^]'.
[root#aa ~]# openssl s_client -connect dovecot.server:993
...
...
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
Note: 143 port works fine by the way.
Check your PHP error log for things like this:
PHP Warning: fsockopen(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed ..
PHP Warning: fsockopen(): Failed to enable crypto ..
PHP Warning: fsockopen(): unable to connect to tls://dovecot.server:993 (Unknown error) ..
If that's the case, the openssl library isn't able to verify your server's cert. It's easily fixed by adding the certificate for the connection to your local cert stash. You can find out where that is with <PRE><?php var_dump(openssl_get_cert_locations()); ?> </pre> and looking at the ini_cafile setting.
You can get your server's cert with this command:
openssl x509 -in <(openssl s_client -connect dovecot.server:993 -prexit 2>/dev/null) > /tmp/cacert.pem
Add it to the cert file, and you should be going.
One caveat: the certificate CN MUST match the hostname that you're using to connect to the server! If it's self-signed, make sure it's using dovecot.server as the CN.
I'm trying to connect to my vagrant MySQL server using MySQL workbench. It shows some error as shown in the image.
The workbench error log is pasted below.
17:34:50 [INF][ SSH tunnel]: Existing SSH tunnel not found, opening new one
17:34:50 [INF][ SSH tunnel]: Opening SSH tunnel to 127.0.0.1:2222
17:34:50 [ERR][ sshtunnel.py]: Traceback (most recent call last):
File "/usr/share/mysql-workbench/sshtunnel.py", line 231, in _connect_ssh
look_for_keys=has_key, allow_agent=has_key)
File "/usr/lib/python2.7/dist-packages/paramiko/client.py", line 337, in connect
self._auth(username, password, pkey, key_filenames, allow_agent, look_for_keys)
File "/usr/lib/python2.7/dist-packages/paramiko/client.py", line 528, in _auth
raise saved_exception
AuthenticationException: Authentication failed.
17:34:50 [ERR][ SSH tunnel]: Authentication error opening SSH tunnel: Authentication error. Please check that your username and password are correct and try again.
vagrant up command output is pasted below
==> default: Clearing any previously set network interfaces...
==> default: Preparing network interfaces based on configuration...
default: Adapter 1: nat
default: Adapter 2: hostonly
==> default: Forwarding ports...
default: 22 => 6216 (adapter 1)
default: 22 => 2222 (adapter 1)
==> default: Running 'pre-boot' VM customizations...
==> default: Booting VM...
==> default: Waiting for machine to boot. This may take a few minutes...
default: SSH address: 127.0.0.1:2222
default: SSH username: vagrant
default: SSH auth method: private key
default: Warning: Connection timeout. Retrying...
==> default: Machine booted and ready!
==> default: Checking for guest additions in VM...
==> default: Configuring and enabling network interfaces...
The command vagrant ssh works fine in terminal. What am I doing wrong here?
If you run vagrant ssh-config it will show which key it is using. It does not normally use the .vagrant.d/insecure_private_key but a key in the project directory like .vagrant/machines/default/virtualbox/private_key.
If you specify that key in the MySQL connection panel you should be able to logon without having to add another key to the vm.
Regarding error you mention in comments:
When using ssh you don't specify port like this
ssh 127.0.0.1:2222
You must use option -p
ssh 127.0.0.1 -p 2222
After some googling, I got it working by adding my ssh public key to vagrant authorized_keys file. Steps Below.
generate ssh keys for your machine
copy your public key from /home/{username}/.ssh/id_rsa.pub file
open vagrant ssh in termial
use some editor to edit /home/vagrant/.ssh/authorized_keys(eg: nano /home/vagrant/.ssh/authorized_keys)
paste your public key to the end of that file and save
done!