# fleet
r
I just set up an SSL connection for my MySQL connection and am getting this error
{"mysql":"could not connect to db: x509: cannot validate certificate for 1.1.1.1 because it doesn't contain any IP SANs
I can connect fine to the MySQL instance from the server running fleet by adding the --ssl-cert --ssl-key and --ssl-ca
```yaml
mysql:
  address: 1.1.1.1:3306
  database: fleetdm
  username: user
  password: ':)'
  tls_ca: /etc/ssl/certs/server-ca.pem
  tls_cert: /etc/ssl/certs/mysql-fleet-cert.pem
  tls_key: /etc/ssl/certs/mysql-fleet-key.pem
  server_name: 1.1.1.1
```
What am I missing?
k
Have you tried the hostname instead of IP? That error sounds like the certificate is issued for the hostname.
k
I think @Keith Swagler is on the right track here. It sounds like you have your certificate set up with a hostname and the IP address isn't included as an SAN (Subject Alternative Name).
r
🤔 I've tried with the server name and registered hostname also and can connect using the mysql client on the same system
k
Is the error the exact same when using the hostname rather than the IP address for `address`?
r
yes exact same
k
What version of MySQL are you running?
r
8.0
k
When you're connected to the MySQL server, does running the `status` command show that SSL is actually in use?
```
mysql> \s
```
k
You could also use openssl like `openssl s_client -showcerts -connect 1.1.1.1:3306`
r
@Kathy Satterlee
```
SSL:	Cipher in use is ECDHE-RSA-AES128-GCM-SHA256
```
Can connect to the instance using the below. If I don't pass the -ssl parameters the connection fails.
```
mysql -u user -p -h 1.1.1.1 --ssl-ca=/etc/ssl/certs/server-ca.pem --ssl-cert=/etc/ssl/certs/mysql-fleet-cert.pem --ssl-key=/etc/ssl/certs/mysql-fleet-key.pem
```
k
Thanks. I have some suspicions about what may be going on, but I'd like to double-check a couple of things. Bear with me.
Thanks for being patient there. There were some changes to SSL with MySQL 8 and I wanted to make sure I was familiar with the defaults. By default, MySQL doesn't care about much except whether the cert is present. Try logging in to the MySQL server with `--ssl-mode=VERIFY_IDENTITY` to more closely mirror the connection being made with Fleet.
r
@Kathy Satterlee that reproduces the error where I can't log in anymore 👍