How do I debug a MariaDB SSL connection? Unicorn Meta Zoo #1: Why another podcast? Announcing the arrival of Valued Associate #679: Cesar Manara Come Celebrate our 10 Year Anniversary!How to connect to Amazon RDS MySQL instance while preventing MITM attackCan OpenSSL be used to debug an SSL connection to a MySQL server?How to use client certificates with mysqlHow to debug certificate chains with OpenSSL?client SSL certificate verify error: (27:certificate not trusted)MySQL SSL ConnectionMariadb and “SSL connection error: unknown error number”MariaDB Galera Cluster ECDSA certificate and cipherMariaDB MySQL shows have_ssl disabled when certs are installledMariadb TLS does not enable
What if Force was not Mass times Acceleration?
A Paper Record is What I Hamper
How to open locks without disable device?
Suing a Police Officer Instead of the Police Department
What to do with someone that cheated their way through university and a PhD program?
Split coins into combinations of different denominations
Second order approximation of the loss function (Deep learning book, 7.33)
Would reducing the reference voltage of an ADC have any effect on accuracy?
Protagonist's race is hidden - should I reveal it?
What is "leading note" and what does it mean to "raise a note"?
Does Mathematica have an implementation of the Poisson Binomial Distribution?
How to count in linear time worst-case?
Is Bran literally the world's memory?
What is the ongoing value of the Kanban board to the developers as opposed to management
Has a Nobel Peace laureate ever been accused of war crimes?
Mistake in years of experience in resume?
What is the term for a person whose job is to place products on shelves in stores?
My admission is revoked after accepting the admission offer
Flash for group photos near wall
Where did Arya get these scars?
Raising a bilingual kid. When should we introduce the majority language?
What do you call the part of a novel that is not dialog?
Map material from china not allowed to leave the country
Identify story/novel: Tribe on colonized planet, not aware of this. "Taboo," altitude sickness, robot guardian (60s? Young Adult?)
How do I debug a MariaDB SSL connection?
Unicorn Meta Zoo #1: Why another podcast?
Announcing the arrival of Valued Associate #679: Cesar Manara
Come Celebrate our 10 Year Anniversary!How to connect to Amazon RDS MySQL instance while preventing MITM attackCan OpenSSL be used to debug an SSL connection to a MySQL server?How to use client certificates with mysqlHow to debug certificate chains with OpenSSL?client SSL certificate verify error: (27:certificate not trusted)MySQL SSL ConnectionMariadb and “SSL connection error: unknown error number”MariaDB Galera Cluster ECDSA certificate and cipherMariaDB MySQL shows have_ssl disabled when certs are installledMariadb TLS does not enable
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;
Since moving from MySQL to a newer MariaDB installation on Debian 9, I a struggling with SSL connections.
I have created a CA certificate and installed it on both server and client. I then have created server and client keys and certificates that I signed with the CA certificate.
What works:
I can connect from the client to the server with the mysql client without SSL connections.
I can verify the client certificate with openssl:
$ openssl verify MariaDB_client.crt
MariaDB_client.crt: OK
I understand that MariaDB uses yaSSL, but this still shows that the certificates and CA are correct, I think.
On the server, I have:
MariaDB> show global variables like '%ssl%';
+---------------------+--------------------------------------+
| Variable_name | Value |
+---------------------+--------------------------------------+
| have_openssl | NO |
| have_ssl | YES |
| ssl_ca | /etc/mysql/conf.d/MariaDB_ca.crt |
| ssl_capath | |
| ssl_cert | /etc/mysql/conf.d/MariaDB_server.crt |
| ssl_cipher | |
| ssl_crl | |
| ssl_crlpath | |
| ssl_key | /etc/mysql/conf.d/MariaDB_server.key |
| version_ssl_library | YaSSL 2.4.4 |
+---------------------+--------------------------------------+
What does not work:
If I add a .my.cnf file with the following content to the users $HOME directory...
[client]
ssl-ca=/--path--/MariaDB_ca.crt
ssl-cert=/--path--/MariaDB_client.crt
ssl-key=/--path--/MariaDB_client.key
...the connection fails with:
ERROR 2026 (HY000): SSL connection error: unable to verify peer checksum
In the server log, I find (not sure whether this is related):
[Warning] IP address 'ip.of.connecting.client' could not be resolved: Name or service not known
My questions:
How can I narrow down/debug this connection problem?
I found conflicting information about whether I should use the same or different CN for the server and client certificates. Currently, I use the same CN.
Are there particular access rights required for the certificates?
ssl ssl-certificate certificate-authority mariadb
add a comment |
Since moving from MySQL to a newer MariaDB installation on Debian 9, I a struggling with SSL connections.
I have created a CA certificate and installed it on both server and client. I then have created server and client keys and certificates that I signed with the CA certificate.
What works:
I can connect from the client to the server with the mysql client without SSL connections.
I can verify the client certificate with openssl:
$ openssl verify MariaDB_client.crt
MariaDB_client.crt: OK
I understand that MariaDB uses yaSSL, but this still shows that the certificates and CA are correct, I think.
On the server, I have:
MariaDB> show global variables like '%ssl%';
+---------------------+--------------------------------------+
| Variable_name | Value |
+---------------------+--------------------------------------+
| have_openssl | NO |
| have_ssl | YES |
| ssl_ca | /etc/mysql/conf.d/MariaDB_ca.crt |
| ssl_capath | |
| ssl_cert | /etc/mysql/conf.d/MariaDB_server.crt |
| ssl_cipher | |
| ssl_crl | |
| ssl_crlpath | |
| ssl_key | /etc/mysql/conf.d/MariaDB_server.key |
| version_ssl_library | YaSSL 2.4.4 |
+---------------------+--------------------------------------+
What does not work:
If I add a .my.cnf file with the following content to the users $HOME directory...
[client]
ssl-ca=/--path--/MariaDB_ca.crt
ssl-cert=/--path--/MariaDB_client.crt
ssl-key=/--path--/MariaDB_client.key
...the connection fails with:
ERROR 2026 (HY000): SSL connection error: unable to verify peer checksum
In the server log, I find (not sure whether this is related):
[Warning] IP address 'ip.of.connecting.client' could not be resolved: Name or service not known
My questions:
How can I narrow down/debug this connection problem?
I found conflicting information about whether I should use the same or different CN for the server and client certificates. Currently, I use the same CN.
Are there particular access rights required for the certificates?
ssl ssl-certificate certificate-authority mariadb
Alternatively, try dba.stackexchange.com
– Rick James
Mar 17 at 17:06
On DBA it could be a good idea too like @RickJames told, but please don't double post, just flag for a move if you want a move. Thanks you
– yagmoth555♦
Mar 18 at 13:34
Ok, I understand. How do I "flag for a move"?
– user52366
Mar 18 at 16:28
Click under the question flag, and enter that you want a move, but as it's answered now, I no longer think it's a good move IMO
– yagmoth555♦
Mar 18 at 16:52
add a comment |
Since moving from MySQL to a newer MariaDB installation on Debian 9, I a struggling with SSL connections.
I have created a CA certificate and installed it on both server and client. I then have created server and client keys and certificates that I signed with the CA certificate.
What works:
I can connect from the client to the server with the mysql client without SSL connections.
I can verify the client certificate with openssl:
$ openssl verify MariaDB_client.crt
MariaDB_client.crt: OK
I understand that MariaDB uses yaSSL, but this still shows that the certificates and CA are correct, I think.
On the server, I have:
MariaDB> show global variables like '%ssl%';
+---------------------+--------------------------------------+
| Variable_name | Value |
+---------------------+--------------------------------------+
| have_openssl | NO |
| have_ssl | YES |
| ssl_ca | /etc/mysql/conf.d/MariaDB_ca.crt |
| ssl_capath | |
| ssl_cert | /etc/mysql/conf.d/MariaDB_server.crt |
| ssl_cipher | |
| ssl_crl | |
| ssl_crlpath | |
| ssl_key | /etc/mysql/conf.d/MariaDB_server.key |
| version_ssl_library | YaSSL 2.4.4 |
+---------------------+--------------------------------------+
What does not work:
If I add a .my.cnf file with the following content to the users $HOME directory...
[client]
ssl-ca=/--path--/MariaDB_ca.crt
ssl-cert=/--path--/MariaDB_client.crt
ssl-key=/--path--/MariaDB_client.key
...the connection fails with:
ERROR 2026 (HY000): SSL connection error: unable to verify peer checksum
In the server log, I find (not sure whether this is related):
[Warning] IP address 'ip.of.connecting.client' could not be resolved: Name or service not known
My questions:
How can I narrow down/debug this connection problem?
I found conflicting information about whether I should use the same or different CN for the server and client certificates. Currently, I use the same CN.
Are there particular access rights required for the certificates?
ssl ssl-certificate certificate-authority mariadb
Since moving from MySQL to a newer MariaDB installation on Debian 9, I a struggling with SSL connections.
I have created a CA certificate and installed it on both server and client. I then have created server and client keys and certificates that I signed with the CA certificate.
What works:
I can connect from the client to the server with the mysql client without SSL connections.
I can verify the client certificate with openssl:
$ openssl verify MariaDB_client.crt
MariaDB_client.crt: OK
I understand that MariaDB uses yaSSL, but this still shows that the certificates and CA are correct, I think.
On the server, I have:
MariaDB> show global variables like '%ssl%';
+---------------------+--------------------------------------+
| Variable_name | Value |
+---------------------+--------------------------------------+
| have_openssl | NO |
| have_ssl | YES |
| ssl_ca | /etc/mysql/conf.d/MariaDB_ca.crt |
| ssl_capath | |
| ssl_cert | /etc/mysql/conf.d/MariaDB_server.crt |
| ssl_cipher | |
| ssl_crl | |
| ssl_crlpath | |
| ssl_key | /etc/mysql/conf.d/MariaDB_server.key |
| version_ssl_library | YaSSL 2.4.4 |
+---------------------+--------------------------------------+
What does not work:
If I add a .my.cnf file with the following content to the users $HOME directory...
[client]
ssl-ca=/--path--/MariaDB_ca.crt
ssl-cert=/--path--/MariaDB_client.crt
ssl-key=/--path--/MariaDB_client.key
...the connection fails with:
ERROR 2026 (HY000): SSL connection error: unable to verify peer checksum
In the server log, I find (not sure whether this is related):
[Warning] IP address 'ip.of.connecting.client' could not be resolved: Name or service not known
My questions:
How can I narrow down/debug this connection problem?
I found conflicting information about whether I should use the same or different CN for the server and client certificates. Currently, I use the same CN.
Are there particular access rights required for the certificates?
ssl ssl-certificate certificate-authority mariadb
ssl ssl-certificate certificate-authority mariadb
edited Mar 18 at 16:53
fhenriques
72
72
asked Mar 17 at 16:03
user52366user52366
1265
1265
Alternatively, try dba.stackexchange.com
– Rick James
Mar 17 at 17:06
On DBA it could be a good idea too like @RickJames told, but please don't double post, just flag for a move if you want a move. Thanks you
– yagmoth555♦
Mar 18 at 13:34
Ok, I understand. How do I "flag for a move"?
– user52366
Mar 18 at 16:28
Click under the question flag, and enter that you want a move, but as it's answered now, I no longer think it's a good move IMO
– yagmoth555♦
Mar 18 at 16:52
add a comment |
Alternatively, try dba.stackexchange.com
– Rick James
Mar 17 at 17:06
On DBA it could be a good idea too like @RickJames told, but please don't double post, just flag for a move if you want a move. Thanks you
– yagmoth555♦
Mar 18 at 13:34
Ok, I understand. How do I "flag for a move"?
– user52366
Mar 18 at 16:28
Click under the question flag, and enter that you want a move, but as it's answered now, I no longer think it's a good move IMO
– yagmoth555♦
Mar 18 at 16:52
Alternatively, try dba.stackexchange.com
– Rick James
Mar 17 at 17:06
Alternatively, try dba.stackexchange.com
– Rick James
Mar 17 at 17:06
On DBA it could be a good idea too like @RickJames told, but please don't double post, just flag for a move if you want a move. Thanks you
– yagmoth555♦
Mar 18 at 13:34
On DBA it could be a good idea too like @RickJames told, but please don't double post, just flag for a move if you want a move. Thanks you
– yagmoth555♦
Mar 18 at 13:34
Ok, I understand. How do I "flag for a move"?
– user52366
Mar 18 at 16:28
Ok, I understand. How do I "flag for a move"?
– user52366
Mar 18 at 16:28
Click under the question flag, and enter that you want a move, but as it's answered now, I no longer think it's a good move IMO
– yagmoth555♦
Mar 18 at 16:52
Click under the question flag, and enter that you want a move, but as it's answered now, I no longer think it's a good move IMO
– yagmoth555♦
Mar 18 at 16:52
add a comment |
1 Answer
1
active
oldest
votes
After many hours of trying, things now finally work.
The crucial step was to use the server's IP as common name (CN) in the server certificate (actually the csr that signed then gives the certificate), not an arbitrary host name as some instructions suggest. A lot of sources I found were contradicting in this respect.
I am using MariaDB as distributed with Debian 9, linked to the yaSSL library. Maybe things are different with openssl. They certainly are different from MySQL.
Using an IP as the CN is bad form, violates the RFC's, and can be difficult to maneuver. A better solution would be to either set the CN to be a valid fqdn with a DNS address, or just set it to a URL-valid name that points to localhost in your /etc/hosts file.
– Ryder
Mar 19 at 10:30
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f958674%2fhow-do-i-debug-a-mariadb-ssl-connection%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
After many hours of trying, things now finally work.
The crucial step was to use the server's IP as common name (CN) in the server certificate (actually the csr that signed then gives the certificate), not an arbitrary host name as some instructions suggest. A lot of sources I found were contradicting in this respect.
I am using MariaDB as distributed with Debian 9, linked to the yaSSL library. Maybe things are different with openssl. They certainly are different from MySQL.
Using an IP as the CN is bad form, violates the RFC's, and can be difficult to maneuver. A better solution would be to either set the CN to be a valid fqdn with a DNS address, or just set it to a URL-valid name that points to localhost in your /etc/hosts file.
– Ryder
Mar 19 at 10:30
add a comment |
After many hours of trying, things now finally work.
The crucial step was to use the server's IP as common name (CN) in the server certificate (actually the csr that signed then gives the certificate), not an arbitrary host name as some instructions suggest. A lot of sources I found were contradicting in this respect.
I am using MariaDB as distributed with Debian 9, linked to the yaSSL library. Maybe things are different with openssl. They certainly are different from MySQL.
Using an IP as the CN is bad form, violates the RFC's, and can be difficult to maneuver. A better solution would be to either set the CN to be a valid fqdn with a DNS address, or just set it to a URL-valid name that points to localhost in your /etc/hosts file.
– Ryder
Mar 19 at 10:30
add a comment |
After many hours of trying, things now finally work.
The crucial step was to use the server's IP as common name (CN) in the server certificate (actually the csr that signed then gives the certificate), not an arbitrary host name as some instructions suggest. A lot of sources I found were contradicting in this respect.
I am using MariaDB as distributed with Debian 9, linked to the yaSSL library. Maybe things are different with openssl. They certainly are different from MySQL.
After many hours of trying, things now finally work.
The crucial step was to use the server's IP as common name (CN) in the server certificate (actually the csr that signed then gives the certificate), not an arbitrary host name as some instructions suggest. A lot of sources I found were contradicting in this respect.
I am using MariaDB as distributed with Debian 9, linked to the yaSSL library. Maybe things are different with openssl. They certainly are different from MySQL.
answered Mar 18 at 16:47
user52366user52366
1265
1265
Using an IP as the CN is bad form, violates the RFC's, and can be difficult to maneuver. A better solution would be to either set the CN to be a valid fqdn with a DNS address, or just set it to a URL-valid name that points to localhost in your /etc/hosts file.
– Ryder
Mar 19 at 10:30
add a comment |
Using an IP as the CN is bad form, violates the RFC's, and can be difficult to maneuver. A better solution would be to either set the CN to be a valid fqdn with a DNS address, or just set it to a URL-valid name that points to localhost in your /etc/hosts file.
– Ryder
Mar 19 at 10:30
Using an IP as the CN is bad form, violates the RFC's, and can be difficult to maneuver. A better solution would be to either set the CN to be a valid fqdn with a DNS address, or just set it to a URL-valid name that points to localhost in your /etc/hosts file.
– Ryder
Mar 19 at 10:30
Using an IP as the CN is bad form, violates the RFC's, and can be difficult to maneuver. A better solution would be to either set the CN to be a valid fqdn with a DNS address, or just set it to a URL-valid name that points to localhost in your /etc/hosts file.
– Ryder
Mar 19 at 10:30
add a comment |
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f958674%2fhow-do-i-debug-a-mariadb-ssl-connection%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Alternatively, try dba.stackexchange.com
– Rick James
Mar 17 at 17:06
On DBA it could be a good idea too like @RickJames told, but please don't double post, just flag for a move if you want a move. Thanks you
– yagmoth555♦
Mar 18 at 13:34
Ok, I understand. How do I "flag for a move"?
– user52366
Mar 18 at 16:28
Click under the question flag, and enter that you want a move, but as it's answered now, I no longer think it's a good move IMO
– yagmoth555♦
Mar 18 at 16:52