I have created a ssl follow:
https://cloud.google.com/sql/docs/configure-ssl-instance
And read this document:
https://cloud.google.com/sql/docs/mysql-client#connect
After I created a new mysql instance and download the three pem files to local. I want to connect to that server:
mysql -u<USERNAME> -p -h <IP_ADDRESS> --ssl-ca=/local/path/to/server-ca.pem --ssl-cert=/local/path/to/client-cert.pem --ssl-key=/local/path/to/client-key.pem
And type the password, again it said:
ERROR 2013 (HY000): Lost connection to MySQL server at 'reading initial communication packet', system error: 0
Why?
Did you follow the instructions under the heading "Grant access to your instance? It links to another document that explains how to add IP addresses to Authorized Network list of your Cloud SQL instance. Even when using SSL certificates you must add the IP address as an Authorized Network.
Related
So, I have a Kubernetes pod that executes a script. This script tries to connect to a MySQL server, but I get the message Can't connect to MySQL server on 'x.x.x.x' (110). Every traffic in the subnet that contains the addressed IP is prevented. That's why I set up a network policy (type: Egress), but it still doesn't work. Do you know why?
I have an existing PHP service running on a Compute Engine VM Instance and a Google Cloud SQL service.
After I login to the VM and run this command
mysql -h <IP> <db> -umyuser -p
I can connect to the mysql instance with no problem.
However, if I try to use socket
mysql -h localhost --socket=/home/forge/.gcp/cloudsql/proxy/socket/project:region:production
I get this error
ERROR 2013 (HY000): Lost connection to MySQL server at 'reading initial communication packet', system error: 95
This is an existing setup and I am not very familiar with GCP. But, this was working until yesterday after which it started to fail with this error
Did I miss any configuration change?
I created a fresh instance of google sql with mysql 5.7. I also had to create a client certificate as well as reset the root password to something known and secure.
If I disable "Only allow secure connections" and I log in from the cli then I can connect with the password.
mysql -uroot -p -h x.x.x.x
But, i like secure connections. So connecting via ssl (enabling ssl connections and using the downloaded certs) is unable to connect.
mysql -uroot -h x.x.x.x --ssl-ca=server-ca.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem
with this error
mysql: [ERROR] SSL error: Unable to get certificate from 'client-cert.pem'
ERROR 2026 (HY000): SSL connection error: Unable to get certificate
If I try and connect via ssl in mysql administrator, I get this error:
The certs were created by the google console and am trying to connect how the example command tells me to connect. So I cannot for the life of me figure out why I cannot connect.
It seems that when creating a client certificate, Google Cloud is putting the CRT inside the client-key.pem and the KEY inside the client-cert.pem.
Does it work if you try the following?
mysql -uroot -h x.x.x.x --ssl-ca=server-ca.pem --ssl-cert=client-key.pem --ssl-key=client-cert.pem
I will preface by saying I can connect to the DB instance when I'm not trying to go over SSL.
I am following this guide here
http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Aurora.Connect.html
I have ensured the db instance is public facing.
The security group of the VPC has the following rules:
Type Protocol Port Range Source
MySQL/Aurora (3306) TCP (6) 3306 my_ip_address/32
MySQL/Aurora (3306) TCP (6) 3306 sg-security_group_name
Where the security_group_name is the security group for my EC2 cluster.
I am using the cluser endpoint of my aurora cluster. And I've removed the port. I installed mysql on my machine using homebrew. This is the command I am trying from my local machine (macbook):
mysql -h blah-database-cluster.cluster-dfgdgfd.us-east-1.rds.amazonaws.com --ssl-ca=rds-ssl-ca-cert.pem --ssl-verify-server-cert
Where rds-ssl-ca-cert.pem is the file I downloaded from here:
http://s3.amazonaws.com/rds-downloads/rds-ssl-ca-cert.pem
I get the error:
ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
I have tried creating a new instance, rebooting etc and no joy. Does my security group need some kind of https rule?
Edit:
Further clue. When I run mysql --ssl locally it doesn't error. But when I do mysql show_variables, it says SSL false and the have_ssl and have_open_ssl variables don't exist. Could this be the problem? I installed the local mysql via homebrew package manager for mac.
New edit:
I re-installed mysql (previously from brew) and now direct from oracle and when I try to connect it gives a different error - SSL connection error: ASN: bad other signature confirmation
At present the AWS Aurora documentation is linking to an out of date SSL certificate to use, hence the problem. This has been confirmed by the AWS support staff. Use this instead: https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem
Even when using that certificate, connecting to the cluster end-point over SSL still doesn't work for the command line using mysql -h connection. If I change from the cluster end-point to the instance end-point strangely it works.
Bizarrely, mysql workbench does connect over ssl, both to the instance end-point AND the cluster-end point.
Use mysql with --skip-ssl option if you not using SSL.If nothing helps upgrade your mysql client
From the docs it appears the restriction to the instance endpoint for SSL connections is a security constraint associated with the certificate.
Amazon RDS creates an SSL certificate and installs the certificate on the DB instance when Amazon RDS provisions the instance. These certificates are signed by a certificate authority. The SSL certificate includes the DB instance endpoint as the Common Name (CN) for the SSL certificate to guard against spoofing attacks. As a result, you cannot use the DB cluster endpoint to connect to the primary instance of the DB cluster using SSL.
FYI
please try using this key as well (from Amazon docs)
https://s3.amazonaws.com/rds-downloads/rds-ca-2015-root.pem
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html
For me I had to use:
mysql --ssl-mode=DISABLED -u [USER] -p[PASSWORD] -h [HOST] [DB]
I don't know if this is a user error on my end, or if the remote server is configured incorrectly.
I was given some connection info for a server as follows:
Server IP
server username
keyfile
mysql user
mysql password
and I can shell in and run the "mysql" command with the mysql user and password I was given, but I can't setup a connection in either MySQL Workbench or in HeidiSQL.
In MySQL Workbench, the 'Standard TCP/IP over SSH' seemed to best fit the info I was given, but when I try to connect I get "Authentication error. Please check that your username and password are correct and try again." or "Authentication error opening SSH tunnel: Authentication error. Please check that your username and password are correct and try again." in the logfile.
In HeidiSQL the "MySQL (SSH tunnel)" seemed to best fit the info I was given, but when I try to connect there, I get "Lost connection to MySQL server at 'reading initial communication packet', system error:0"
I looked up both these errors and couldn't find anything for the first one, and the second one seemed to be more about server configuration. I'm not too savvy with server config, so I'm a bit stuck evaluating whether or not I'm doing something wrong on my end, or if something needs to be changed on the server. I'd appreciate some advice. Thanks!
You must be more specific about the credentials you got. Is "server IP" the IP address of the MySQL server or an SSH server? Is the "server username" the SSH user or something else (e.g. a regular user of the target machine)? In my tutorial video on Youtube I explained what you have to use where to create a connection, including SSH connections: https://www.youtube.com/watch?v=DCgRF4KOYIY
You have to check a couple configuration steps before you can perform a remote mysql connection:
First of all you must check that mysql default port(3306) is listening on the correct interface.
You can check this out using netstat command in the remote server:
# netstat -tulnp
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 1111/mysqld
http://www.cyberciti.biz/tips/how-do-i-enable-remote-access-to-mysql-database-server.html
Then you must check that the remote host is allowed to perform querys into mysql engine (you must check user and host permissions over your database).
Connect into terminal and run the following command in mysql prompt:
mysql> select user,host from mysql.user;
Check the following link to deep insight mysql user and hosts system:
https://dev.mysql.com/doc/refman/5.0/en/adding-users.html
Check user,host permissions over your database:
mysql> show grants for root#localhost;
https://dev.mysql.com/doc/refman/5.1/en/grant.html
You must check that remote host (client) exist for example: user#192.168.1.2
Finally if you are using putty to encrypt over ssh you connection please check that you rsa key fingerprint is added you can perform this just logging ssh using you putty client.