I'm trying to set up a mysql server 5.5.38-0ubuntu0.14.04.1 with SSL support on an Ubuntu 14.04 Linux (64bit) with kernel 3.13.0-32-generic.
I allowed remote access to mysql and changed the /etc/mysql/my.cnf in order to support ssl...
ssl=1
ssl-ca=/etc/mysql/ca-cert.pem
ssl-cert=/etc/mysql/server-cert.pem
ssl-key=/etc/mysql/server-key.pem
I generated the certificates...
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3650 -key ca-key.pem > ca-cert.pem
openssl req -newkey rsa:2048 -days 3560 -nodes -keyout server-key.pem > server-req.pem
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 3650 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
openssl req -newkey rsa:2048 -days 3650 -nodes -keyout client-key.pem > client-req.pem
openssl rsa -in client-key.pem -out client-key.pem
openssl x509 -req -in client-req.pem -days 3650 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem
I have different names for the Common Name value used for the server and client certificates/keys. Same names seem to be a problem in some cases.
I correctly set the permissions of all *.pem files (mysql:adm) which are in /etc/mysql/. After restarting mysql, I can login as root and see that ssl is now supported:
mysql> show variables like '%ssl%';
+---------------+-----------------------------------+
| Variable_name | Value                             |
+---------------+-----------------------------------+
| have_openssl  | YES                               |
| have_ssl      | YES                               |
| ssl_ca        | /etc/mysql/ca-cert.pem            |
| ssl_capath    |                                   |
| ssl_cert      | /etc/mysql/server-cert.pem        |
| ssl_cipher    |                                   |
| ssl_key       | /etc/mysql/server-key.pem         |
+---------------+-----------------------------------+
7 rows in set (0.00 sec)
So... I created a test user to test an SSL connection:
mysql> GRANT ALL PRIVILEGES ON *.* TO 'ssluser'@'localhost' IDENTIFIED BY 'password' REQUIRE X509;
mysql> flush privileges;
However, when I try to connect...
# mysql -u ssluser -p --ssl-ca=ca-cert.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem
Enter password:
ERROR 2026 (HY000): SSL connection error: ASN: bad other signature confirmation
However, my certificates seem to be valid:
# openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem
server-cert.pem: OK
client-cert.pem: OK
I have been trying to solve this problem for several hours and am now out of ideas.
Help is greatly appreciated!
Solved: Works once the keys are generated with SHA1
# Generate a CA key and certificate with SHA1 digest
openssl genrsa 2048 > ca-key.pem
openssl req -sha1 -new -x509 -nodes -days 3650 -key ca-key.pem > ca-cert.pem
# Create server key and certificate with SHA1 digest, sign it and convert
# the RSA key from PKCS #8 (OpenSSL 1.0 and newer) to the old PKCS #1 format
openssl req -sha1 -newkey rsa:2048 -days 730 -nodes -keyout server-key.pem > server-req.pem
openssl x509 -sha1 -req -in server-req.pem -days 730 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
openssl rsa -in server-key.pem -out server-key.pem
# Create client key and certificate with SHA1 digest, sign it and convert
# the RSA key from PKCS #8 (OpenSSL 1.0 and newer) to the old PKCS #1 format
openssl req -sha1 -newkey rsa:2048 -days 730 -nodes -keyout client-key.pem > client-req.pem
openssl x509 -sha1 -req -in client-req.pem -days 730 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem
openssl rsa -in client-key.pem -out client-key.pem
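The same procedure as one script, added here as an example and not part of the original question or answer. It builds CA, server and client certificates with three distinct Common Names (the placeholders example-mysql-ca, server.mysql.example and client.mysql.example are assumptions), signs with SHA-256 unless "sha1" is passed for a server built against yaSSL like the 5.5 server above, uses a different serial number for each certificate, converts the keys to PKCS#1 on both old and new OpenSSL, and then runs the checks a practitioner would want before copying anything into my.cnf: the chain verifies, the subjects are all different, and the keys carry the "BEGIN RSA PRIVATE KEY" header.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Generates CA, server and client
# certificates for MySQL/MariaDB and checks them. Directory, CNs and digest are
# assumptions: $1 = output directory, $2 = digest (sha256 default; sha1 only for
# a yaSSL-built server that cannot verify SHA-256 signatures, which is what the
# "ASN: bad other signature confirmation" error above was about).

gen_mysql_certs() {
    local dir="$1" digest="${2:-sha256}"
    mkdir -p "$dir" || return 1

    # CA key and self-signed CA certificate. Its CN must differ from the server
    # and client CNs, otherwise OpenSSL cannot tell the chain apart.
    openssl genrsa -out "$dir/ca-key.pem" 2048 2>/dev/null || return 1
    openssl req "-$digest" -new -x509 -nodes -days 3650 -key "$dir/ca-key.pem" \
        -subj "/CN=example-mysql-ca" -out "$dir/ca-cert.pem" 2>/dev/null || return 1

    local name serial=1
    for name in server client; do
        # Key and CSR with a CN unique to this certificate (placeholder host names).
        openssl req "-$digest" -newkey rsa:2048 -nodes -keyout "$dir/$name-key.pem" \
            -subj "/CN=$name.mysql.example" -out "$dir/$name-req.pem" 2>/dev/null || return 1
        # Sign with the CA. RFC 5280 requires serial numbers to be unique per CA,
        # so do not reuse -set_serial 01 for both certificates.
        openssl x509 "-$digest" -req -in "$dir/$name-req.pem" -days 730 \
            -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" -set_serial "$serial" \
            -out "$dir/$name-cert.pem" 2>/dev/null || return 1
        # Rewrite the key in PKCS#1 form ("BEGIN RSA PRIVATE KEY"). OpenSSL 1.0+
        # writes PKCS#8 by default and OpenSSL 3 needs -traditional to get PKCS#1
        # back; older OpenSSL rejects that flag, hence the fallback.
        openssl rsa -traditional -in "$dir/$name-key.pem" -out "$dir/$name-key.tmp" 2>/dev/null \
            || openssl rsa -in "$dir/$name-key.pem" -out "$dir/$name-key.tmp" 2>/dev/null \
            || return 1
        mv "$dir/$name-key.tmp" "$dir/$name-key.pem"
        serial=$((serial + 1))
    done
}

check_mysql_certs() {
    # Returns 0 if all checks pass; 1 = chain does not verify, 2 = CA, server and
    # client subjects are not all distinct, 3 = a private key is not PKCS#1.
    local dir="$1" f subjects
    openssl verify -CAfile "$dir/ca-cert.pem" "$dir/server-cert.pem" "$dir/client-cert.pem" \
        >/dev/null 2>&1 || return 1
    subjects=$(for f in ca server client; do
        openssl x509 -noout -subject -in "$dir/$f-cert.pem"; done)
    [ "$(printf '%s\n' "$subjects" | sort -u | wc -l | tr -d ' ')" -eq 3 ] || return 2
    for f in server client; do
        head -n 1 "$dir/$f-key.pem" | grep -q '^-----BEGIN RSA PRIVATE KEY-----$' || return 3
    done
    return 0
}

cert_digest() {
    # Prints the signature digest of a certificate, e.g. sha256WithRSAEncryption.
    openssl x509 -noout -text -in "$1" | sed -n 's/^ *Signature Algorithm: \(.*\)$/\1/p' | head -n 1
}

# Demonstration run into a temporary directory; for real use point the directory
# at something like /etc/mysql/ssl and put those paths into my.cnf.
if command -v openssl >/dev/null 2>&1; then
    demo_dir=$(mktemp -d)
    gen_mysql_certs "$demo_dir" "${DIGEST:-sha256}" \
        && check_mysql_certs "$demo_dir" \
        && printf 'all checks passed in %s (signed with %s)\n' "$demo_dir" \
            "$(cert_digest "$demo_dir/server-cert.pem")"
fi
```

Run it as DIGEST=sha1 ./script.sh only when the server really is a yaSSL build; everything else should stay on SHA-256, and cert_digest shows which one a given certificate ended up with.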
I am trying to connect to a MariaDB server using self-signed SSL certificates. What I did so far:
CA:
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 365000 -key ca-key.pem -out ca-cert.pem
Server:
openssl req -newkey rsa:2048 -nodes -days 365000 -keyout server-key.pem -out server-req.pem
openssl x509 -req -days 365000 -set_serial 01 -in server-req.pem -out server-cert.pem -CA ca-cert.pem -CAkey ca-key.pem
Client:
openssl req -newkey rsa:2048 -nodes -days 365000 -keyout client-key.pem -out client-req.pem
openssl x509 -req -days 365000 -set_serial 01 -in client-req.pem -out client-cert.pem -CA ca-cert.pem -CAkey ca-key.pem
(everything generated in /etc/mysql/ssl and chown mysql: server-key.pem)
After that, I changed my config files (/etc/mysql/mariadb.conf.d/50-server.cnf and 50-client.cnf):
50-client.cnf added lines:
ssl-ca=/etc/mysql/ssl/ca-cert.pem
ssl-cert=/etc/mysql/ssl/client-cert.pem
ssl-key=/etc/mysql/ssl/client-key.pem
50-server.cnf added lines:
bind-address = 0.0.0.0
ssl-ca = /etc/mysql/ssl/ca-cert.pem
ssl-cert = /etc/mysql/ssl/server-cert.pem
ssl-key = /etc/mysql/ssl/server-key.pem
ssl = true
Everything seemed to work fine, but as soon as I change the 50-client.cnf and try to connect to the MariaDB server I get the following error message:
ERROR 2026 (HY000): SSL connection error: The certificate is NOT trusted. The name in the certificate does not match the expected.
Anyone got an idea what I could do to make it work?
I'm having difficulties connecting Google Apps Script to my MariaDB instance.
This is the GAS I am using for this example:
https://gist.github.com/HappymanOkajima/8740727662e9ba0e0ffd52006484c47f
The MariaDB instance is from the original dockerhub image: mariadb:10.4
I have successfully configured MariaDB to run with SSL (verified with Metabase, and it shows 'have_ssl'='YES')
For context, the following commands were used to generate ssl keys:
Generate key for CA-cert
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 > ./ca-key.pem
Generate CA-cert
openssl req -new -x509 -nodes -days 36500 -key ./ca-key.pem -out ./ca-cert.pem -subj "/C=US/ST=NY/L=NTC/O=company/CN=company"
Create SQL server key
openssl req -newkey rsa:4096 -nodes -keyout ./server-key.pem -out ./server-req.pem -subj "/C=US/ST=NY/L=NTC/O=company/CN=sql.server.com"
Create SQL server cert
openssl x509 -req -in ./server-req.pem -days 36500 -CA ./ca-cert.pem -CAkey ./ca-key.pem -CAcreateserial -out ./server-cert.pem
Convert server key to RSA (mariadb only reads this)
openssl rsa -in ./server-key.pem -out ./server-key-rsa.pem
SQL server is configured with ca-cert.pem, server-cert.pem and server-key-rsa.pem
Create Client Key (for Supermetrics)
openssl req -newkey rsa:4096 -nodes -keyout ./client-key.pem -out ./client-req.pem -subj "/C=US/ST=NY/L=NTC/O=company/CN=supermetrics"
Create client cert
openssl x509 -req -in ./client-req.pem -days 36500 -CA ./ca-cert.pem -CAkey ./ca-key.pem -CAcreateserial -out ./client-cert.pem
Create RSA version, for Supermetrics
openssl rsa -in ./client-key.pem -out ./client-key-rsa.pem
I then used cat to print these files: ca-cert.pem, client-cert.pem, client-key.pem
And copy-pasted the strings into the Google Apps Script, appending \n\ to the end of each line.
This is the error that shows:
Exception: Failed to establish a database connection. Check connection string, username and password.
I have also verified that if I remove ?useSSL=true, the connection completes successfully.
What am I missing here? I have scoured every Google dev forum posting and Stack Overflow question on this, and they all seem to say that this is the correct solution. Is anyone able to replicate this to verify?
I am trying to enable TLS on MySQL on Windows, trying out the following steps:
c:/mysqlCert> openssl genrsa 2048 > ca-key.pem
c:/mysqlCert> openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem
c:/mysqlCert> openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem
c:/mysqlCert> openssl rsa -in server-key.pem -out server-key.pem
c:/mysqlCert> openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
c:/mysqlCert> openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem
c:/mysqlCert> openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
c:/mysqlCert> openssl verify -CAfile ca.pem server-cert.pem client-cert.pem
Now inside mysqlCert I get the following files:
Inside the my.ini file under section [mysqld] I added the following:
ssl-ca = "C:\mysqlCert\ca.pem"
ssl-cert = "C:\mysqlCert\server-cert.pem"
ssl-key = "C:\mysqlCert\server-key.pem"
After the above I enter the command:
SHOW GLOBAL VARIABLES LIKE 'have_%ssl';
And I don't see OpenSSL as enabled; it's still DISABLED, and the SSL variables point to the SSL files as follows:
So, please help me out; what am I doing wrong?
In the mysqld block, change the "\" to "/" like this, because you are in a Windows environment:
ssl-ca = "C:/mysqlCerts/ca-cert.pem"
ssl-cert = "C:/mysqlCerts/server-cert.pem"
ssl-key = "C:/mysqlCerts/server-key-ppless.pem"
Hey, I want to connect to a MySQL db using an SSL secure connection. I did the following:
Created self-signed certificates (resource: https://dev.mysql.com/doc/refman/5.6/en/creating-ssl-files-using-openssl.html):
#server
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem
openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
#client
openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem
openssl rsa -in client-key.pem -out client-key.pem
openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
#signing
openssl verify -CAfile ca.pem server-cert.pem client-cert.pem
Created the my.cnf file in C:\Program Files\MySQL\MySQL Server X.Y (since it didn't exist) and added these lines (resource: https://dev.mysql.com/doc/connector-net/en/connector-net-tutorials-ssl.html)
ssl-ca=c:/certs/ca.pem
ssl-cert=c:/certs/server-cert.pem
ssl-key=c:/certs/server-key.pem
Then connected to MySQL using root and created the sslclient user:
CREATE USER 'sslclient'@'localhost';
Now when I'm trying to connect to the MySQL db using SSL:
mysql -h localhost -u sslclient -p --ssl=1 --ssl-cert=client-cert.pem --ssl-key=client-key.pem --ssl-ca=ca.cert
I get the following exception:
SSL connection error: SSL is required but the server doesn't support it
I also tried it as the root user, and also tried to change the SSL settings through MySQL Workbench > right click on my connection > edit connection > connection > ssl and filled in the relevant fields.
EDIT: I found out that the .cnf can be the .ini file (located at C:\ProgramData\MySQL\MySQL Server X.Y), so I added the ssl-x lines to it, but now I'm getting this error:
SSL connection error: ASN: bad other signature confirmation
My task is to make all local and remote connections to MySQL encrypted and all clients must be verified by client SSL certificates.
But I can't even connect to MySQL from the shell and always get 'Access denied for user ssluser@localhost...'
Platform:
Amazon EC2 micro with Amazon Linux AMI (all updates installed)
MySQL 5.7.7
I have created the self-signed certificate in accordance with this instruction
# Create CA certificate
# -----------
# CN = localdomain.com
$ openssl genrsa 2048 > ca-key.pem
$ openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem
# Create server certificate, remove passphrase, and sign it
# server-cert.pem = public key, server-key.pem = private key
# -----------
# CN = cn1.localdomain.com
$ openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem
$ openssl rsa -in server-key.pem -out server-key.pem
$ openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
# Create client certificate, remove passphrase, and sign it
# client-cert.pem = public key, client-key.pem = private key
# -----------
# CN = cn2.localdomain.com
$ openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem
$ openssl rsa -in client-key.pem -out client-key.pem
$ openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
I have created the MySQL DB user for testing
CREATE USER 'ssl-user'@'%' identified by '123';
GRANT USAGE ON *.* TO 'ssluser'@'%' identified by '123' REQUIRE X509;
FLUSH PRIVILEGES;
Edited my.cnf
[mysqld]
ssl-ca=/etc/pki/mysql_ssl/ca.pem
ssl-cert=/etc/pki/mysql_ssl/server-cert.pem
ssl-key=/etc/pki/mysql_ssl/server-key.pem
[client]
ssl-cert=/etc/pki/mysql_ssl/client-cert.pem
ssl-key=/etc/pki/mysql_ssl/client-key.pem
and restarted mysqld...
Then I am trying to connect from the shell
mysql -ussluser -p123123123 --ssl-cert=/etc/pki/mysql_ssl/client-cert.pem --ssl-key=/etc/pki/mysql_ssl/client-key.pem
And I always get 'Access denied for ssluser@localhost (using password: YES)'.
I also tried to use our purchased WildCard Comodo Certificates to only encrypt the connection (but not verify the client) with no success.
I am a bit confused because I know a lot of people actually do MySQL SSL, but I still can't get it working.
Any help would be much appreciated.
Problem is solved.
I switched back to MySQL 5.6
Re-created CA, server and client certificates with this detailed instruction
Added to my.cnf the client SSL section
[client]
ssl-ca=/etc/pki/mysql_ssl/ca-cert.pem
ssl-cert=/etc/pki/mysql_ssl/client-cert.pem
ssl-key=/etc/pki/mysql_ssl/client-key.pem
Created new mysql user
CREATE USER 'x509test'@'%' IDENTIFIED BY 'MyPassword1';
GRANT USAGE ON *.* TO 'x509test'@'%' REQUIRE X509;
FLUSH PRIVILEGES;
And finally I am able to connect
$ mysql --user=x509test --password --ssl-ca=/etc/pki/mysql_ssl/ca-cert.pem --ssl-cert=/etc/pki/mysql_ssl/client-cert.pem --ssl-key=/etc/pki/mysql_ssl/client-key.pem
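A check script, added here as an example and not taken from any of the posts above, that reads the ssl-ca / ssl-cert / ssl-key lines of a my.cnf or my.ini and reports the configuration mistakes that recur on this page: backslashes in Windows paths (the my.ini post, where the answer was to switch to "/"), a PKCS#8 private key that yaSSL-based and older servers will not read (the "convert server key to RSA" step), a look-alike non-ASCII letter pasted into a file name, a file that is missing or is not PEM, and a passphrase-protected key that mysqld cannot unlock. The config and PEM-shaped files it lints are constructed placeholders (only the PEM headers are inspected, so no real keys are involved); the option names are the real ones from the posts.

```shell
#!/bin/sh
# Added example, not from any of the posts above. Lints the three certificate
# options of a MySQL/MariaDB option file. make_sample_config builds constructed
# placeholder data for the demonstration; point lint_mysql_ssl_config at a real
# my.cnf / my.ini to check it.

lint_mysql_ssl_config() {
    # $1 = option file. Prints one "option: problem" line per finding and returns
    # 1 if anything was found, 0 if the ssl-ca / ssl-cert / ssl-key lines look sane.
    cfg=$1; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#"${line%%[![:space:]]*}"}            # drop leading whitespace
        case "$line" in ssl-ca*=*|ssl-cert*=*|ssl-key*=*) ;; *) continue ;; esac
        key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
        # strip surrounding whitespace and optional double quotes from the value
        value=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*"\{0,1\}//; s/"\{0,1\}[[:space:]]*$//')
        case "$value" in *\\*)
            # the option-file parser treats "\" as an escape character
            printf '%s: path uses backslashes (%s); use "/" or double them in an option file\n' "$key" "$value"
            bad=1 ;;
        esac
        if printf '%s' "$value" | LC_ALL=C grep -q '[^ -~]'; then
            printf '%s: path contains a non-ASCII byte (look-alike letter?): %s\n' "$key" "$value"
            bad=1
        fi
        case "$value" in [A-Za-z]:*) continue ;; esac    # Windows drive path: cannot stat it here
        if [ ! -r "$value" ]; then
            printf '%s: file missing or unreadable: %s\n' "$key" "$value"
            bad=1; continue
        fi
        header=$(head -n 1 "$value")
        if [ "$key" = ssl-key ]; then
            if head -n 3 "$value" | grep -q ENCRYPTED; then
                printf '%s: private key is passphrase-protected; mysqld cannot prompt for it\n' "$key"; bad=1
            elif [ "$header" = '-----BEGIN PRIVATE KEY-----' ]; then
                printf '%s: PKCS#8 key; yaSSL-based and older servers only read PKCS#1, convert with "openssl rsa -in k -out k" (add -traditional on OpenSSL 3)\n' "$key"; bad=1
            elif [ "$header" != '-----BEGIN RSA PRIVATE KEY-----' ]; then
                printf '%s: not a PEM RSA private key (%s)\n' "$key" "$header"; bad=1
            fi
        elif [ "$header" != '-----BEGIN CERTIFICATE-----' ]; then
            printf '%s: not a PEM certificate (%s)\n' "$key" "$header"; bad=1
        fi
    done < "$cfg"
    return $bad
}

make_sample_config() {
    # Constructed demonstration data: a temp directory with PEM-shaped placeholder
    # files (not real keys or certificates) and an option file that reproduces the
    # mistakes seen on this page. Prints the path of the option file.
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed-placeholder' '-----END CERTIFICATE-----' > "$d/ca-cert.pem"
    cp "$d/ca-cert.pem" "$d/server-cert.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'constructed-placeholder' '-----END PRIVATE KEY-----' > "$d/server-key.pem"
    # The [client] ssl-key below starts with a Cyrillic "с" (U+0441), not a Latin "c".
    cat > "$d/my.cnf" <<EOF
[mysqld]
ssl-ca=$d/ca-cert.pem
ssl-cert=$d/server-cert.pem
ssl-key=$d/server-key.pem
[client]
ssl-ca = "C:\\mysqlCert\\ca.pem"
ssl-cert=$d/server-cert.pem
ssl-key=$d/сlient-key.pem
EOF
    printf '%s\n' "$d/my.cnf"
}

# Demonstration: lint the constructed option file (expected: four findings).
cfg=$(make_sample_config)
lint_mysql_ssl_config "$cfg" || printf 'problems found in %s\n' "$cfg"
```

On the constructed file it reports the PKCS#8 server key, the backslashes in the Windows ssl-ca path, and both the non-ASCII byte and the missing file for the client key; a file whose three options point at a PEM certificate and a PKCS#1 key passes with exit status 0.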