I've been banging my head for a few days on this and I'm really at the end of my rope...
I'm trying to set up SSL connections on MySQL 5.7.10 running on ubuntu 14.04 and no matter what I do, the user required to use SSL is always rejected with access denied when trying to connect.
I was able to set up SSL easily on Windows (our dev machines) but for the love of me cannot get it to work on Linux.
I tried to use the certificates provided when installing MySQL (located in the /var/lib/mysql directory). I also tried to generate new ones using this procedure. I even tried to import the certificates that I generated using MySQL Workbench on Windows (the ones that actually worked on windows) but nothing works.
When starting up MySQL, SSL seems to be okay, as I only get this in /var/log/mysql/err.log
2015-12-17T18:25:32.687582Z 0 [Warning] CA certificate /var/lib/mysql/ca.pem is self signed.
SSL is ON in MySQL
mysql> SHOW VARIABLES LIKE '%SSL%';
+---------------+--------------------------------+
| Variable_name | Value |
+---------------+--------------------------------+
| have_openssl | YES |
| have_ssl | YES |
| ssl_ca | /var/lib/mysql/ca.pem |
| ssl_capath | |
| ssl_cert | /var/lib/mysql/server-cert.pem |
| ssl_cipher | |
| ssl_crl | |
| ssl_crlpath | |
| ssl_key | /var/lib/mysql/server-key.pem |
+---------------+--------------------------------+
I've put the paths to the server and client certificates in the /etc/mysql/my.cnf
[client]
# SSL Settings
ssl-ca=/var/lib/mysql/ca.pem
ssl-cert=/var/lib/mysql/client-cert.pem
ssl-key=/var/lib/mysql/client-key.pem
[mysqld]
# SSL Settings
ssl-ca=/var/lib/mysql/ca.pem
ssl-cert=/var/lib/mysql/server-cert.pem
ssl-key=/var/lib/mysql/server-key.pem
I even tried to disabled appArmor for mysql in case that would do it, bot I alwas get the sema result when trying to connect a test user requiring ssl as such:
CREATE USER 'test'#'localhost' IDENTIFIED BY 'test';
GRANT USAGE ON *.* TO 'test'#'localhost' REQUIRE ssl;
FLUSH PRIVILEGES;
When trying to connect:
> /usr/bin$ mysql -u test -p
Enter password:
ERROR 1045 (28000): Access denied for user 'test'#'localhost' (using password: YES)
Same thing when manually specifying the client certificates:
> mysql --ssl-ca=/var/lib/mysql/ca.pem --ssl-cert=/var/lib/mysql/client-cert.pem --ssl-key=/var/lib/mysql/client-key.pem --host=localhost --user=test --password
Enter password:
ERROR 1045 (28000): Access denied for user 'test'#'localhost' (using password: YES)
Does anybody have any idea? I fail to see why a setuyp that works fine on windows would give me such grief on linux.
Is there a way to debug this further?
Thansk in advance
/Sebas
My test:
error.log:
[Warning] CA certificate ca.pem is self signed.
$ sudo mysql
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 11
Server version: 5.7.10 MySQL Community Server (GPL)
Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> SELECT VERSION(); -- MySQL Community Server
+-----------+
| VERSION() |
+-----------+
| 5.7.10 |
+-----------+
1 row in set (0.00 sec)
mysql> SHOW VARIABLES LIKE '%ssl%';
+---------------+-----------------+
| Variable_name | Value |
+---------------+-----------------+
| have_openssl | YES |
| have_ssl | YES |
| ssl_ca | ca.pem |
| ssl_capath | |
| ssl_cert | server-cert.pem |
| ssl_cipher | |
| ssl_crl | |
| ssl_crlpath | |
| ssl_key | server-key.pem |
+---------------+-----------------+
9 rows in set (0.00 sec)
mysql> CREATE USER 'test'#'localhost' IDENTIFIED BY 'test' REQUIRE SSL;
Query OK, 0 rows affected (0.00 sec)
mysql> exit
Bye
$ mysql -u test -p
Enter password:
ERROR 1045 (28000): Access denied for user 'test'#'localhost' (using password: YES)
$ mysql -u test -p --ssl
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 12
Server version: 5.7.10 MySQL Community Server (GPL)
Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
You are enforcing ssl conection via unix socket. Please consider
switching ssl off as it does not make connection via unix socket
any more secure.
mysql> SHOW SESSION STATUS LIKE '%Ssl_version%';
+---------------+---------+
| Variable_name | Value |
+---------------+---------+
| Ssl_version | TLSv1.1 |
+---------------+---------+
1 row in set (0.00 sec)
UPDATE: The test details.
mysqld.cnf:
[client]
...
# SSL Settings
ssl-ca=/var/lib/mysql/ca.pem
ssl-cert=/var/lib/mysql/client-cert.pem
ssl-key=/var/lib/mysql/client-key.pem
[mysqld]
...
# SSL Settings
ssl-ca=/var/lib/mysql/ca.pem
ssl-cert=/var/lib/mysql/server-cert.pem
ssl-key=/var/lib/mysql/server-key.pem
Yes, certificates are auto-generated by MySQL. See 6.3.13 Creating SSL and RSA Certificates and Keys. Check the security permissions to access the certificates.
error.log:
[Warning] CA certificate /var/lib/mysql/ca.pem is self signed.
$ sudo mysql
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 11
Server version: 5.7.10 MySQL Community Server (GPL)
Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> SELECT VERSION(); -- MySQL Community Server
+-----------+
| VERSION() |
+-----------+
| 5.7.10 |
+-----------+
1 row in set (0.00 sec)
mysql> SHOW VARIABLES LIKE '%ssl%';
+---------------+--------------------------------+
| Variable_name | Value |
+---------------+--------------------------------+
| have_openssl | YES |
| have_ssl | YES |
| ssl_ca | /var/lib/mysql/ca.pem |
| ssl_capath | |
| ssl_cert | /var/lib/mysql/server-cert.pem |
| ssl_cipher | |
| ssl_crl | |
| ssl_crlpath | |
| ssl_key | /var/lib/mysql/server-key.pem |
+---------------+--------------------------------+
9 rows in set (0,01 sec)
mysql> CREATE USER 'test'#'localhost' IDENTIFIED BY 'test' REQUIRE SSL;
Query OK, 0 rows affected (0.00 sec)
mysql> exit
Bye
$ mysql -u test -p
Enter password:
ERROR 1045 (28000): Access denied for user 'test'#'localhost' (using password: YES)
$ mysql -u test -p --ssl
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 12
Server version: 5.7.10 MySQL Community Server (GPL)
Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
You are enforcing ssl conection via unix socket. Please consider
switching ssl off as it does not make connection via unix socket
any more secure.
mysql> SHOW SESSION STATUS LIKE '%Ssl_version%';
+---------------+---------+
| Variable_name | Value |
+---------------+---------+
| Ssl_version | TLSv1.1 |
+---------------+---------+
1 row in set (0.00 sec)
Related
I can change the password of root#localhost user from auth_socket ==> mysql_native_password, but other users can not change to mysql_native_password;
mysql.session, mysql.sys, debian-sys-maint and phpmyadmin (when I installed phpmyadmin mysql said: ERROR 1819 (HY000) at line 1 error so I couldn't create a record in the database)
I want all users to be able to change mysql_native_password from chancing_sha2_password plugin because; if I can't change plugin methods; I can't use phpmyadmin or other 3 party app.
(mysql said:ERROR 1819(HY000) at line 1)
+------------------+-------------------------------------------+-----------------------+-----------+
| user | authentication_string | plugin | host |
+------------------+-------------------------------------------+-----------------------+-----------+
| root | *91EA82EFAD0677E20FDAEC7F11E15244530996F6 | mysql_native_password | localhost |
| mysql.session | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | caching_sha2_password | localhost |
| mysql.sys | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | caching_sha2_password | localhost |
| debian-sys-maint | *70B3E55DA437B329F2F1A90C66719B666CBF4B9E | caching_sha2_password | localhost |
+------------------+-------------------------------------------+-----------------------+-----------+
4 rows in set (0.00 sec)
i fixed!!!
firstly;install phpmyadmin and add to apache2 and login mysql password.
On the phpmyadmin screen, the mysql password will give an error, but accept the statement and complete the setup. Then type the following code in the mysql command window!
so far
ALTER USER 'phpmyadmin'#'localhost' IDENTIFIED WITH mysql_native_password BY 'TestPassword123*-';
I'm trying to use grafana with mysql. MySql is getting data from wordpres. I can connect to the MySql database with grafana but any attempt to query the database results in a permission error quoted below. Does anyone know what I'm doing wrong? I made sure to FLUSH PRIVILEGES; when creating this account.
What account is being used?
mysql> SELECT USER(),CURRENT_USER();
+-------------------+-------------------+
| USER() | CURRENT_USER() |
+-------------------+-------------------+
| grafana#localhost | grafana#localhost |
+-------------------+-------------------+
1 row in set (0.00 sec)
What permissions does the account have?
mysql> show grants for 'grafana'#'localhost';
+------------------------------------------------------------------------+
| Grants for grafana#localhost |
+------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'grafana'#'localhost' WITH GRANT OPTION |
+------------------------------------------------------------------------+
1 row in set (0.00 sec)
Can I select from a table? (Yes)
mysql> select * from wp_users;
+----+---------------+------------------------------------+---------------+---------------------------+----------+---------------------+-----------------------------------------------+-------------+---------------+
| ID | user_login | user_pass | user_nicename | user_email | user_url | user_registered | user_activation_key | user_status | display_name |
+----+---------------+------------------------------------+---------------+---------------------------+----------+---------------------+-----------------------------------------------+-------------+---------------+
| 1 | admin | ********************************** | admin | a.guy#place.com | | 2019-02-22 18:09:58 | | 0 | something |
+----+---------------+------------------------------------+---------------+---------------------------+----------+---------------------+-----------------------------------------------+-------------+---------------+
1 row in set (0.00 sec)
What is my mysql info?
mysql> status
--------------
mysql Ver 14.14 Distrib 5.7.25, for Linux (x86_64) using EditLine wrapper
Connection id: 42787
Current database: information_schema
Current user: root#localhost
SSL: Not in use
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 5.7.25-0ubuntu0.18.04.2 (Ubuntu)
Protocol version: 10
Connection: Localhost via UNIX socket
Server characterset: latin1
Db characterset: utf8
Client characterset: latin1
Conn. characterset: latin1
UNIX socket: /var/run/mysqld/mysqld.sock
Uptime: 43 days 2 hours 29 min 53 sec
Threads: 3 Questions: 3576291 Slow queries: 0 Opens: 1570 Flush tables: 1 Open tables: 692 Queries per second avg: 0.960
--------------
What query am a trying to run in grafana?
SELECT
user_registered,
user_login
FROM wp_users
I tried with with and without a trailing ; - no change.
What does grafana give back to me with this query?
Error 1142: SELECT command denied to user 'grafana'#'localhost' for table 'wp_users'
I realize that this account has too many permissions, but seeing as grafana thinks it doesn't have enough, for now I'm trying to get it to work with at least more than it needs.
After being stumped by this for a few hours, the notion of looking at logs was suggested to me. Since MySql doesn't have logs enabled by default, I changed the settings to enable the logs and restarted MySql. After doing this everything worked fine. It seems all I had to do was to restart the service.
The solution:
sudo service mysql restart
I am trying to load some data from MySQL to Grafana, but got the following error. Any idea what I missed? Thanks!
Its happends couse grafana don't maintain the new mysql authorization method named caching_sha2_password. Sinse mysql 8 its default setting.
To solve this problem you need just to create new user with mysql_native_password authentication plugin connector.
Step 1. Check the available users and its plugins.
MySQL [localhost+ ssl] SQL> select user, plugin from mysql.user;
+------------------+-----------------------+
| user | plugin |
+------------------+-----------------------+
| pi | caching_sha2_password |
| mysql.infoschema | caching_sha2_password |
| mysql.session | caching_sha2_password |
| mysql.sys | caching_sha2_password |
| root | caching_sha2_password |
+------------------+-----------------------+
6 rows in set (0.0011 sec)
All the users has caching_sha2_password authorization plugin.
Step 2. Open the mysql workbench and connect to database.
Execute the query
CREATE USER 'native_user'#'localhost' IDENTIFIED WITH mysql_native_password;
The result must be like this one
09:30:17 CREATE USER 'native_user'#'localhost' IDENTIFIED WITH mysql_native_password 0 row(s) affected 0.156 sec
Step 3. In mysql workbench open server -> users and privilegas
Select native_user form the list. Change the password, default shema and shema privilegas for this user. Save the changes.
Step 4. Check with mysql shell
MySQL [localhost+ ssl] SQL> select user, plugin from mysql.user ;
+------------------+-----------------------+
| user | plugin |
+------------------+-----------------------+
| pi | caching_sha2_password |
| mysql.infoschema | caching_sha2_password |
| mysql.session | caching_sha2_password |
| mysql.sys | caching_sha2_password |
| native_user | mysql_native_password |
| root | caching_sha2_password |
+------------------+-----------------------+
6 rows in set (0.0011 sec)
Step 5. Open the grafana datasouces and set up new user.
Good luck!
P.S. I cant create a new user with mysql_native_password using mysql workbanch. Maybe its bug. Use command prompt instead.
Thanks. Below works as well. No need to create a new user.
select user,plugin from mysql.user;
alter user root#'localhost' identified with mysql_native_password by 'my_password';
select user,plugin from mysql.user;
In postgresql all you needed to do was type in postgres <database_name>
to access the database. In MySql, you need to do this:
mysql -u root
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 52
Server version: 5.7.20 Homebrew
Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> use arthouse_development
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> select * from catalog_items;
Empty set (0.00 sec)
mysql> select * from catalog_items
-> ;
Empty set (0.00 sec)
mysql> select * from users;
Empty set (0.01 sec)
mysql> select * from users
-> ;
Empty set (0.00 sec)
Is there a way to not have to specify the user name and specify the database all in one line?
How do you see all the tables in mysql once inside the database?
Use the -D option of the program mysql the default login with a database.
The -p option let's you enter a password into the mysql program
C:\Program Files\MySQL\MySQL Server 5.7\bin>mysql -u root -p -D stackoverflow
Enter password: **
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 10
Server version: 5.7.20-log MySQL Community Server (GPL)
Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
Confirm we are using the database stackoverflow.
mysql> select database();
+---------------+
| database() |
+---------------+
| stackoverflow |
+---------------+
1 row in set (0.00 sec)
How do you see all the tables in mysql once inside the database?
mysql> show tables;
+-------------------------+
| Tables_in_stackoverflow |
+-------------------------+
| baskets |
| baskets_fruits |
| conditions |
| employee |
| employees |
| hugetable |
| kanji |
| newtable |
| result |
| t1 |
| t2 |
| table1 |
| table_test |
| temp |
| test |
| testing |
| word |
+-------------------------+
17 rows in set (0.00 sec)
Or by using information_schema.TABLES table
mysql> SELECT TABLE_NAME FROM information_schema.TABLES WHERE TABLE_SCHEMA = 'stackoverflow';
+----------------+
| TABLE_NAME |
+----------------+
| baskets |
| baskets_fruits |
| conditions |
| employee |
| employees |
| hugetable |
| kanji |
| newtable |
| result |
| t1 |
| t2 |
| table1 |
| table_test |
| temp |
| test |
| testing |
| word |
+----------------+
17 rows in set (0.00 sec)
Other answers mention the --database / -D option, but you don't even need that.
https://dev.mysql.com/doc/refman/5.7/en/mysql.html shows the simpler example:
Using mysql is very easy. Invoke it from the prompt of your command
interpreter as follows:
shell> mysql db_name
In other words, exactly like the usage you showed for postgres <database_name>.
You may also need to supply username and password to authenticate for the MySQL instance, but I prefer to put those into an option file so I don't have to type them repeatedly.
$ cat ~/.my.cnf
[client]
username = scott
password = tiger
See https://dev.mysql.com/doc/refman/5.7/en/option-files.html for more on these files.
There's also an optional way to store the user credentials encrypted. For this https://dev.mysql.com/doc/refman/5.7/en/mysql-config-editor.html
Any software is easier to use if you try reading a little bit of the documentation! :-)
Using man mysql to view the mysql manpage you'll find the -D flag:
ยท --database=db_name, -D db_name
The database to use. This is useful primarily in an option file.
I've read a lot of answers for this question, but didn't found the resolve.
I have an mysql server on Azure (ex. 13.25.147.140).
my.cnf:
[mysqld]
# bind-address=127.0.0.1
init_connect= ^`^xSET collation_connection = utf8_unicode_ci ^`^y
character-set-server = utf8
collation-server = utf8_unicode_ci
[client]
default-character-set = utf8
Then, I did sudo service mysql restart
Then, granted permission for root:
GRANT ALL PRIVILEGES ON *.* TO 'root'#'57.26.24.157' IDENTIFIED BY 'password' WITH GRANT OPTION;
mysql> SELECT user, host from user;
+------------------+--------------+
| user | host |
+------------------+--------------+
| root | % |
| root | 57.26.24.157 |
| debian-sys-maint | localhost |
| mysql.sys | localhost |
| paymon | localhost |
| phpmyadmin | localhost |
| root | localhost |
+------------------+--------------+
But when I tried to connect from my PC, I got this:
mysql -u root -p -h 13.25.147.140
Enter password:
ERROR 1045 (28000): Access denied for user 'root'#'57.26.24.157' (using password: YES)
How can I fix that?
By default, mysql disallow root login remotely, it is a security precaution.
If you want to use root to login remotely for some test, we can use this command to modify it:
[root#jasonvm etc]# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.1.73 Source distribution
mysql> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> select host, user from user where user="root";
+-----------+------+
| host | user |
+-----------+------+
| % | root |
| 127.0.0.1 | root |
| localhost | root |
+-----------+------+
3 rows in set (0.00 sec)
mysql> grant all privileges on *.* to 'root'#'%' identified by 'password' with grant option;
Query OK, 0 rows affected (0.00 sec)
Another VM to use root to login mysql:
[root#localhost ~]# mysql -u root -p -h 40.71.33.231
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.1.73 Source distribution
Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MySQL [(none)]>