# fleet
j
Hi all, I was wondering if anyone has any experience with troubleshooting connection issues with MySQL? When I try and point our Fleet instance to a new database it errors with this:
Jun  5 14:24:16 osq-devfleet03 fleet[801411]: {"mysql":"could not connect to db: tls: failed to verify certificate: x509: certificate is not valid for any names, but wanted to match [REDACTED], sleeping 5s","ts":"2024-06-05T18:24:16.81599463Z"}
I have messed with various TLS options in fleet.conf and have not had any luck, so I'm not sure if it's Fleet, the certs I was provided to point it to, or the MySQL database server I'm trying to point it to.
d
@Jonathan Ober, this could be a couple of things, but I want to confirm that you do not get this error if you point your Fleet instance back to your original database, correct?
I'd double check that the certificates and keys you have in your fleet config match the name for your new database: https://fleetdm.com/docs/configuration/fleet-server-configuration#mysql-tls-ca
j
Hi, yes, the system works fine when pointed to the old server. These are the values I set in /etc/fleet/fleet.conf pertaining to the new DB:
FLEET_MYSQL_TLS_CONFIG=true
FLEET_MYSQL_ADDRESS=redactedfqdn:3306
FLEET_MYSQL_DATABASE=redacted
FLEET_MYSQL_USERNAME=redacted
FLEET_MYSQL_PASSWORD=redacted
FLEET_MYSQL_TLS_SERVER_NAME=redactedfqdn
FLEET_MYSQL_TLS_CERT=/etc/fleet/ssl/client-cert.pem
FLEET_MYSQL_TLS_KEY=/etc/fleet/ssl/client-key.pem
FLEET_MYSQL_TLS_CA=/etc/fleet/ssl/ca.pem
Is FLEET_MYSQL_TLS_SKIP_VERIFY=true still a valid option? I don't see it in the doc you linked but came across it when googling around. I had tried setting that, but it didn't make a difference. I think you're right about the certs not having the name in them.
d
That FLEET_MYSQL_TLS_SKIP_VERIFY doesn't seem to be a configuration option anymore. At least, I don't see it listed here: https://github.com/fleetdm/fleet/blob/1fac823fa9496e7f8ad666582149048517342c0b/docs/Configuration/fleet-server-configuration.md?plain=1#L138 It looks like you could use FLEET_MYSQL_TLS_CONFIG=skip-verify though.
j
That didn't work, sadly. I'm pretty sure it's because my issuer CN reports back as this when I do openssl x509 -in /etc/fleet/ssl/ca.pem -text -noout:
Issuer: CN = MySQL_Server_8.0.37_Auto_Generated_CA_Certificate
Is there a way to get more verbose logs than systemctl status fleet or checking /var/log/messages? If TLS is turned off on the DB server, it works. Just trying to see if there's anything on the Fleet side at this point.
d
I don't think there's anything broken on the Fleet side. I think you need to get the ca.pem file from your new database, store that on your Fleet server, and pass the file path to the updated ca.pem (new database) in your FLEET_MYSQL_TLS_CA variable. But, if you want to get more verbose logs, you can enable debug mode with FLEET_LOGGING_DEBUG=true: https://fleetdm.com/docs/configuration/fleet-server-configuration#logging-fleet-server-logging
j
Got it working by setting FLEET_MYSQL_TLS_CONFIG=skip-verify and commenting out the certificate values. I think the problem was due to the cert being automatically generated in MySQL, because the subject CN was
Subject: CN = MySQL_Server_8.0.37_Auto_Generated_CA_Certificate
and not the FQDN of the server. Since we verified the connection was encrypted, we decided to just leave it at that. Just posting this in case anyone else has this problem.