If someone can tell me what I'm doing wrong it'd be great.
If not, I'll settle for any other solution to goal.
I need to remotely insert mysql rows. And I want it to be secure. I'm writing it all in jruby. Thanks, here's what I did so far,
I get a:
ERROR 2026 (HY000): SSL connection error
When remotely try to access it with ssl:
mysql -h host -u ssl_test -p --ssl-ca=ca-cert.pem
I can connect remotely just fine to a user without require ssl. (mysql -h host -u user -p)
I can also connect to this user locally with:
mysql -h host -u ssl_test -p --ssl-ca=ca-cert.pem
The ca-cert.pem are the same and the permissions for ssl_test is:
+--------------+----------------+----------+
| Host | User | ssl_type |
+--------------+----------------+----------+
| % | ssl_test | ANY |
I generated the ca-cert and server-cert with:
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 1000 -key ca-key.pem > ca-cert.pem
openssl req -newkey rsa:2048 -days 1000 -nodes -keyout server-key.pem > server-req.pem
openssl x509 -req -in server-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
straight out of http://dev.mysql.com/doc/mysql-security-excerpt/5.0/en/secure-create-certs.html
I also tried creating the client stuff for x509 but it returns the same error.
Did you use the same commonname for the server certificate and client certificate? http://orensol.com/2010/06/21/error-2026-hy000-ssl-connection-error-the-solution/
One thing to check is if your client
certificate and server certificate
have the same common name. You’ve
probably went through the certificate
generation procedure, and (like I did)
just entered the same common name for
both without noticing.
This is a nasty error message that
doesn’t tell you anything, and there’s
nothing in the error log to imply what
went wrong. So remember – when
generating your own certificates for a
mysql server, use different common
names for client and server!
I've finally figured it out actually. Apparently my client - 5.1.x is not compatible with a 5.0.77 mysqld (yum install).
The only error message you get however, is ssl connection error.
I also only found this out by connecting remotely to a ubuntu mysql server.
I'm currently building a newer version of mysqld on my centos server.
Related
I'm having difficulties connecting Google Apps Script to my MariaDB instance.
This is the GAS I am using for this example:
https://gist.github.com/HappymanOkajima/8740727662e9ba0e0ffd52006484c47f
The MariaDB instance is from the original dockerhub image: mariadb:10.4
I have successfully configured MariaDB to run with SSL (verified with Metabase, and shows 'havessl'='YES')
For context, the following commands were used to generate ssl keys:
Generate key for CA-cert
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 > ./ca-key.pem
Generate CA-cert
openssl req -new -x509 -nodes -days 36500 -key ./ca-key.pem -out ./ca-cert.pem -subj "/C=US/ST=NY/L=NTC/O=company/CN=company"
Create SQL server key
openssl req -newkey rsa:4096 -nodes -keyout ./server-key.pem -out ./server-req.pem -subj "/C=US/ST=NY/L=NTC/O=company/CN=sql.server.com"
Create SQL server cert
openssl x509 -req -in ./kn-req.pem -days 36500 -CA ./ca-cert.pem -CAkey ./ca-key.pem -CAcreateserial -out ./server-cert.pem
Convert server key to RSA (mariadb only reads this)
openssl rsa -in ./server-key.pem -out ./server-key-rsa.pem
SQL server is configured with ca-cert.pem, server-cert.pem and server-key-rsa.pem
Create Client Key (for Supermetrics)
openssl req -newkey rsa:4096 -nodes -keyout ./client-key.pem -out ./client-req.pem -subj "/C=US/ST=NY/L=NTC/O=company/CN=supermetrics"
Create client cert
openssl x509 -req -in ./client-req.pem -days 36500 -CA ./ca-cert.pem -CAkey ./ca-key.pem -CAcreateserial -out ./client-cert.pem
Create RSA version, for Supermetrics
openssl rsa -in ./client-key.pem -out ./client-key-rsa.pem
I then used cat to print these files: ca-cert.pem, client-cert.pem, client-key.pem
And copy-pasted the strings into the Google Apps Script, appending \n\ to the end of each line.
This is the error that shows:
Exception: Failed to establish a database connection. Check connection string, username and password.
I have also verified that if I removed ?useSSL=true, the connection is completed successfully
What am I missing here? I have scoured every google dev forum posting and stackoverflow questions on this, and they all seem to say that this is the correct solution. Is anyone able to replicate this to verify?
I am attempting to use client certificates to limit secure access to an apache2 web server. However after installation google chrome returns a ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED error.
First I set up the CA for the Web Server by creating a CA key and an X509 PEM file:
openssl genrsa -out CA.key 2048
openssl req -x509 -new -nodes -key CA.key -days 7300 -out CA.pem
I already have an existing certificate for the web site set in apache2 for https communication allocated by a trusted third party. The following is the apache2 conf setting for this website where I have included SSLCACertificateFile for the certificate generated above, the SSLOptions, SSLVerifyClient and SSLVerfiyDepth directives:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName site.aname.com
ServerAdmin webmaster#localhost
DocumentRoot /var/www/html/site
<Directory /var/www/html/site>
Options FollowSymLinks
AllowOverride All
Require all granted
SSLOptions +StdEnvVars
SSLVerifyClient require
SSLVerifyDepth 1
</Directory>
LogLevel debug
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLCACertificateFile /etc/apache2/ssl/site/CA.pem
SSLCertificateFile /etc/apache2/ssl/site/fullchain.pem
SSLCertificateKeyFile /etc/apache2/ssl/site/privkey.pem
Include /etc/apache2/ssl/site/options-ssl-apache.conf
</VirtualHost>
</IfModule>
This completes the web server configuration and test without a client certificate and get the expected error.
I then generate a client certificate and sign with the CA and then package in pkcs12 with private key with the following:
GENERATE:
openssl genrsa -out user.key 2028
openssl req -new -key user.key -out user.csr
SIGN WITH:
openssl x509 -sha256 -req -in user.csr -out user.crt -CA CA.pem -CAkey CA.key -CAcreateserial -days 1095
CREATE PKCS12:
openssl pkcs12 -export -out user.pfx -inkey user.key -in user.crt
The resultant user.pfx is then installed on the user machines running chrome.
When attempting to connect, chrome asks for the key which is selected with the result being the error ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED.
Version of Chrome running under Windows 10 is: Version 74.0.3729.169 (Official Build) (64-bit)
Update:
I can connect successfully with curl from another linux server using:
curl --cert user.crt --key user.key --pass password https://site.aname.com/
however, the same from windows 10 command line results in:
curl: (35) schannel: next InitializeSecurityContext failed: Unknown error (0x80090027) - The parameter is incorrect
Solved by ensuring that the signed user certificate was a "version 3" X.509 certificate and specifying both Key Usage and Enhanced Key Usage attributes within the v3 extension. This was achieved my modifying the openssl.conf file for the X509 sign request or if you use the openssl CA command.
I got a certification error when I start my local environment in Google Chrome. The certificate is not valid. How can I fix this?
Don't forget to restart the httpd after replacing the server.key and server.crt.
As a temporary solution I created a new server certificate with:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt
The files server.key and server.crt must be copied to server/local/httpd/conf
I am trying to connect dovecot on 993 port but dovecot shows below error;
dovecot: imap-login: Disconnected (no auth attempts in 60 secs): user=<>, rip=192.***.***.***, lip=192.***.***.***, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=<3k6jgTwVLwDAqL+E>
squirrelmail config;
$imap_auth_mech = 'login';
$use_imap_tls = 1;
$imapServerAddress = 'dovecot.server';
$imapPort = 993;
When I try to telnet and openssl on squirrelmail server;
[root#aa ~]# telnet dovecot.server 993
Trying 192.***.***.***...
Connected to dovecot.server.
Escape character is '^]'.
[root#aa ~]# openssl s_client -connect dovecot.server:993
...
...
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
Note: 143 port works fine by the way.
Check your PHP error log for things like this:
PHP Warning: fsockopen(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed ..
PHP Warning: fsockopen(): Failed to enable crypto ..
PHP Warning: fsockopen(): unable to connect to tls://dovecot.server:993 (Unknown error) ..
If that's the case, the openssl library isn't able to verify your server's cert. It's easily fixed by adding the certificate for the connection to your local cert stash. You can find out where that is with <PRE><?php var_dump(openssl_get_cert_locations()); ?> </pre> and looking at the ini_cafile setting.
You can get your server's cert with this command:
openssl x509 -in <(openssl s_client -connect dovecot.server:993 -prexit 2>/dev/null) > /tmp/cacert.pem
Add it to the cert file, and you should be going.
One caveat: the certificate CN MUST match the hostname that you're using to connect to the server! If it's self-signed, make sure it's using dovecot.server as the CN.
My task is to make all local and remote connections to MySQL encrypted and all clients must be verified by client SSL certificates.
But I can't even connect to MySQL from shell and always getting 'Access denied for user ssluser#localhost...)'
Platform:
Amazon EC2 micro with Amazon Linux AMI (all updates installed)
MySQL 5.7.7
I have created the self-signed certificate in accordance with this instruction
# Create CA certificate
# -----------
# CN = localdomain.com
$ openssl genrsa 2048 > ca-key.pem
$ openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem
# Create server certificate, remove passphrase, and sign it
# server-cert.pem = public key, server-key.pem = private key
# -----------
# CN = cn1.localdomain.com
$ openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem
$ openssl rsa -in server-key.pem -out server-key.pem
$ openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
# Create client certificate, remove passphrase, and sign it
# client-cert.pem = public key, client-key.pem = private key
# -----------
# CN = cn2.localdomain.com
$ openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem
$ openssl rsa -in client-key.pem -out client-key.pem
$ openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
I have created the MySQL DB user for testing
CREATE USER 'ssl-user'#'%' identified by '123';
GRANT USAGE ON *.* TO 'ssluser'#'%' identified by '123' REQUIRE X509;
FLUSH PRIVILEGES;
Edited my.cnf
[mysqld]
ssl-ca=/etc/pki/mysql_ssl/ca.pem
ssl-cert=/etc/pki/mysql_ssl/server-cert.pem
ssl-key=/etc/pki/mysql_ssl/server-key.pem
[client]
ssl-cert=/etc/pki/mysql_ssl/client-cert.pem
ssl-key=/etc/pki/mysql_ssl/client-key.pem
and restarted mysqld...
Than I am trying to connect from shell
mysql -ussluser -p123123123 --ssl-cert=/etc/pki/mysql_ssl/client-cert.pem --ssl-key=/etc/pki/mysql_ssl/client-key.pem
And always get 'Access denied for ssluser#localhost (using password: YES).
I also tried to use our purchased WildCard Comodo Certificates to only encrypt the connection (but not verify the client) with no success.
I am a bit confused because I know a lot of people actually do MySQL SSL, but I am still can't get it working.
Any help would be much appreciated.
Problem is solved.
I switched back to MySQL 5.6
Re-created CA, server and client certificates with this detailed instruction
Added to my.cnf the client SSL section
[client]
ssl-ca=/etc/pki/mysql_ssl/ca-cert.pem
ssl-cert=/etc/pki/mysql_ssl/client-cert.pem
ssl-key=/etc/pki/mysql_ssl/сlient-key.pem
Created new mysql user
CREATE USER 'x509test'#'%' IDENTIFIED BY 'MyPassword1';
GRANT USAGE ON *.* TO 'x509test'#'%' REQUIRE X509;
FLUSH PRIVILEGES;
And finally I am able to connect
$ mysql --user=x509test --password --ssl-ca=/etc/pki/mysql_ssl/ca-cert.pem --ssl-cert=/etc/pki/mysql_ssl/client-cert.pem --ssl-key=/etc/pki/mysql_ssl/client-key.pem