0

I want to connect to a remote MySQL database via the mysqli functions. The connection also requires SSL certificates in order to get access. So my code looks like this:

$db = array(
    "host" => "host",
    "user" => "user",
    "password" => "password",
    "dbName" => "dbName"
);

// Report every error while debugging
ini_set('error_reporting', E_ALL);
ini_set('display_errors', '1');
error_reporting(E_ALL | E_STRICT);

$connection = mysqli_init();
// Ask the client to verify the server certificate
mysqli_options($connection, MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);

// Arguments: client key, client certificate, CA certificate, CA path, cipher list
$connection->ssl_set('/usr/local/certs/client-key.pem',
    '/usr/local/certs/client-cert.pem', '/usr/local/certs/server-ca.pem', NULL, NULL);
$link = mysqli_real_connect($connection, $db['host'],
    $db['user'], $db['password'], $db['dbName'], 3306, NULL, MYSQLI_CLIENT_SSL);

if (!$link)
{
    die('Connect error (' . mysqli_connect_errno() . '): '
        . mysqli_connect_error() . "\n");
}
else
{
    $response = $connection->query('SHOW TABLES;');
    // query() returns a mysqli_result, so write each table name as a string
    while ($row = $response->fetch_row())
    {
        $this->output->writeln($row[0]);
    }
    $connection->close();
}

And then I get this error:

PHP Warning:  mysqli_real_connect(): Peer certificate CN=`[project name]' did not match expected CN=`[IP address]`

I've been struggling with this error for a few days. I'm also 100% sure that my certificates and paths are correct. How can I fix it and establish the connection?

8
  • Possible duplicate of php 5.x 7.x, ssl pdo error: Peer certificate CN=`someName' did not match expected CN='someIP' Commented Dec 18, 2017 at 3:47
  • Unfortunately it's not the same issue. The author of that topic used PDO, not mysqli, so I still don't know what I should fix in my code. Commented Dec 18, 2017 at 4:01
  • Read more carefully! Their solution is completely unrelated of mysqli / PDO and has to do with how the CN is set on the cert. Commented Dec 18, 2017 at 4:03
  • So I should write something like "10.5.5.20 dbServer1.company.local" in my /etc/host file and then use dbServer1.company.local instead of the regular IP address in my $db array in the PHP file? I'm sorry, maybe it's a bit of a silly question, but I'm a newbie in PHP/MySQL connections. Commented Dec 18, 2017 at 4:17
  • In a certificate under "Issued To", you have "Common Name (CN)". There you can have one or more FQDNs or IP addresses. When you load the website with a domain name or IP that is not part of the CN, the certificate will be invalid for that session. Commented Dec 18, 2017 at 4:19

1 Answer

1

In my case I had to set MYSQLI_OPT_SSL_VERIFY_SERVER_CERT to false before it all worked.

Try the following instead:

mysqli_options ($connection, MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, false);

Hope it works, also for the benefit of later readers.


1 Comment

Wouldn't this make the connection vulnerable to a man-in-the-middle attack?
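
An added example (not from the question or the answer) of the alternative raised in the comments: keep server-certificate verification on and connect by a name that matches the certificate's CN instead of by IP. The host name `dbServer1.company.local` is the one used for illustration in the comments and is assumed here to equal the CN and to resolve to the server; `connectVerified` is a hypothetical helper name.

```php
<?php
// Added example; names marked "assumed" are not from the original post.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on failure

// Open a TLS connection with server-certificate verification left on.
// $db['host'] must be the name in the server certificate's CN.
function connectVerified(array $db, string $certDir): mysqli
{
    // An IP literal cannot match a certificate issued to a name.
    if (filter_var($db['host'], FILTER_VALIDATE_IP) !== false) {
        throw new InvalidArgumentException(
            "Host '{$db['host']}' is an IP address; use the name in the certificate CN."
        );
    }
    $conn = mysqli_init();
    $conn->options(MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);
    $conn->ssl_set("$certDir/client-key.pem", "$certDir/client-cert.pem",
        "$certDir/server-ca.pem", null, null);
    $conn->real_connect($db['host'], $db['user'], $db['password'],
        $db['dbName'], 3306, null, MYSQLI_CLIENT_SSL);

    // Confirm the session is actually encrypted before using it.
    $row = $conn->query("SHOW STATUS LIKE 'Ssl_cipher'")->fetch_assoc();
    if (empty($row['Value'])) {
        $conn->close();
        throw new RuntimeException('Connection is not using TLS.');
    }
    return $conn;
}

try {
    $conn = connectVerified([
        'host' => 'dbServer1.company.local', // assumed to equal the cert CN
        'user' => 'user', 'password' => 'password', 'dbName' => 'dbName',
    ], '/usr/local/certs');
    foreach ($conn->query('SHOW TABLES') as $row) {
        echo current($row), "\n";
    }
    $conn->close();
} catch (Exception $e) {
    // A failed connect, including a certificate mismatch, ends up here;
    // the code stops rather than retrying with verification disabled.
    fwrite(STDERR, 'Connect failed: ' . $e->getMessage() . "\n");
    exit(1);
}
```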
