How do I debug a MariaDB SSL connection? Unicorn Meta Zoo #1: Why another podcast? Announcing the arrival of Valued Associate #679: Cesar Manara Come Celebrate our 10 Year Anniversary!How to connect to Amazon RDS MySQL instance while preventing MITM attackCan OpenSSL be used to debug an SSL connection to a MySQL server?How to use client certificates with mysqlHow to debug certificate chains with OpenSSL?client SSL certificate verify error: (27:certificate not trusted)MySQL SSL ConnectionMariadb and “SSL connection error: unknown error number”MariaDB Galera Cluster ECDSA certificate and cipherMariaDB MySQL shows have_ssl disabled when certs are installledMariadb TLS does not enable

What if Force was not Mass times Acceleration?

A Paper Record is What I Hamper

How to open locks without disable device?

Suing a Police Officer Instead of the Police Department

What to do with someone that cheated their way through university and a PhD program?

Split coins into combinations of different denominations

Second order approximation of the loss function (Deep learning book, 7.33)

Would reducing the reference voltage of an ADC have any effect on accuracy?

Protagonist's race is hidden - should I reveal it?

What is "leading note" and what does it mean to "raise a note"?

Does Mathematica have an implementation of the Poisson Binomial Distribution?

How to count in linear time worst-case?

Is Bran literally the world's memory?

What is the ongoing value of the Kanban board to the developers as opposed to management

Has a Nobel Peace laureate ever been accused of war crimes?

Mistake in years of experience in resume?

What is the term for a person whose job is to place products on shelves in stores?

My admission is revoked after accepting the admission offer

Flash for group photos near wall

Where did Arya get these scars?

Raising a bilingual kid. When should we introduce the majority language?

What do you call the part of a novel that is not dialog?

Map material from china not allowed to leave the country

Identify story/novel: Tribe on colonized planet, not aware of this. "Taboo," altitude sickness, robot guardian (60s? Young Adult?)



How do I debug a MariaDB SSL connection?



Unicorn Meta Zoo #1: Why another podcast?
Announcing the arrival of Valued Associate #679: Cesar Manara
Come Celebrate our 10 Year Anniversary!How to connect to Amazon RDS MySQL instance while preventing MITM attackCan OpenSSL be used to debug an SSL connection to a MySQL server?How to use client certificates with mysqlHow to debug certificate chains with OpenSSL?client SSL certificate verify error: (27:certificate not trusted)MySQL SSL ConnectionMariadb and “SSL connection error: unknown error number”MariaDB Galera Cluster ECDSA certificate and cipherMariaDB MySQL shows have_ssl disabled when certs are installledMariadb TLS does not enable



.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;








1















Since moving from MySQL to a newer MariaDB installation on Debian 9, I a struggling with SSL connections.



I have created a CA certificate and installed it on both server and client. I then have created server and client keys and certificates that I signed with the CA certificate.



What works:



I can connect from the client to the server with the mysql client without SSL connections.



I can verify the client certificate with openssl:



$ openssl verify MariaDB_client.crt 

MariaDB_client.crt: OK


I understand that MariaDB uses yaSSL, but this still shows that the certificates and CA are correct, I think.



On the server, I have:



MariaDB> show global variables like '%ssl%';
+---------------------+--------------------------------------+
| Variable_name | Value |
+---------------------+--------------------------------------+
| have_openssl | NO |
| have_ssl | YES |
| ssl_ca | /etc/mysql/conf.d/MariaDB_ca.crt |
| ssl_capath | |
| ssl_cert | /etc/mysql/conf.d/MariaDB_server.crt |
| ssl_cipher | |
| ssl_crl | |
| ssl_crlpath | |
| ssl_key | /etc/mysql/conf.d/MariaDB_server.key |
| version_ssl_library | YaSSL 2.4.4 |
+---------------------+--------------------------------------+


What does not work:



If I add a .my.cnf file with the following content to the users $HOME directory...



[client]
ssl-ca=/--path--/MariaDB_ca.crt
ssl-cert=/--path--/MariaDB_client.crt
ssl-key=/--path--/MariaDB_client.key


...the connection fails with:



ERROR 2026 (HY000): SSL connection error: unable to verify peer checksum


In the server log, I find (not sure whether this is related):



[Warning] IP address 'ip.of.connecting.client' could not be resolved: Name or service not known


My questions:



  • How can I narrow down/debug this connection problem?


  • I found conflicting information about whether I should use the same or different CN for the server and client certificates. Currently, I use the same CN.


  • Are there particular access rights required for the certificates?










share|improve this question
























  • Alternatively, try dba.stackexchange.com

    – Rick James
    Mar 17 at 17:06











  • On DBA it could be a good idea too like @RickJames told, but please don't double post, just flag for a move if you want a move. Thanks you

    – yagmoth555
    Mar 18 at 13:34











  • Ok, I understand. How do I "flag for a move"?

    – user52366
    Mar 18 at 16:28











  • Click under the question flag, and enter that you want a move, but as it's answered now, I no longer think it's a good move IMO

    – yagmoth555
    Mar 18 at 16:52


















1















Since moving from MySQL to a newer MariaDB installation on Debian 9, I a struggling with SSL connections.



I have created a CA certificate and installed it on both server and client. I then have created server and client keys and certificates that I signed with the CA certificate.



What works:



I can connect from the client to the server with the mysql client without SSL connections.



I can verify the client certificate with openssl:



$ openssl verify MariaDB_client.crt 

MariaDB_client.crt: OK


I understand that MariaDB uses yaSSL, but this still shows that the certificates and CA are correct, I think.



On the server, I have:



MariaDB> show global variables like '%ssl%';
+---------------------+--------------------------------------+
| Variable_name | Value |
+---------------------+--------------------------------------+
| have_openssl | NO |
| have_ssl | YES |
| ssl_ca | /etc/mysql/conf.d/MariaDB_ca.crt |
| ssl_capath | |
| ssl_cert | /etc/mysql/conf.d/MariaDB_server.crt |
| ssl_cipher | |
| ssl_crl | |
| ssl_crlpath | |
| ssl_key | /etc/mysql/conf.d/MariaDB_server.key |
| version_ssl_library | YaSSL 2.4.4 |
+---------------------+--------------------------------------+


What does not work:



If I add a .my.cnf file with the following content to the users $HOME directory...



[client]
ssl-ca=/--path--/MariaDB_ca.crt
ssl-cert=/--path--/MariaDB_client.crt
ssl-key=/--path--/MariaDB_client.key


...the connection fails with:



ERROR 2026 (HY000): SSL connection error: unable to verify peer checksum


In the server log, I find (not sure whether this is related):



[Warning] IP address 'ip.of.connecting.client' could not be resolved: Name or service not known


My questions:



  • How can I narrow down/debug this connection problem?


  • I found conflicting information about whether I should use the same or different CN for the server and client certificates. Currently, I use the same CN.


  • Are there particular access rights required for the certificates?










share|improve this question
























  • Alternatively, try dba.stackexchange.com

    – Rick James
    Mar 17 at 17:06











  • On DBA it could be a good idea too like @RickJames told, but please don't double post, just flag for a move if you want a move. Thanks you

    – yagmoth555
    Mar 18 at 13:34











  • Ok, I understand. How do I "flag for a move"?

    – user52366
    Mar 18 at 16:28











  • Click under the question flag, and enter that you want a move, but as it's answered now, I no longer think it's a good move IMO

    – yagmoth555
    Mar 18 at 16:52














1












1








1








Since moving from MySQL to a newer MariaDB installation on Debian 9, I a struggling with SSL connections.



I have created a CA certificate and installed it on both server and client. I then have created server and client keys and certificates that I signed with the CA certificate.



What works:



I can connect from the client to the server with the mysql client without SSL connections.



I can verify the client certificate with openssl:



$ openssl verify MariaDB_client.crt 

MariaDB_client.crt: OK


I understand that MariaDB uses yaSSL, but this still shows that the certificates and CA are correct, I think.



On the server, I have:



MariaDB> show global variables like '%ssl%';
+---------------------+--------------------------------------+
| Variable_name | Value |
+---------------------+--------------------------------------+
| have_openssl | NO |
| have_ssl | YES |
| ssl_ca | /etc/mysql/conf.d/MariaDB_ca.crt |
| ssl_capath | |
| ssl_cert | /etc/mysql/conf.d/MariaDB_server.crt |
| ssl_cipher | |
| ssl_crl | |
| ssl_crlpath | |
| ssl_key | /etc/mysql/conf.d/MariaDB_server.key |
| version_ssl_library | YaSSL 2.4.4 |
+---------------------+--------------------------------------+


What does not work:



If I add a .my.cnf file with the following content to the users $HOME directory...



[client]
ssl-ca=/--path--/MariaDB_ca.crt
ssl-cert=/--path--/MariaDB_client.crt
ssl-key=/--path--/MariaDB_client.key


...the connection fails with:



ERROR 2026 (HY000): SSL connection error: unable to verify peer checksum


In the server log, I find (not sure whether this is related):



[Warning] IP address 'ip.of.connecting.client' could not be resolved: Name or service not known


My questions:



  • How can I narrow down/debug this connection problem?


  • I found conflicting information about whether I should use the same or different CN for the server and client certificates. Currently, I use the same CN.


  • Are there particular access rights required for the certificates?










share|improve this question
















Since moving from MySQL to a newer MariaDB installation on Debian 9, I a struggling with SSL connections.



I have created a CA certificate and installed it on both server and client. I then have created server and client keys and certificates that I signed with the CA certificate.



What works:



I can connect from the client to the server with the mysql client without SSL connections.



I can verify the client certificate with openssl:



$ openssl verify MariaDB_client.crt 

MariaDB_client.crt: OK


I understand that MariaDB uses yaSSL, but this still shows that the certificates and CA are correct, I think.



On the server, I have:



MariaDB> show global variables like '%ssl%';
+---------------------+--------------------------------------+
| Variable_name | Value |
+---------------------+--------------------------------------+
| have_openssl | NO |
| have_ssl | YES |
| ssl_ca | /etc/mysql/conf.d/MariaDB_ca.crt |
| ssl_capath | |
| ssl_cert | /etc/mysql/conf.d/MariaDB_server.crt |
| ssl_cipher | |
| ssl_crl | |
| ssl_crlpath | |
| ssl_key | /etc/mysql/conf.d/MariaDB_server.key |
| version_ssl_library | YaSSL 2.4.4 |
+---------------------+--------------------------------------+


What does not work:



If I add a .my.cnf file with the following content to the users $HOME directory...



[client]
ssl-ca=/--path--/MariaDB_ca.crt
ssl-cert=/--path--/MariaDB_client.crt
ssl-key=/--path--/MariaDB_client.key


...the connection fails with:



ERROR 2026 (HY000): SSL connection error: unable to verify peer checksum


In the server log, I find (not sure whether this is related):



[Warning] IP address 'ip.of.connecting.client' could not be resolved: Name or service not known


My questions:



  • How can I narrow down/debug this connection problem?


  • I found conflicting information about whether I should use the same or different CN for the server and client certificates. Currently, I use the same CN.


  • Are there particular access rights required for the certificates?







ssl ssl-certificate certificate-authority mariadb






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Mar 18 at 16:53









fhenriques

72




72










asked Mar 17 at 16:03









user52366user52366

1265




1265












  • Alternatively, try dba.stackexchange.com

    – Rick James
    Mar 17 at 17:06











  • On DBA it could be a good idea too like @RickJames told, but please don't double post, just flag for a move if you want a move. Thanks you

    – yagmoth555
    Mar 18 at 13:34











  • Ok, I understand. How do I "flag for a move"?

    – user52366
    Mar 18 at 16:28











  • Click under the question flag, and enter that you want a move, but as it's answered now, I no longer think it's a good move IMO

    – yagmoth555
    Mar 18 at 16:52


















  • Alternatively, try dba.stackexchange.com

    – Rick James
    Mar 17 at 17:06











  • On DBA it could be a good idea too like @RickJames told, but please don't double post, just flag for a move if you want a move. Thanks you

    – yagmoth555
    Mar 18 at 13:34











  • Ok, I understand. How do I "flag for a move"?

    – user52366
    Mar 18 at 16:28











  • Click under the question flag, and enter that you want a move, but as it's answered now, I no longer think it's a good move IMO

    – yagmoth555
    Mar 18 at 16:52

















Alternatively, try dba.stackexchange.com

– Rick James
Mar 17 at 17:06





Alternatively, try dba.stackexchange.com

– Rick James
Mar 17 at 17:06













On DBA it could be a good idea too like @RickJames told, but please don't double post, just flag for a move if you want a move. Thanks you

– yagmoth555
Mar 18 at 13:34





On DBA it could be a good idea too like @RickJames told, but please don't double post, just flag for a move if you want a move. Thanks you

– yagmoth555
Mar 18 at 13:34













Ok, I understand. How do I "flag for a move"?

– user52366
Mar 18 at 16:28





Ok, I understand. How do I "flag for a move"?

– user52366
Mar 18 at 16:28













Click under the question flag, and enter that you want a move, but as it's answered now, I no longer think it's a good move IMO

– yagmoth555
Mar 18 at 16:52






Click under the question flag, and enter that you want a move, but as it's answered now, I no longer think it's a good move IMO

– yagmoth555
Mar 18 at 16:52











1 Answer
1






active

oldest

votes


















2














After many hours of trying, things now finally work.



The crucial step was to use the server's IP as common name (CN) in the server certificate (actually the csr that signed then gives the certificate), not an arbitrary host name as some instructions suggest. A lot of sources I found were contradicting in this respect.



I am using MariaDB as distributed with Debian 9, linked to the yaSSL library. Maybe things are different with openssl. They certainly are different from MySQL.






share|improve this answer























  • Using an IP as the CN is bad form, violates the RFC's, and can be difficult to maneuver. A better solution would be to either set the CN to be a valid fqdn with a DNS address, or just set it to a URL-valid name that points to localhost in your /etc/hosts file.

    – Ryder
    Mar 19 at 10:30











Your Answer








StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f958674%2fhow-do-i-debug-a-mariadb-ssl-connection%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









2














After many hours of trying, things now finally work.



The crucial step was to use the server's IP as common name (CN) in the server certificate (actually the csr that signed then gives the certificate), not an arbitrary host name as some instructions suggest. A lot of sources I found were contradicting in this respect.



I am using MariaDB as distributed with Debian 9, linked to the yaSSL library. Maybe things are different with openssl. They certainly are different from MySQL.






share|improve this answer























  • Using an IP as the CN is bad form, violates the RFC's, and can be difficult to maneuver. A better solution would be to either set the CN to be a valid fqdn with a DNS address, or just set it to a URL-valid name that points to localhost in your /etc/hosts file.

    – Ryder
    Mar 19 at 10:30















2














After many hours of trying, things now finally work.



The crucial step was to use the server's IP as common name (CN) in the server certificate (actually the csr that signed then gives the certificate), not an arbitrary host name as some instructions suggest. A lot of sources I found were contradicting in this respect.



I am using MariaDB as distributed with Debian 9, linked to the yaSSL library. Maybe things are different with openssl. They certainly are different from MySQL.






share|improve this answer























  • Using an IP as the CN is bad form, violates the RFC's, and can be difficult to maneuver. A better solution would be to either set the CN to be a valid fqdn with a DNS address, or just set it to a URL-valid name that points to localhost in your /etc/hosts file.

    – Ryder
    Mar 19 at 10:30













2












2








2







After many hours of trying, things now finally work.



The crucial step was to use the server's IP as common name (CN) in the server certificate (actually the csr that signed then gives the certificate), not an arbitrary host name as some instructions suggest. A lot of sources I found were contradicting in this respect.



I am using MariaDB as distributed with Debian 9, linked to the yaSSL library. Maybe things are different with openssl. They certainly are different from MySQL.






share|improve this answer













After many hours of trying, things now finally work.



The crucial step was to use the server's IP as common name (CN) in the server certificate (actually the csr that signed then gives the certificate), not an arbitrary host name as some instructions suggest. A lot of sources I found were contradicting in this respect.



I am using MariaDB as distributed with Debian 9, linked to the yaSSL library. Maybe things are different with openssl. They certainly are different from MySQL.







share|improve this answer












share|improve this answer



share|improve this answer










answered Mar 18 at 16:47









user52366user52366

1265




1265












  • Using an IP as the CN is bad form, violates the RFC's, and can be difficult to maneuver. A better solution would be to either set the CN to be a valid fqdn with a DNS address, or just set it to a URL-valid name that points to localhost in your /etc/hosts file.

    – Ryder
    Mar 19 at 10:30

















  • Using an IP as the CN is bad form, violates the RFC's, and can be difficult to maneuver. A better solution would be to either set the CN to be a valid fqdn with a DNS address, or just set it to a URL-valid name that points to localhost in your /etc/hosts file.

    – Ryder
    Mar 19 at 10:30
















Using an IP as the CN is bad form, violates the RFC's, and can be difficult to maneuver. A better solution would be to either set the CN to be a valid fqdn with a DNS address, or just set it to a URL-valid name that points to localhost in your /etc/hosts file.

– Ryder
Mar 19 at 10:30





Using an IP as the CN is bad form, violates the RFC's, and can be difficult to maneuver. A better solution would be to either set the CN to be a valid fqdn with a DNS address, or just set it to a URL-valid name that points to localhost in your /etc/hosts file.

– Ryder
Mar 19 at 10:30

















draft saved

draft discarded
















































Thanks for contributing an answer to Server Fault!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f958674%2fhow-do-i-debug-a-mariadb-ssl-connection%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

How to write a 12-bar blues melodyI-IV-V blues progressionHow to play the bridges in a standard blues progressionHow does Gdim7 fit in C# minor?question on a certain chord progressionMusicology of Melody12 bar blues, spread rhythm: alternative to 6th chord to avoid finger stretchChord progressions/ Root key/ MelodiesHow to put chords (POP-EDM) under a given lead vocal melody (starting from a good knowledge in music theory)Are there “rules” for improvising with the minor pentatonic scale over 12-bar shuffle?Confusion about blues scale and chords

What if the end-user didn't have the required library?What is setup.py?What is a clean, pythonic way to have multiple constructors in Python?What does Ruby have that Python doesn't, and vice versa?What is the reason for having '//' in Python?How do I create a namespace package in Python?How to package shared objects that python modules depend on?setuptools vs. distutils: why is distutils still a thing?Navigation in Windows 10 vs code not going to virtualenv library when the same library is installed at user levelPython create package for local usePackaging a project that uses multiple python versionsWhy is permission denied on pip install except for when “--user” is included at end of command?

Why did Thanos need his ship to help him in the battle scene?Which actor plays Thanos in the Avengers mid-credits scene?Are there economic implications portrayed in comics where the buildings and cities are ruined almost daily?Old X-Men comic where team travels to alien world with a ring-like sun that needs recharging?Why does Ego need help sleeping?Is there an objective answer to who “the strongest Avenger” is?How did Banner get unstuck?Why did Thanos get hit?How did Thanos (or anyone) know the Infinity Stones would give him this power?Did Thanos leave Eitri alive for his after-sales service?In Avengers 1, why does Thanos need Loki?