We've got a client application that connects to our online MySQL database (5.1.44-community-log) thru a ODBC connector (the server is a managed* dedicated webserver). This works very nice. However I can't get it to work using SSL. This is what I've done so far:
1. MySQL server
I've got the server manager* set up MySQL with SSL, this is 'proven by':
mysql> SHOW VARIABLES LIKE '%ssl%';
which results is this response:
+---------------+---------------------------------+
| Variable_name | Value |
+---------------+---------------------------------+
| have_openssl | YES |
| have_ssl | YES |
| ssl_ca | /***/mysql-cert/ca-cert.pem |
| ssl_capath | |
| ssl_cert | /***/mysql-cert/server-cert.pem |
| ssl_cipher | |
| ssl_key | /***/mysql-cert/server-key.pem |
+---------------+---------------------------------+
Question: is the server configured right? I'm guessing it is...
2. Certificates
I've purchased real certificates (via my server manager). These are in the directory shown above. I've also downloaded the client-cert.pem, client-key.pem and ca-cert.pem from that directory.
3. MySQL user with REQUIRE [SSL|X509]
I've created a new user and then granted it access from any location (for testing) with SSL:
GRANT USAGE ON *.* TO 'somevaliduser'#'%' IDENTIFIED BY PASSWORD 'somevalidpass' REQUIRE X509
4. ODBC Client
I've (just downloaded and) installed : mysql-connector-odbc-5.1.8-winx64.msi (64-bit) as my machine is a 64-bit Windows 7 machine (so that's not what's wrong).
And I've created a User DSN configuring it like this (no options set on tabs), which shows it connecting to the server (however not using - nor requesting to do so - SSL) successfully (using some valid user which doesn't requires SSL):
So the connection is able to establish, now try using SSL.
This is configured like this, which is like I've read about on MySQL.com. So I'm not 100% sure the options set are right.
As you can see it results in a error HY000. Turning on tracing (within the ODBC configuration) also shows this error.
Can anyone give me a hint on how to make this work? Even if you know about just a part of the solution?
I solved the problem. Because I tried several things at a time I don't know what did the trick:
I've had the server manager re-create the certificates: I bought some but I found out that those couldn't be used to SSL-encrypt the connection. So for now I'm using OpenSSL certificates. I've had them re-create the certificates with 4) Create your client .... server. They must be unique. (as mentioned here) in mind.
I guess the checkbox 'Verify SSL Certificate' only applies when you buy a certificate and a thrid party service should check the validity of the certificate. Uncheck that box!
Only fill out the fields:
'SSL Key' (c:\path_to\client-key.pem)
'SSL Certificate' (c:\path_to\client-cert.pem)
'SSL Certificate Authority' (c:\path_to\ca-cert.pem)
Please note:
The port is still the same (for me).
The logs - as Michal Niklas proposed - didn't show any usefull information.
I've toggled on 'Use compression' which is said to improve performance.
I am using Ubuntu 12.04 LTS with MySQL
Ver 5.5.22-0ubuntu1 for debian-linux-gnu on x86_64 ((Ubuntu)) and OpenSSL OpenSSL 1.0.1 14 Mar 2012
I created the certificates following the tutorial on
http://www.thomas-krenn.com/de/wiki/MySQL_Verbindungen_mit_SSL_verschl%C3%BCsseln
(The tutorial is in German, but this is not important here).
When trying to connect with
mysql -u root -p --ssl-ca=/etc/mysql/ca-cert.pem --ssl-cert=/etc/mysql/client-cert.pem --ssl-key=/etc/mysql/client-key.pem --protocol=tcp
I always got an error message SSL connection error: protocol version mismatch
This lead me to the site
http://bugs.mysql.com/bug.php?id=64870
which confirms (for me) that there is a bug.
To make a long story short. In the end I created all certificates using my MacOS X Lion, copied the certificates to the server and client and it worked immediately!
When I got the Linux side working, Windows worked immediatly, too!
As mentioned above, you just have to set client-key, client-cert and ca-cert!
Related
I've been browsing the web and this site from other users which have had this issue and reading the comments to resolve however I've not had much luck and i'm going bonkers trying to work out the issue.
I have two servers - Win Server 2019 and both use XAMPP with Apache and MYSQL, the first server (1) has been running for over a year perfectly fine, however I'm setting up another server (2) to use as a test environment but with a fresh install of windows, xampp along with the Apache/MYSQL modules.
I'm using Invision Community application but I'm getting this upon the first page of installation:
MySQL Requirements
Fatal error: Uncaught mysqli_sql_exception: Access denied for user ''#'localhost' (using password: NO) in C:\xampp\htdocs\ips4.php:317 Stack trace: #0 C:\xampp\htdocs\ips4.php(317): mysqli->__construct('localhost') #1 C:\xampp\htdocs\ips4.php(340): my_mysqli->__construct('localhost') #2 {main} thrown in C:\xampp\htdocs\ips4.php on line 317
IPS4.php is just a file to state whether the server meets all the requirements for the application.
I've then compared MYSQL on (1) to the install on (2) and I've matched the details, given privileges to "root" user on all of the available databases within PHPMYADMIN, granted full grants and then reloaded them, restarted MYSQL and Apache and still same issue.
Normally the Invision software continues through to then request the database details, user details etc. but it hasn't got to that point yet.
The only differences I can see between both servers is (1) is running PHP 7.3.7 | Apache 2.4.39 | MySQL 5.0.12 and server (2) is running PHP 8.2.0 | Apache 2.4.54 | MySQL 8.2.0
I was hoping I would just install XAMPP and then transfer the files to install the software and then configure it to choose which DB/User and then install and get started but apparently not.
ROOT doesn't have a password on (2) but does on (1), when I add a password to (2), I'm then unable to access PHPMYADMIN and doesn't ask for a password to log in. I've spent a few hours today trying to resolve this but now I think I'd like some advice. Many thanks
Setting root password, then flushing privileges, granting full permissions on all databases, copying the mysql files from server (1) to server (2). uninstalling XAMPP and reinstalling.
I don't recall ever needing to do anything for permissions when I setup this software on server (1). I've also installed this software on a few linux servers but didn't enjoy using linux so I stopped using it.
EDIT: It seems it's using MariaDB 10.4.27
Set a password for root on (2).
Change the phpMyAdmin config.inc.php file,change
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['user'] = '';
$cfg['Servers'][$i]['password'] = '';
then phpMyAdmin will throw a login dialog and ask for a user/password
That should sort out the phpMyAdmin issue.
Big Note: You really should not be using the root account for any app/website access. Instead you should create a user account in MySQL/mariaDB one for each app/website that has access only to the database(s) required for that app/website. (Basic Security)
There was a user called "Any" hostname "%" which looks to be what was causing the issue, I gave it access to all databases (most likely wrong thing to do but it's internally accessed only - no access outside of our network).
This got rid of the error
Thanks for your help
I cannot find answer on google on that anywhere (because of SEO and nature of english language I cannot ask correct question as I am not native)
I'll try to explain as simple as I can:
I connected to mysql as root
Did use mysql;
Did select user,host,password from mysql.user;
I got in response:
+---------+-----------+-------------------------------------------+
| User | Host | Password |
+---------+-----------+-------------------------------------------+
| root | localhost | *5298BA3BC4092F7B664B1A71FE173FBA4F8C6BA1 |
| mysql | localhost | invalid |
Is this normal? After my server was hacked, I rebuild it from scratch, reinstalled mariadb with the same settings as before but I don't remember if this is normal.
MariaDB version is:
mysql Ver 15.1 Distrib 10.4.11-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2
I have very large database (over 4GB) and cannot do a single query on it because error 2013 (i.e. "Lost connection to MySQL server during query") so I am trying to narrow the cause of malfunction. Struggling with the problem for 5 days and I am out of options so just curious if this may have something to do with it.
It's not very clear in their documentation, but it appears to be the normal initial string for a user's password:
https://mariadb.com/kb/en/authentication-from-mariadb-104/
... an invalid password is initially set, so in order to authenticate this way, a password must be set with SET PASSWORD.
Later in the same page:
... the old authentication method — conventional MariaDB password — is still available. By default it is disabled (“invalid” is not a valid password hash), but one can set the password with a usual SET PASSWORD statement.
The string "invalid" is used instead of a legitimate hash string, because there's no way any password you type could be hashed and result in the string "invalid." That string isn't even the right length to be the result of a hash. Also, it contains characters that are not valid hexadecimal digits.
Practically any other word or phrase could be stored in place of the word "invalid," this is just what the developer chose to use.
Note this trick of storing a non-hash string in the field intended for a password hash doesn't work in MySQL 5.7. I've seen this trick used before in MySQL 5.6, but when we upgraded to MySQL 5.7, it wouldn't accept a string in that place unless it was a valid hash string.
The short answer:
Nothing is wrong with your user credentials, and unless you don't have a good reason for there is no need to change the password.
The long answer:
Since MariaDB 10.4.3 the default authentication method for connections using the unix socket (connecting to localhost without specifying a TCP port) is the unix_socket authentication. Unix socket authentication doesn't require a password anymore:
When the client opens a connection to the server, the server checks the uid of the process which opened the socket connection and retrieves the user name associated to the uid.
A major advantage of this authentication method is that no additional plug-in is required on the client side, so all database driver will support this authentication method out of the box.
I have a wildcard cert issued from rapidssl, using CN=*.mydomain.com. I have a web server and a mysql db server. The certs are working fine for web site access. Now I want to enable ssl for my app to mysql. I've enabled ssl in the mysql server without issue:
+---------------+---------------------------------+
| Variable_name | Value |
+---------------+---------------------------------+
| have_openssl | YES |
| have_ssl | YES |
However, when I try to connect using the client/ssl, I get:
ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
This appears to be documented here:
http://dev.mysql.com/doc/refman/5.5/en/creating-ssl-certs.html
It says I can't use the same CN for the certs. I don't understand how a wildcard cert can be used then. Does that mean I also have to purchase host specific certs just for the mysql connection?
I don't work with SSL very much so I'm finding it difficult figuring out how this is supposed to be set up. Any pointers, even obvious ones, will likely help at this stage.
Running:
mysql Ver 15.1 Distrib 5.5.32-MariaDB, for debian-linux-gnu (x86_64) using readline 5.1
ubuntu 12.04
Make sure to use an absolute path to the ca-cert given for the --ssl-ca option.
Relative paths, or shell expansions (like ~) won't work and will produce ERROR 2026 (HY000): SSL connection error: ASN: bad other signature confirmation.
This isn't documented anywhere that I can see in the mysql man page, or in the SSL Command Options of the MySQL Manual (http://download.nust.na/pub6/mysql/doc/refman/5.1/en/ssl-options.html).
I have a similar issue, apparently from what i have read all the binary (precompiled) versions of MySQL Community Edition (maybe the same applies to MariaDB), comes bundled with yaSSL not openSSL existing some limitations and restrictions from that library. According to the manual of mysql (https://dev.mysql.com/doc/refman/5.6/en/secure-connection-options.html)
" yaSSL does not look in any directory and does not follow a chained certificate tree.yaSSL requires that all components of the CA certificate tree be contained within a single CA certificate tree and that each certificate in the file has a unique SubjectName value. To work around this yaSSL limitation, concatenate the individual certificate files comprising the certificate tree into a new file and specify that file as the value of the --ssl-ca option".
If you want to check if your MySQL instalation uses yaSSL or openSSL you can follow the steps in this forum (http://mysqlblog.fivefarmers.com/2013/05/14/how-to-tell-whether-mysql-server-uses-yassl-or-openssl/). It tells to see the status variable ‘
Rsa_public_key’ with ‘show status like ‘%rsa%’ if your MySQL installation comes with yaSSL the results must be empty because no such variable exists in distributions with yaSSL.
Other possible cause is that the hostname on your server doesn't match with the subject of the server certificate (argument of the --ssl-cert parameter) for that compare the output of the command
shell> hostname
with the DNS subject in the server certificate, you could get it using the next command (look the part where it says "X509v3 Subject Alternative Name:"):
shell> openssl x509 -in "your-server-certificate" -noout -text
If none of this work you could see the next page http://milcom.us/2012/11/02/encrypted-mysql-connections/
PS: English is not my native language, sorry for any grammatical error
I was having the following error:
[root#example ~]$ mysql
ERROR 2026 (HY000): SSL connection error
FIX that worked for me: Server and client "Common Name" in certificates must be different than CA's. After changing the CNs the error stopped; I verified the connection status:
mysql> status;
...
SSL: Cipher in use is DHE-RSA-AES256-SHA
...
Source:
"Important Whatever method you use to generate the certificate and key
files, the Common Name value used for the server and client
certificates/keys must each differ from the Common Name value used for
the CA certificate. Otherwise, the certificate and key files will not
work for servers compiled using OpenSSL."
http://dev.mysql.com/doc/refman/5.0/en/creating-ssl-certs.html
PS: I'm not using wildcard certificates and/or a third party CA, I'm creating my own signed certificates, which works OK for me: http://angelcool.net/sphpblog/comments.php?y=14&m=05&entry=entry140511-164525
MySQL doesn't work with wildcard certificates. There are a number of difficiencies with MySQL and SSL.
See my post on Getting MySQL server to run with SSL (and also the post that I refer to therein).
I connect from CentOS-7 version ojf 5.6.29-76.2-log Percona Server and Client
to CentOS-6 (Server version: 5.6.23-72.1-log Source distribution Percona), also get this issue.
Add the option will fix it:
--ssl-cipher=AES128-SHA
maybe anther ssl-cipher will also fixed.
I am trying to setup Sonar 3.6 and/or 3.6.2 with SQL Server 2008. For testing in preparation of conversion from MySql to SQL Server. I am getting no errors when running:
sonar.sh console
Console Output:
Running sonar...
wrapper | --> Wrapper Started as Console
wrapper | Launching a JVM...
jvm 1 | Wrapper (Version 3.2.3) http://wrapper.tanukisoftware.org
jvm 1 | Copyright 1999-2006 Tanuki Software, Inc. All Rights Reserved.
jvm 1 |
jvm 1 | 2013-07-31 11:41:12.374:INFO:oejs.Server:jetty-7.6.11.v20130520
jvm 1 | JRuby limited openssl loaded. http://jruby.org/openssl
jvm 1 | gem install jruby-openssl for full support.
jvm 1 | 2013-07-31 11:41:43.963:INFO:oejsh.ContextHandler:started o.e.j.w.WebAppContext{/,file:/alm/sonar-3.6.2/war/sonar-server/},file:/alm/sonar-3.6.2/war/sonar-server
jvm 1 | 2013-07-31 11:41:44.034:INFO:oejs.AbstractConnector:Started SelectChannelConnector#0.0.0.0:29000
I am running my database on a remote server. This should not be a problem though.
I am able to access the server with the same credentials with DBVisualizer, so I would imagine it should go through with sonar.
The driver I am using is the one bundled with sonar.
The error that I am getting is web based when I try and access the server.
We're sorry, but something went wrong.
Please try back in a few minutes and contact support if the problem persists.
<%= link_to "Go back to the homepage", home_path %>
When I use the h2 embedded database I have no problem accessing it, so I deduce that this is most likely a problem with my database setup.
---------------------------------------------------------
# WEB SETTINGS - STANDALONE MODE ONLY
# These settings are ignored when the war file is deployed to a Java EE server.
#---------------------------------------------------------
# Listen host/port and context path (for example / or /sonar). Default values are 0.0.0.0:9000/.
sonar.web.host: localhost
sonar.web.port: 9500
sonar.web.context: /sonar
# Log HTTP requests. Deactivated by default.
#sonar.web.jettyRequestLogs: ../../logs/jetty-yyyy_mm_dd.request.log
#sonar.web.jetty.threads.min: 5
#sonar.web.jetty.threads.max: 50
#-----------------------------------------------------------------------
# DATABASE
#
# IMPORTANT : the embedded database H2 is used by default.
# It is recommended for tests only. Please use an external database
# for production environment (MySQL, Oracle, Postgresql, SQLServer)
#
#-----------------------------------------------------------------------
#----- Credentials
# Permissions to create tables and indexes must be granted to JDBC user.
# The schema must be created first.
sonar.jdbc.username: sonar
sonar.jdbc.password: sonar
#----- Embedded database H2
# Note : it does not accept connections from remote hosts, so the
# sonar server and the maven plugin must be executed on the same host.
# Comment the following line to deactivate the default embedded database.
#sonar.jdbc.url: jdbc:h2:tcp://localhost:19092/sonar
#sonar.jdbc.driverClassName: org.h2.Driver
# directory containing H2 database files. By default it's the /data directory in the sonar installation.
#sonar.embeddedDatabase.dataDir:/alm/sonar/apache-tomcat-7.0.41/data
# H2 embedded database server listening port, defaults to 9092
#sonar.embeddedDatabase.port: 19092
...
...
#----- Microsoft SQLServer
# The Jtds open source driver is available in extensions/jdbc-driver/mssql. More details on http://jtds.sourceforge.net
sonar.jdbc.url
jdbc:jtds:sqlserver://(REMOTE IP ADDRESS);instance=MSSQLSERVER;databaseName=SONAR;selectMethod=cursor;
# Optional properties
sonar.jdbc.driverClassName: net.sourceforge.jtds.jdbc.Driver
The sonar username that I have has all permissions for the SONAR database.
I am probably missing something small any help is appreciated.
Solved it:
The problem is I needed to create a sonar schema, and associate the sonar user to it for the sonar database.
I also ensured that the sonar user had the permissions that it needed in order to create the database. Started up perfectly.
I think that I have read just about everything on the Internet that there is about this subject but non of them fully help with my situation.
Firstly I have grasped the concept that this error message is related to mySql passwords, but here is my scenario.
I have my local PC set up as a web server for development purposes and I have phpMyAdmin installed. I also have a similar setup on my laptop, and the third part is that I have a hosted web account.
On my desktop I could connect to the mySql database on the desktop and to my hosted account no problem. I then decided that it would be a good idea (in retrospect read bad idea) to update the desktop to the latest versions and since doing so I have been getting the dreaded "mysqlnd cannot connect to MySQL 4.1+" message when I try to access my host via phpMyAdmin. There is no problem with accessing the host via my laptop or via my host's Control Panel.
Therefore I am thinking that the problem is something to do with my desktop sever installation, but for the life of me I cannot figure out what it could be.
The configurations are:
----------------- Desktop ---------------Laptop -----------Host
Apache ---------- 2.2.17 --------------- 2.1.11 ---------- 2.2.11
PHP ---------------5.3.5 ----------------- 5.2.9-2 --------- 5.2.9-2
mySql server --- 5.5.12 ---------------- 5.1.34 ---------- 5.0.41
mySql client ---- mysqld 5.0.7-dev --- 5.0.24a -------- 5.0.24
OS -------------- Win 7 (64 bit) --------- Win 7 (32 bit) --- nix
Any help or suggestion would be appreciated
Don't use the mysqlnd driver for phpMyAdmin. Try instead mysql or mysqli. You should see a line something like
$cfg['Servers'][$i]['extension'] = 'mysqlnd';
in /etc/phpmyadmin/config.inc.php. Try changing mysqlnd to mysqli or mysql.