Can't connect to MySQL using a self-signed SSL certificate


Solution 1

Yes, you are correct that if you don't specify --ssl-ca then the client does not check the server certificate at all. Since it works without that option the most likely reason for the failure is that the client doesn't trust the server certificate.

If you are using self-signed client and server certificates then the ca.cert file should include both these files. That way the client will trust the server certificate and the server will trust the client certificate.

For example:
Generate the server key and certificate:

$ openssl req -x509 -newkey rsa:1024 \
         -keyout server-key-enc.pem -out server-cert.pem \
         -subj '/DC=com/DC=example/CN=server' -passout pass:qwerty

$ openssl rsa -in server-key-enc.pem -out server-key.pem \
         -passin pass:qwerty -passout pass:

Generate the client key and certificate:

$ openssl req -x509 -newkey rsa:1024 \
         -keyout client-key-enc.pem -out client-cert.pem \
         -subj '/DC=com/DC=example/CN=client' -passout pass:qwerty

$ openssl rsa -in client-key-enc.pem -out client-key.pem \
         -passin pass:qwerty -passout pass:

Combine the client and server certificates into the CA certificates file:

$ cat server-cert.pem client-cert.pem > ca.pem

Solution 2

To use one-way SSL, you should try with:

mysql -u <user> -p --ssl=1 --ssl-ca=ca.cert --ssl-verify-server-cert

The --ssl-cert and --ssl-key on the mysql client are used for two-way SSL. This means certificate-based authentication. The subject of the client certificate should be the username.

Solution 3

By any chance, have you not entered the same Common Name for the server and client certs? If so, replace one of them so that the Common Names are different.
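The two layouts discussed in Solution 1 and Solution 3 can be built and checked with openssl before any mysql client is involved. The script below is an added example, not code from the original answers: layout A is Solution 1's pair of self-signed certificates concatenated into a trust bundle, layout B is a small private CA that signs the server and client certificates with distinct Common Names (the constraint Solution 3 and the MySQL manual quote in the comments describe). `openssl verify -CAfile` performs the same trust check the client does on the server certificate when `--ssl-ca` is given, so it reproduces the questioner's failing case (a self-signed server certificate checked against a CA file that does not contain it) without a running server. Subject names, file names and `WORKDIR` are assumptions.

```shell
#!/bin/sh
# Added example, not from the original answers. Builds the two certificate
# layouts discussed above and checks them with openssl the way the MySQL client
# does when given --ssl-ca. Subject names, file names and WORKDIR are assumptions.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SUBJ_BASE='/DC=com/DC=example'

# Layout A (Solution 1): two self-signed certificates concatenated into a
# trust bundle. Each side trusts the other because the peer cert is in the bundle.
gen_selfsigned_pair() {
  d="$1"
  for role in server client; do
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
      -keyout "$d/$role-key.pem" -out "$d/$role-cert.pem" \
      -subj "$SUBJ_BASE/CN=$role" 2>/dev/null
  done
  cat "$d/server-cert.pem" "$d/client-cert.pem" > "$d/bundle-ca.pem"
}

# sign_leaf DIR ROLE CN: key plus CSR for ROLE, signed by DIR/ca.pem.
sign_leaf() {
  d="$1"; role="$2"; cn="$3"
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -keyout "$d/$role-key.pem" -out "$d/$role.csr" \
    -subj "$SUBJ_BASE/CN=$cn" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$d/$role.csr" \
    -CA "$d/ca.pem" -CAkey "$d/ca-key.pem" -CAcreateserial \
    -out "$d/$role-cert.pem" 2>/dev/null
}

# Layout B: one private CA signs the server and client certificates.
# The CA's CN must differ from the server and client CNs (Solution 3 and the
# MySQL manual note quoted in the comments), so each gets its own.
gen_ca_signed() {
  d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$d/ca-key.pem" -out "$d/ca.pem" \
    -subj "$SUBJ_BASE/CN=mysql-ca" 2>/dev/null
  # The server CN is the host name clients pass to -h; --ssl-verify-server-cert
  # compares the two (assumed host name db.example.com).
  sign_leaf "$d" server 'db.example.com'
  sign_leaf "$d" client 'app-user'
}

# cn_of CERT: print the Common Name of a PEM certificate.
cn_of() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# chain_ok CAFILE CERT: succeed if CERT is trusted given CAFILE. This is the
# check the client performs on the server certificate when --ssl-ca is set.
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cns_distinct CERT...: succeed only if no two certificates share a CN.
cns_distinct() {
  for f in "$@"; do cn_of "$f"; done | sort | uniq -d | grep -q . && return 1
  return 0
}

A="$WORKDIR/selfsigned"; B="$WORKDIR/ca"
mkdir -p "$A" "$B"
gen_selfsigned_pair "$A"
gen_ca_signed "$B"
chain_ok "$A/bundle-ca.pem" "$A/server-cert.pem" && echo "layout A: server cert trusted via bundle"
chain_ok "$B/ca.pem" "$B/server-cert.pem" && echo "layout B: server cert chains to ca.pem"
cns_distinct "$B/ca.pem" "$B/server-cert.pem" "$B/client-cert.pem" && echo "layout B: CNs are distinct"
if chain_ok "$B/ca.pem" "$A/server-cert.pem"; then
  echo "unexpected: self-signed cert trusted by unrelated CA"
else
  echo "self-signed server cert is NOT trusted by a CA file that lacks it (the failing case)"
fi
```

Whichever layout you use, pass the resulting trust file as `--ssl-ca` and add `--ssl-verify-server-cert` as in Solution 2; with layout B the `-h` value must match the server certificate's CN, as Keith Burdis notes in the comments.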


Author: carpii

Updated on September 18, 2022

Comments

  • carpii
    carpii over 1 year

    After creating a self-signed SSL certificate, I have configured my remote MySQL server to use them (and SSL is enabled)

    I ssh into my remote server, and try connecting to its own mysqld using SSL (MySQL server is 5.5.25).

    mysql -u <user> -p --ssl=1 --ssl-cert=client.cert --ssl-key=client.key --ssl-ca=ca.cert
    Enter password: 
    ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
    

    OK, I remember reading there's some problem with connecting to the same server via SSL. So I download the client keys down to my local box, and test from there...

    mysql -h <server> -u <user> -p --ssl=1 --ssl-cert=client.cert --ssl-key=client.key --ssl-ca=ca.cert 
    Enter password: 
    ERROR 2026 (HY000): SSL connection error
    

    It's unclear what this "SSL connection error" error refers to, but if I omit the --ssl-ca, then I am able to connect using SSL..

    mysql -h <server> -u <user> -p --ssl=1 --ssl-cert=client.cert --ssl-key=client.key 
    Enter password: 
    Welcome to the MySQL monitor.  Commands end with ; or \g.
    Your MySQL connection id is 37
    Server version: 5.5.25 MySQL Community Server (GPL)
    

    However, I believe that this is only encrypting the connection, and not actually verifying the validity of the cert (meaning I would be potentially vulnerable to a man-in-the-middle attack)

    The SSL certs are valid (albeit self-signed), and do not have a passphrase on them. So my question is, what am I doing wrong? How can I connect via SSL, using a self-signed certificate?

    MySQL Server version is 5.5.25 and the server and clients are CentOS 5.

    Thanks for any advice

    Edit: Note that in all cases, the command is being issued from the same directory where the ssl keys reside (hence no absolute path)

    Edit (in response to mgorven): ca.cert is the Certificate Authority certificate, which is supposed to tell mysql that my certificate authority is trusted.

    The config from my.cnf is

    [mysqld]
    ssl-ca=/etc/ssl/mysql/ca.cert
    ssl-cert=/etc/ssl/mysql/server.cert
    ssl-key=/etc/ssl/mysql/server.key
    

    I also tried adding ssl-cipher=DHE-RSA-AES256-SHA but have since removed it as it didn't help.

    • mgorven
      mgorven almost 12 years
      What is ca.cert? Is it the server's self signed certificate? Are you using client certificates for authentication? Please provide the SSL related configuration on the server.
  • carpii
    carpii almost 12 years
    Thank you so much! The missing step is that I was not concatenating server and client certs into a ca.pem. I was instead passing the ca.cert which was generated initially (and then passed as --CA-key when generating client and server certs)
  • Dmitry Leskov
    Dmitry Leskov almost 12 years
    Strange, but it always worked for me with just one CA cert - the same on client and server.
  • Keith Burdis
    Keith Burdis almost 12 years
    Yes, as long as there are no special requirements for the DN - for example the CN being a specific value - then you can use the same key and self-signed certificate on the client and the server.
  • Keith Burdis
    Keith Burdis almost 12 years
    Also bear in mind that when making a socket connection and using --ssl-verify-server-cert the CN of the server certificate must be the same as the host you specify for the -h command-line option.
  • gmas
    gmas about 9 years
    For me, Dmitry Leskov's solution worked. Per MySQL's SSL documentation (dev.mysql.com/doc/refman/5.0/en/creating-ssl-certs.html): "Whatever method you use to generate the certificate and key files, the Common Name value used for the server and client certificates/keys must each differ from the Common Name value used for the CA certificate. Otherwise, the certificate and key files will not work for servers compiled using OpenSSL. A typical error in this case is: ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)"
  • waltmagic
    waltmagic about 2 years
    Just ran into this. Thanks for sharing.