I've setup a MySQL server v5.5.41 for SSL and I'm to trying to connect it remotely. I've created the SSL certs, keys, created a user and granted privileges like this:
GRANT SELECT ON mydb.* TO 'myuser'#'xxx.xxx.xxx.xxx' require x509;
I've updated the my.cnf file on the server like:
ssl-ca = /etc/mysql/certs/ca.pem
ssl-cert = /etc/mysql/certs/server-cert.pem
ssl-key = /etc/mysql/certs/server-key.pem
I've done the same with the client pem files (and ca.pem), adding them to my.cnf (under the client section). I've also updated (Linux) /etc/apparmor.d/usr.sbin.mysqld since I'm putting my pem files in a new directory that I created (certs).
And it all works! Except when I repeat the process of creating client pem files and user/privileges for my local development machine. I've done everything exactly the same, but when I try to connect, I get:
ERROR 1045 (28000): Access denied for user 'testuser'#'xxx.xxx.xxx.xxx' (using password: YES)
I've created the testuser on the mysql server and granted privileges in exactly the same way as before (verified by querying the DB). The client pems and ca.pem are on the box, and the cnf file has been updated. I've restarted MySQL. The password I'm using to connect to the server is definitely correct.
The only thing I can think of that's different is when I was creating the client cert, I didn't know what to put in for the Common Name. In the other case, where it's working, that machine is a web server, so the Common Name I used is the domain. For my development machine, I just used what I got from running the hostname command for the Common Name. If this is the problem, what should the Common Name be?
The reason for the problem was because I accidentally put these lines:
ssl-cert = /etc/mysql/certs/client-cert.pem
ssl-key = /etc/mysql/certs/client-key.pem
...on my local development machine under the [mysqld_safe] section instead of the [client] section in my.cnf, so there's no inherent MySQL or SSL issue here (although if I hadn't written up this question it might have taken me a lot longer to discover that).
Related
My localhost is running MariaDB 10.6.7 on Win64.
I am trying to force SSL when connecting to MariaDB.
I test the connection using MySQL Workbench 8.0.
To enable the SSL, I did the following:
I generate self signed certificate, then in my.ini, I set the following:
[mysqld]
datadir=C:/xampp/MariaDB 10.6/data
port=3306
innodb_buffer_pool_size=1009M
ssl-ca=C:/xampp/xampp/certs/mysql/ca-cert.pem
ssl-cert=C:/xampp/xampp/certs/mysql/server-cert.pem
ssl-key=C:/xampp/xampp/certs/mysql/server-key.pem
[client]
port=3306
plugin-dir=C:/Program Files/MariaDB 10.6/lib/plugin
ssl-ca=C:/xampp/xampp/certs/mysql/ca-cert.pem
ssl-cert=C:/xampp/xampp/certs/mysql/client-cert.pem
ssl-key=C:/xampp/xampp/certs/mysql/client-key.pem
To force SSL, I set the user in MariaDB to require SSL.
Unfortunately, with this configuration, I can still connect to MySQL without using any certificate. How can I force MariaDB to force SSL or FAIL?
My second question, I have a suspicion that my configuration is actually for setting using Require X509. Is this the case? If yes, how can I set it up to just use Require SSL?
Last, having the certificate set in my.ini, prevent me from connecting to mysql via the regular way, that is: mysql -u root. I got the following error:
ERROR 2026 (HY000): SSL connection error: An unknown error occurred while processing
the certificate. Error 0x80090327(SEC_E_CERT_UNKNOWN).
I have tried to use the following command, mysql --ssl-ca=[directory]\client-cert.pem -u root, without success. I got the same error as above. Any idea?
If you have a reference page or any kind of insight, that would be appreciated.
Thanks.
When creating a user, you need to add the require parameter, which can be x509 or ssl.
take for example
create user itpuxs2#'%' identified by 'root' require x509;
create user itpuxs3#'%' identified by 'root' require ssl;
From my test in Win64, the ssl-ca, ssl-cert, ssl-key under [client] is not required for "Require SSL". This settings were also the reason why I could not login using "mysql -u root".
I use MySQL Workbench to test my connection to MariaDB. From my testing, even though I did not provide any certificate, as long as the server have certificate for SSL, then the connection would be encrypted (Require SSL). Having said that, I did try to provide a ca-cert.pem, but it did not work. From my research in google, it seems that this may due to the SSL Library used in MariaDB. The SSL library may be different for different distribution.
As for the X509, I was able to get it working in Linux. I did this once and was not doing further testing since I am working in windows at the moment.
I have a database located on a server and it is working correctly. I can access it from the local server and using phpmyadmin from any server connected to the network.
I would want to use Workbench in order to use its functions but I have tried a lot of possibilities and I'm not able to connect from it.
I have found a lot of solutions but anyone could not help me. For this reason, I'm trying to find someone who can help me with this.
First of all, I want to explain that this database is accessible from phpmyadmin (as I said before) and from webserver (I use database in my web application) so, the trouble of denied remote access is discarded. (with user root)
Furthermore I have looking for the problem and in the log of database server I have could find this:
error: connect to 127.0.0.1 port 3306 failed: Permission denied
channel_by_id: 0: bad id
I have tried to use Workbench with TCP/IP with the IP of the database server by port 3306 and with SSH connecting to webserver (this step is running correctly) and connecting to database with local IP and port 3306.
Furthermore, I have checked if port 3306 was closed and it is opened.
The config (my.cnf) is this:
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
user=mysql
max_allowed_packet=1024M
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0
[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
I know that this config is not usual but I have not installed it and I would not want to touch a lot because it is working now and a lot of people is using it.
I have tried too to edit hosts.allow adding the line mysqld: all but it did not work.
What can be the problem? Thanks for your help.
(I have checked Stackoverflow's posts too and I have not been able to find a solution)
you need to configure your mysql to allow remote login. then you can either specified your ip or wildcard * to allow all ip to access the mysql database.
this is the command to grant remote access.
Log in to the database server.
Connect to the MySQL database as the root user.
Enter the following command:
GRANT ALL ON <local database name>.* TO <remote web node username>#<remote web node server ip address> IDENTIFIED BY '<database user password>';
For example,
GRANT ALL ON magento_remote.* TO dbuser#192.0.2.50 IDENTIFIED BY 'dbuserpassword';
I have followed the steps here:
ERROR 1130 (HY000): Host '' is not allowed to connect to this MySQL server
Carried out this activity dozens of times and it worked -- now for some reason it is not
I have done:
Comment out bind-address in my.cnf and restart service
GRANT ALL PRIVILEGES ON . TO 'root'#'%';
FLUSH PRIVILEGES;
The only difference here is that MySQL is running in a VM under VirtualBox and I am connecting to the VM mysql instance via WIndows 7.
SSH and other services work fine...
The passwords are fine as they work when I connect via SSH...
My new modem/router possibly at fault, blocking outgoing or ingoing connections on port 3306???
I assume that traffic from a host to guest still goes through the router...but the thing is...my requests are certainly making to the MySQL server as the log file shows fail requests...
WTF amm I missing???
The error I receive: Error No. 1045
Access denied for user 'root'#'my-desktop' (Using Passowrd: YES)
You also have to edit my.cnf. Change:
bind-address = 127.0.0.1
to
#bind-address = 127.0.0.1
then restart mysql. Also, if you are going to allow outside access, create a user other than root. That's always a bad idea.
By default connection from outside are not allowed for security reasons.
Because exposing your database to the public internet is never a good idea, you will need to whitelist the IP address manually to allow connection.
I want to connect my Django app (hosted on a VPS) to a database hosted on another server with more memory, so I can run stuff and add things to the database without the risk of it getting killed for using too much memory on my VPS. The things I've seen about this (e.g., How to connect to MySQL server on another host?) all involve editing my.cnf and changing the bind-address line. I a)don't have root privileges to do this, and b)don't want to expose other users' MySQL dbs to potential security risks. I tried editing ~/.my.cnf to change the bind-address thing, but that doesn't seem to work.
I also found http://www.rackspace.com/knowledge_center/article/mysql-connect-to-your-database-remotely, which suggests creating 'user'#'remote-ip-address' and then granting that user permissions. I tried that, but I keep getting ERROR 2003 (HY000): Can't connect to MySQL server on '(the server's address)' (110) when I try mysql -u username -p -h (the server's address).
I have access to the root user for MySQL, but no other admin privileges on the server where I want to set up the database. Is there any way to configure things so Django can access this remote db without directly editing /etc/mysql/my.cnf?
The bind-address doesn't specify which IPs can connect to that server, but which address is MySQL listening to. So, just set it to 0.0.0.0 and it will work. Please make sure you've got a user account with that address. Check mysql.user table.
Addressing the root-access thing:
* If you installed mysql manually, you've got root access.
* If you didn't install mysql manually, but it's a service provided by the VPS hosting, then the bind-address should be 0.0.0.0 (or at least not 127.0.0.1). If it's not the case, contact them because they're screwing up pretty bad.
Hope it helps.
EDIT, CLARIFICATION:
MySQL bind-address is not a security constraint. If you want to allow some addresses to connect to the server you should create/grant users with the that address specified, like this
CREATE USER 'bobdole'#'192.168.10.221';
Rather hacky, but I think this should be possible with MySQL Proxy listening on an unprivileged port on the public IP, proxying all queries to the mysqld which is running locally.
I'm stuck at the seemingly simple task of connecting remotely to MySQL. I inherited the server, so don't know how it was installed. Took a look at /etc/my.cnf (the only my.cnf on the system as far as I can tell) and found
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
user=mysql
# Default to using old password format for compatibility with mysql 3.x
# clients (those using the mysqlclient10 compatibility package).
old_passwords=1
[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
The error I get is
"Unable to connect to host 123.456.789.000 because access was denied. Double-check your username and password and ensure that access from your current location is permitted. MySQL said: Access denied for user 'my_user_name'#'098-765-432-111-mydomain.com' (using password: YES)"
Things I've done:
I added bind-address = 0.0.0.0 to my.cnf and restarted the server. No luck.
Telnetted to the server on port 3306. Got mishmash of text back, which tells me the port is accessible.
Stopped the server and tried to connect again (to see what error I would get). Surprisingly, didn't get a timeout - got the same error as above.
Here's what SELECT User, Host, Password FROM mysql.user WHERE user = 'web_app_user';
+--------------+-----------------------+------------------+
| User | Host | Password |
+--------------+-----------------------+------------------+
| web_app_user | % | 54b4540f7c238486 |
+--------------+-----------------------+------------------+
I've had the same problem long ago, i was caused because my user didn't have the remote right, basically when you log in MySQL you log as username#localhost, but when you are remoting it'll be username#your-isp.com, you need to create a user named username#your-isp.com and use the GRANT method to give him the correct right, this can all be done via phpmyadmin but sadly I can't remember where...
A lot of times, a login is limited to be a local connection. You need to take a look at the user permissions and will likely need to add a record allowing that login and password to connect from a remote location.
On my web servers, I always limit the login to being from localhost, for security purposes.