
While trying to set up MySQL over SSL on RHEL6, I'm facing an error any time I ask the mysql client to verify the self-signed certs:

mysql --ssl-ca=/tmp/newcerts/ca.pem \
 --ssl-cert=/tmp/newcerts/client-cert.pem \
 --ssl-key=/tmp/newcerts/client-key.pem \
 -h IP.IP.IP.IP -u USER -p \
 --ssl-verify-server-cert=true

ERROR 2026 (HY000): SSL connection error: SSL certificate validation failure

In the case where I set --ssl-verify-server-cert=false, mysql does not verify the self-signed certs and starts the secure connection.

I've used the MySQL HowTo article to create my self-signed certificate: https://dev.mysql.com/doc/refman/5.6/en/creating-ssl-files-using-openssl.html and the openssl verify command is returning:

openssl verify -CAfile ca.pem server-cert.pem client-cert.pem

server-cert.pem: OK
client-cert.pem: OK

The ca.pem, client-cert.pem and server-cert.pem have been created with different Common Names: Node1 for ca.pem, Node2 for client-cert.pem, Node3 for server-cert.pem.

Parameters loaded into MySQL during startup:

ssl-ca=/tmp/newcerts/ca.pem
ssl-cert=/tmp/newcerts/server-cert.pem
ssl-key=/tmp/newcerts/server-key.pem

Then I've added the ca.pem to the server by following these steps for RHEL6:

update-ca-trust force-enable
cp /tmp/newcerts/ca.pem /etc/pki/ca-trust/source/anchors/
update-ca-trust extract

I'm guessing that with a proper cert verified by a trusted third party I would not have this error, but I need to verify that it works with a self-signed cert.

I'm running out of ideas to get this working. Has someone already faced a similar issue?

  • I guess you need to add your ca.pem to your trusted root certificates; otherwise the server tries to verify that certificate up the cert chain but is unable to find a trusted cert that signs down the chain. Commented Oct 30, 2017 at 21:32
  • Thanks for the response. Good idea, I'm going to give it a try and post the result! Commented Oct 31, 2017 at 8:18
  • I've edited my post with the update-ca commands to add the ca.pem to the trusted root certificates of the servers, but I'm still facing the issue. Do you think the new commands listed in the post are correct? Commented Oct 31, 2017 at 9:26

1 Answer


In my case (and for a self-signed certificate) the solution was:

  • No need to add ca.pem to the trusted root certificates
  • Need to set the CN of the server-cert.pem as the mysqlserverhostname
  • Make sure to resolve mysqlserverhostname from your client
  • Replace -h IP.IP.IP.IP -u USER -p with -h mysqlserverhostname -u USER -p

My error was to follow the MySQL doc instructions, where the quote "To generate test files, you can press Enter to all prompts" seems incorrect, since I had to set the CN of the server-cert.pem to the mysqlserverhostname to resolve the issue.


2 Comments

Could you please name an example for your third bullet?
@JohnTriantafillakis make sure you can access the mysql server host from your client, e.g. telnet localhost 3306
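As an added illustration that is not part of the question or answer: with --ssl-verify-server-cert=true the mysql client checks the server certificate's name against the host given to -h, which a plain openssl verify does not do. The script below builds a throwaway CA and two server certs (CN=Node3 as in the question, and CN=mysqlserverhostname as the answer recommends; the names and the use of openssl's -verify_hostname option, available from OpenSSL 1.1.0, are my assumptions) and shows chain verification passing for both while the hostname check passes only for the second.

```shell
#!/bin/sh
# Added example (not from the question or answer): reproduce the name mismatch.
# Assumes openssl 1.1.0 or newer (for -verify_hostname); all certs are throwaway.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=mysqlserverhostname   # assumed: the name the client resolves and passes to -h

# Throwaway CA with the same CN the question used (Node1).
openssl genrsa -out "$WORK/ca-key.pem" 2048 >/dev/null 2>&1
openssl req -new -x509 -key "$WORK/ca-key.pem" -out "$WORK/ca.pem" \
  -days 30 -subj "/CN=Node1" >/dev/null 2>&1

# issue_server_cert CN NAME SERIAL: CA-signed server cert with CN=$1 in $WORK/$2.pem
issue_server_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$2-key.pem" \
    -out "$WORK/$2.csr" -subj "/CN=$1" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca-key.pem" \
    -set_serial "$3" -days 30 -out "$WORK/$2.pem" >/dev/null 2>&1
}

# check_cert NAME: print "chain=OK|FAIL hostname=OK|FAIL" for $WORK/NAME.pem.
# The first check is what the question ran; the second adds the hostname match
# that the mysql client performs when --ssl-verify-server-cert is on.
check_cert() {
  chain=FAIL
  host=FAIL
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1.pem" >/dev/null 2>&1 && chain=OK
  openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$HOST" \
    "$WORK/$1.pem" >/dev/null 2>&1 && host=OK
  echo "chain=$chain hostname=$host"
}

issue_server_cert Node3 server-node3 1      # CN as in the question
issue_server_cert "$HOST" server-host 2     # CN as the answer recommends
check_cert server-node3   # chain=OK hostname=FAIL
check_cert server-host    # chain=OK hostname=OK
```

The same CA file satisfies openssl verify for both certificates; only the certificate whose CN equals the name passed to -h also satisfies the hostname check, which is the difference between ERROR 2026 and a working connection.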
