Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
r
ryan
04/27/2022, 5:03 PMI just setup an SSL connection for my MYSQL connection and am getting this error
{"mysql":"could not connect to db: x509: cannot validate certificate for 1.1.1.1 because it doesn't contain any IP SANsmysql:
address: 1.1.1.1:3306
database: fleetdm
username: user
password: ':)'
tls_ca: /etc/ssl/certs/server-ca.pem
tls_cert: /etc/ssl/certs/mysql-fleet-cert.pem
tls_key: /etc/ssl/certs/mysql-fleet-key.pem
server_name: 1.1.1.1k
Keith Swagler
04/27/2022, 6:16 PMHave you tried the hostname instead of IP? That error sounds like the certificate is issued for the hostname.
k
Kathy Satterlee
04/27/2022, 6:23 PMI think @Keith Swagler is on the right track here, It sounds like you have your certificate set up with a hostname and the IP address isn't included as an SAN (Subject Alternative Name)
r
ryan
04/27/2022, 6:29 PM🤔 I've tried with the server name and registered hostname also and can connect using the mysql client on the same system
k
Kathy Satterlee
04/27/2022, 8:47 PMIs the error the exact same when using the hostname rather than the IP address for
addressr
ryan
04/27/2022, 8:49 PMyes exact same
k
Kathy Satterlee
04/27/2022, 8:53 PMWhat version of MySQL are you running?
r
ryan
04/27/2022, 8:53 PM8.0
k
Kathy Satterlee
04/27/2022, 9:04 PMWhen you're connected to the MySQL server, does running the
statusmysql> \sk
Keith Swagler
04/28/2022, 12:32 AMYou could also use openssl like
openssl s_client -showcerts -connect 1.1.1.1:3306r
ryan
04/28/2022, 1:32 PM@Kathy Satterlee
SSL: Cipher in use is ECDHE-RSA-AES128-GCM-SHA256Can connect to the instance using the below, if I don't pass the -ssl parameters the connection fails
mysql -u user -p -h 1.1.1.1 --ssl-ca=/etc/ssl/certs/server-ca.pem --ssl-cert=/etc/ssl/certs/mysql-fleet-cert.pem --ssl-key=/etc/ssl/certs/mysql-fleet-key.pemk
Kathy Satterlee
04/28/2022, 4:29 PMThanks. I have some suspicions about what may be going on, but I'd like to double-check a couple of things. Bear with me.
👀 1
Thanks for being patient there. There were some changes to SSL with MySQL 8 and I wanted to make sure I was familiar with the defaults. By default, MySQL doesn't much care about much except whether the cert is present. Try logging in to the MySQL server with ‘—ssl-mode=VERIFY_IDENTITY’ to more closely mirror the connection being made with Fleet
r
ryan
04/28/2022, 7:40 PM@Kathy Satterlee that reproduces the error where I can't login anymore 👍