Getting Mysql2::Error (SSL connection error: ASN: bad other signature confirmation) on Heroku App with AWS RDS - mysql

Mysql2::Error (SSL connection error: ASN: bad other signature confirmation):
I am making an administration site. The environment is Rails 4.2 and Ruby 2.2, connecting to AWS RDS from a Heroku server.
I don't know why I'm getting this error. It suddenly appeared. I can't find any errors other than this one. Although I pushed my code two days ago, I got this error this time. (I haven't touched the code during those two days.)
How can I solve this problem?

For me, this had to do with the RDS SSL Certificate Rotation that happened on April 3rd, 2015.
However, in my case, just using the root certificate did not work, and I had to use an intermediate certificate for my region as well. Details:
Go into the AWS rds console and reboot your RDS instance.
Download the new root certificate https://s3.amazonaws.com/rds-downloads/rds-ca-2015-root.pem. Put it into the config directory of your app.
Download the intermediate certificate for your database region
here. I had to use the US east one, but you will have to pick the one for your region.
This is the key step. You need to combine the intermediate certificate and the root certificate into one file so that the intermediate certificate is above the root certificate, forming a certificate chain. Open the intermediate certificate using a text editor, copy its contents, and paste them into config/rds-ca-2015-root.pem, on top, above the root certificate. So, after you are done, config/rds-ca-2015-root.pem should be the intermediate certificate followed by the root certificate, all in this file.
Get your current database url
heroku config
and then look for the DATABASE_URL property
Update your database URL to use the new certificate file. All you should have to change is the name of the certificate (since it's now called rds-ca-2015-root.pem):
heroku config:add DATABASE_URL="mysql2://DB_NAME:DB_PASSWORD@DB_URL/DB_NAME?sslca=config/rds-ca-2015-root.pem"
Commit the changes and redeploy to Heroku.

Four years later (2019) and AWS are rotating CA certs again, as expected.
RDS users are recommended to switch from the 2015 cert to the 2019 cert by 2019-11-01, and "no later than" 2020-02-05. The 2015 certificates expire on 2020-03-05.
I used the following procedure, based on RDS' Rotating Your SSL/TLS Certificate guide.
Schedule downtime
Download new certificates, save in config
Only the root cert is needed: rds-ca-2019-root.pem
The instructions mention a 2015+2019 bundle, but I couldn't find it. This file is 2019 only.
Region-specific intermediate certs are not needed
Commit, but don't deploy yet
heroku maintenance:on
In RDS web console, modify server
In the Network & Security section, choose rds-ca-2019
Apply changes immediately
Scale dynos down to 0
heroku config:set DATABASE_URL=mysql2://myuser:mypassword@myhost.rds.amazonaws.com/mydb?sslca=config/rds-ca-2019-root.pem
Deploy
Scale dynos up, watch logs
heroku maintenance:off
There are many reasonable variations on this procedure, this is just what worked for me.
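For both answers above (the 2015 file with the intermediate placed above the root, and the 2019 root-only file), here is an added example that is not part of either answer. It is a Ruby script (the stack in the question is Rails, so Ruby's bundled OpenSSL is used) that generates a throwaway root CA, a regional intermediate and a server certificate, writes the CA file in both shapes, and then checks what a client that trusts only that file would accept. The CA names, the hostname and every certificate here are constructed for the example and are not the real RDS certificates.

```ruby
require 'openssl'

# Build a test certificate. Everything here is constructed for the example;
# the names do not correspond to any real RDS CA.
def make_cert(subject, key, issuer: nil, issuer_key: nil, ca: false, serial: 1)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 365 * 24 * 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage',
                                         ca ? 'keyCertSign,cRLSign' : 'digitalSignature,keyEncipherment', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# A made-up three-level chain: root -> regional intermediate -> database server.
ROOT_KEY  = OpenSSL::PKey::RSA.new(2048)
ROOT      = make_cert('/CN=Example RDS Root CA', ROOT_KEY, ca: true, serial: 1)
INTER_KEY = OpenSSL::PKey::RSA.new(2048)
INTER     = make_cert('/CN=Example RDS us-east-1 CA', INTER_KEY,
                      issuer: ROOT, issuer_key: ROOT_KEY, ca: true, serial: 2)
LEAF_KEY  = OpenSSL::PKey::RSA.new(2048)
LEAF      = make_cert('/CN=mydb.example.invalid', LEAF_KEY,
                      issuer: INTER, issuer_key: INTER_KEY, serial: 3)

# The two shapes of CA file discussed above: root alone, or intermediate above root.
ROOT_ONLY_PEM = ROOT.to_pem
CHAIN_PEM     = INTER.to_pem + ROOT.to_pem

# Split a PEM file into its certificates, in file order.
def parse_bundle(pem)
  pem.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
     .map { |block| OpenSSL::X509::Certificate.new(block) }
end

# Subjects in file order, to eyeball which certificate sits on top.
def bundle_subjects(pem)
  parse_bundle(pem).map { |c| c.subject.to_s }
end

# True when each certificate in the file is issued (and actually signed) by the
# one that follows it, i.e. the file reads intermediate then root.
def ordered_chain?(pem)
  parse_bundle(pem).each_cons(2).all? do |child, parent|
    child.issuer.to_s == parent.subject.to_s && child.verify(parent.public_key)
  end
end

# Emulate what a client does with sslca=<file>: trust every certificate in the
# file, then validate the server certificate. `sent_by_server` stands for any
# intermediates the server itself includes in the TLS handshake.
# Returns [accepted?, reason].
def server_cert_accepted?(ca_pem, server_cert, sent_by_server = [])
  store = OpenSSL::X509::Store.new
  parse_bundle(ca_pem).each { |c| store.add_cert(c) }
  ok = store.verify(server_cert, sent_by_server)
  [ok, store.error_string]
end

if __FILE__ == $PROGRAM_NAME
  puts "chain file order: #{bundle_subjects(CHAIN_PEM).inspect}, ordered=#{ordered_chain?(CHAIN_PEM)}"
  puts "root only, server sends leaf only:    #{server_cert_accepted?(ROOT_ONLY_PEM, LEAF).inspect}"
  puts "root only, server sends intermediate: #{server_cert_accepted?(ROOT_ONLY_PEM, LEAF, [INTER]).inspect}"
  puts "intermediate+root file, leaf only:    #{server_cert_accepted?(CHAIN_PEM, LEAF).inspect}"
end
```

The root-only file accepts the server certificate only when the server itself presents the intermediate during the handshake; when it does not, verification stops with "unable to get local issuer certificate", and the intermediate has to be in the CA file. bundle_subjects and ordered_chain? are the quick check to run on a combined file before committing it: the intermediate should be listed first and be signed by the root that follows it.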

The server uses a certificate signed by an unknown authority

Any help or hint would be greatly appreciated!
I have Windows 11 Pro.
I installed OpenShift.
I ran "crc setup" and then "crc start":
INFO Adding crc-admin and crc-developer contexts to kubeconfig...
ERRO Cannot update kubeconfig: x509: certificate has expired or is not yet valid: current time 2022-05-24T00:01:26-04:00 is after 2022-01-13T22:29:55Z
Started the OpenShift cluster.
The server is accessible via web console at:
https://console-openshift-console.apps-crc.testing
I get the following error when I try to log in:
C:\Users\Albert Lam>oc login -u developer https://api.crc.testing:6443
The server uses a certificate signed by an unknown authority.
You can bypass the certificate check, but any data you send to the server could be intercepted by others.
Use insecure connections? (y/n): n
error: The server uses a certificate signed by unknown authority. You may need to use the --certificate-authority flag to provide the path to a certificate file for the certificate authority, or --insecure-skip-tls-verify to bypass the certificate check and use insecure connections.
C:\Users\Albert Lam>oc login -u developer https://api.crc.testing:6443
The server uses a certificate signed by an unknown authority.
You can bypass the certificate check, but any data you send to the server could be intercepted by others.
Use insecure connections? (y/n): y
I had the same problem, and it was caused by an old, expired certificate (a VMware one) that had nothing to do with OpenShift.
I found the problem by viewing the certificate in my Chrome browser after navigating to https://console-openshift-console.apps-crc.testing.
The correct certificate should have *.apps-crc.testing as its CN, but mine had a different one.
I suggest you find the wrong certificate and delete it if it has expired.
On Windows, for VMware, you can find it inside C:\ProgramData\VMware\SSL.
On Windows you can look for certificates using the "Manage certificates" app.

Connect to MySQL with Microsoft Power Bi Desktop over SSL

I have MySQL running on a CentOS server with SSL enabled, and it requires SSL in order to connect to the databases. I created the certificates and keys using OpenSSL, getting these files:
ca.pem
ca-key.pem
client-cert.pem
client-key.pem
server-cert.pem
server-key.pem
I set up MySQL with this:
ssl-ca=/etc/certs/ca.pem
ssl-cert=/etc/certs/server-cert.pem
ssl-key=/etc/certs/server-key.pem
bind-address=*
require_secure_transport=ON
I created a user that requires X509 on the MySQL server by using:
CREATE USER 'user'@'%' IDENTIFIED BY '<password>' REQUIRE X509;
Testing with the MySQL client console and MySQL Workbench, providing the client certs, works fine. It also works from a Java app that writes/reads the databases, by importing the certificates into the keystores/truststores.
However, I cannot set up the Power BI Desktop version to connect to the MySQL server. I imported the certificates into the Trusted Root Certification Authorities store and into a PKCS12 keystore and truststore (also used by the Java app). This image shows the certificate. It is in Spanish, but it says it also has the key and is verified by the ca.pem.
This is according to the documentation, but the documentation about this is very old and very limited. Some of the processes and/or tools are out of date.
These are the sources I could find:
https://github.com/Microsoft/PowerBI-visuals/blob/master/tools/CreateCertificate.md#generate-certificate-manually
https://github.com/Microsoft/PowerBI-visuals/blob/master/tools/CertificateAddWindows.md
https://powerbi.microsoft.com/es-es/blog/ssl-security-error-with-data-source/
However there is not much more info about how to properly connect (or I cannot find it).
The message I get on Power Bi is "We were unable to authenticate you with the credentials provided. Try again."
I must add that disabling SSL allows me to connect to the databases using Power BI without any issue; it is the SSL that doesn't work, as I don't know how to properly provide the certificates and I cannot find anything that describes the process.

Finding MySQL localhost URL and/or accessing phpmyadmin

Going around in circles. Please help. I enter http://localhost into Safari on my Mac and receive: It works!
However, I cannot figure out how, using MySQL Workbench, I can find the URL. I am looking to code JSON in Xcode to retrieve data from my local MySQL database, but I do not even know the URL to access it.
My port is 3306. I have tried http://127.0.0.1:3306 and get a "failed to open".
Do I need phpMyAdmin or can I go direct to MySQL?
I have tried saving a copy of phpMyAdmin under Users>MyUserName>, but this did not work when I ran: http://localhost/myphpadmin
Should the file be saved elsewhere? When I worked on Python weeks ago I ran it from a different location than was recommended (under the Python X.X cache folder), whereas online people simply ran it from their Users>MyUserName> folder. I am on the latest OS X, Catalina.
Tried http://localhost/usr/local/mysql-8.0.20-macos10.15-x86_64/phpmyadmin/ - 404 not found
With MySQL, you can connect via localhost "socket" or networking "TCP/IP" connections. The user accounts in MySQL exist separately from each other, so if your user account exists with host value 'localhost' the TCP/IP connection probably won't work for you. Also note that, depending on how you installed MySQL and how it's configured, it might not even listen for network connections. Normally, localhost is preferred if you are on the same machine.
In MySQL Workbench, you need to give the hostname or IP address when selecting "Standard (TCP/IP)" from the "Connection Method" dropdown. This is simply the hostname or IP address, not a complete URL or web site. So you'd set the hostname to "127.0.0.1" or "192.168.9.34" or whatever. Again, Local Socket/Pipe is usually a better choice in most cases.
MySQL uses its own networking port (3306) and communication protocol, so using http://127.0.0.1 is incorrect as it isn't using the http protocol. Likewise, if you would need to change the port for some reason, specify that in the port field rather than as a part of the hostname.
As for phpMyAdmin, you would install that to a folder that is handled by your web server, then access it through the URL/path exposed by the web server — by default, your user home directory is not shared to the web (and rightly so, I don't want all of my documents and files shared with the world!). Put the phpMyAdmin folder in your web root and you'll have better success. Which folder that is probably depends a lot on which webserver you are running, how it is installed, and how you configured it.
I won't comment on the Python scripts you've run in the past, as my experience with serving Python to the web requires adjusting some settings in my nginx configuration, and I don't want to confuse you compared to the tutorials you're following.
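As an added example that is not part of the answer above, here is a Ruby script (Ruby being the language of the first question on this page) that builds a MySQL server greeting packet laid out the way mysqld sends it as the first bytes on a port 3306 connection, parses it back, and shows that an HTTP request is not a MySQL packet at all. The greeting bytes, server version, connection id and auth-plugin data are constructed for the example, not captured from a real server.

```ruby
# Capability bits from the MySQL client/server protocol (only the ones used here).
CLIENT_LONG_PASSWORD     = 0x00001
CLIENT_PROTOCOL_41       = 0x00200
CLIENT_SSL               = 0x00800
CLIENT_SECURE_CONNECTION = 0x08000
CLIENT_PLUGIN_AUTH       = 0x80000

# Build a protocol-version-10 server greeting laid out the way mysqld sends it
# as the first bytes on a new connection. Constructed for the example; the
# auth-plugin data ("salt") is fixed so the output is reproducible.
def build_handshake(server_version:, connection_id:, capabilities:, auth_plugin: 'caching_sha2_password')
  salt = 'abcdefghijklmnopqrst'.b                    # 20 bytes a real server would randomise
  body = ''.b
  body << [10].pack('C')                             # protocol version
  body << server_version.b << "\0".b                 # NUL-terminated server version
  body << [connection_id].pack('V')                  # connection id, little-endian
  body << salt.byteslice(0, 8) << "\0".b             # auth-plugin-data part 1, then filler
  body << [capabilities & 0xFFFF].pack('v')          # capability flags, low 16 bits
  body << [0xff].pack('C')                           # character set (utf8mb4)
  body << [0x0002].pack('v')                         # status flags (SERVER_STATUS_AUTOCOMMIT)
  body << [capabilities >> 16].pack('v')             # capability flags, high 16 bits
  body << [21].pack('C')                             # auth-plugin-data length (20 + NUL)
  body << ("\0" * 10).b                              # reserved
  body << salt.byteslice(8, 12) << "\0".b            # auth-plugin-data part 2 (13 bytes)
  body << auth_plugin.b << "\0".b                    # auth plugin name
  header = [body.bytesize].pack('V').byteslice(0, 3) # 3-byte payload length
  header << [0].pack('C') << body                    # sequence id 0, then payload
end

# Parse a server greeting back into its fields. Raises ArgumentError for anything
# that is not a MySQL protocol-10 handshake.
def parse_handshake(packet)
  packet = packet.b
  raise ArgumentError, 'too short to be a MySQL packet' if packet.bytesize < 5
  unless packet.getbyte(4) == 10
    raise ArgumentError, format('not a MySQL handshake: protocol byte 0x%02x, expected 0x0a', packet.getbyte(4))
  end
  l0, l1, l2, sequence = packet.unpack('CCCC')
  length = l0 | (l1 << 8) | (l2 << 16)
  body = packet.byteslice(4, length)
  raise ArgumentError, 'truncated packet body' if body.bytesize < length

  nul = body.index("\0".b, 1)
  server_version = body.byteslice(1, nul - 1)
  pos = nul + 1
  connection_id = body.byteslice(pos, 4).unpack1('V')
  pos += 4
  salt = body.byteslice(pos, 8)
  pos += 9                                           # 8 salt bytes + 1 filler
  cap_lo = body.byteslice(pos, 2).unpack1('v')
  pos += 2
  charset = body.getbyte(pos)
  pos += 1
  status = body.byteslice(pos, 2).unpack1('v')
  pos += 2
  cap_hi = body.byteslice(pos, 2).unpack1('v')
  pos += 2
  capabilities = cap_lo | (cap_hi << 16)
  auth_len = body.getbyte(pos)
  pos += 11                                          # length byte + 10 reserved bytes
  if (capabilities & CLIENT_SECURE_CONNECTION) != 0
    part2 = [13, auth_len - 8].max
    salt += body.byteslice(pos, part2).delete("\0".b)
    pos += part2
  end
  auth_plugin = nil
  if (capabilities & CLIENT_PLUGIN_AUTH) != 0
    nul = body.index("\0".b, pos)
    auth_plugin = body.byteslice(pos, nul - pos)
  end
  { sequence: sequence, server_version: server_version, connection_id: connection_id,
    capabilities: capabilities, charset: charset, status: status,
    ssl: (capabilities & CLIENT_SSL) != 0, auth_plugin: auth_plugin, salt: salt }
end

# True when the bytes start with a parseable MySQL greeting.
def mysql_handshake?(bytes)
  parse_handshake(bytes)
  true
rescue ArgumentError
  false
end

# Constructed sample inputs: a TLS-capable 8.0 server, a server without the SSL
# capability bit, and what a browser would send to http://127.0.0.1:3306.
CAPS_WITH_SSL = CLIENT_LONG_PASSWORD | CLIENT_PROTOCOL_41 | CLIENT_SSL |
                CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH
SAMPLE_GREETING     = build_handshake(server_version: '8.0.20', connection_id: 42, capabilities: CAPS_WITH_SSL)
NO_SSL_GREETING     = build_handshake(server_version: '5.7.30', connection_id: 7,
                                      capabilities: CAPS_WITH_SSL & ~CLIENT_SSL)
SAMPLE_HTTP_REQUEST = "GET / HTTP/1.1\r\nHost: 127.0.0.1:3306\r\n\r\n".b

if __FILE__ == $PROGRAM_NAME
  p parse_handshake(SAMPLE_GREETING)
  p parse_handshake(NO_SSL_GREETING)[:ssl]
  p mysql_handshake?(SAMPLE_HTTP_REQUEST)
end
```

This is why http://127.0.0.1:3306 fails in a browser: the first thing mysqld writes is a length-prefixed binary greeting, not an HTTP response, and the parser rejects the HTTP bytes for the mirror-image reason (the byte where the protocol version should be is part of the request line). The CLIENT_SSL bit in the capability flags is also where a client learns, before it sends any credentials, whether the server will accept a TLS upgrade on that connection.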

openshift and let's encrypt certificates

Is there any integration for Let's Encrypt in OpenShift (or is this planned)? Let's Encrypt is going to issue certs that expire in 90 days [1], and a big part of their plan is to have automation set up by the people who use their certs so that they're always updated with new certs. Given this, some integration from OpenShift would be necessary.
Thanks,
[1] https://letsencrypt.org/2015/11/09/why-90-days.html
Currently, automating SSL certificate renewal and installation on OpenShift Online is not possible because the SSL certificates are stored at the node level, and SSL connections are terminated by the node-level proxy (Reference this). If you would like to see it included in future versions, you should vote here and get people to vote on it. It's possible that you could automate it locally somewhat (or build a module to do it) by using the OpenShift Online API. Another suggestion would be to get a free SSL certificate from StartSSL that lasts for a year and install it either using the command line or the web console.

Accessing a CVS server from an OpenShift Application (Review Board)

I have an application (Review Board) that needs to be able to access a remote CVS (concurrent versions system) server. When I attempt to use the 'cvs' command-line utility from within an OpenShift console (or internally in the Review Board application), I encounter the following error:
CVSROOT=:pserver:anon:anon@cvs.opengroup.org:/cvs/MSB cvs co pegasus
cvs [checkout aborted]: connect to [cvs.opengroup.org]:2401 failed: Permission denied
This command works properly when run from my local Fedora system. I am guessing that there is likely an SELinux AVC occurring, but I have no way to verify this in OpenShift.
The outgoing port (2401) is blocked by an SELinux policy. The best way to request that the team open it, and to track the request, is to enter a bug with your use case:
https://bugzilla.redhat.com/enter_bug.cgi?product=OpenShift%20Online