https://github.com/osquery/osquery logo
Title
r

ryan

04/27/2022, 5:03 PM
I just setup an SSL connection for my MYSQL connection and am getting this error
{"mysql":"could not connect to db: x509: cannot validate certificate for 1.1.1.1 because it doesn't contain any IP SANs
I can connect fine to the MYSQL instance from the server running fleet by adding the --ssl-cert --ssl-key and --ssl-ca
mysql:
  address: 1.1.1.1:3306
  database: fleetdm
  username: user
  password: ':)'
  tls_ca: /etc/ssl/certs/server-ca.pem
  tls_cert: /etc/ssl/certs/mysql-fleet-cert.pem
  tls_key: /etc/ssl/certs/mysql-fleet-key.pem
  server_name: 1.1.1.1
What am I missing?
k

Keith Swagler

04/27/2022, 6:16 PM
Have you tried the hostname instead of IP? That error sounds like the certificate is issued for the hostname.
k

Kathy Satterlee

04/27/2022, 6:23 PM
I think @Keith Swagler is on the right track here, It sounds like you have your certificate set up with a hostname and the IP address isn't included as an SAN (Subject Alternative Name)
r

ryan

04/27/2022, 6:29 PM
🤔 I've tried with the server name and registered hostname also and can connect using the mysql client on the same system
k

Kathy Satterlee

04/27/2022, 8:47 PM
Is the error the exact same when using the hostname rather than the IP address for
address
?
r

ryan

04/27/2022, 8:49 PM
yes exact same
k

Kathy Satterlee

04/27/2022, 8:53 PM
What version of MySQL are you running?
r

ryan

04/27/2022, 8:53 PM
8.0
k

Kathy Satterlee

04/27/2022, 9:04 PM
When you're connected to the MySQL server, does running the
status
command show that SSL is actually in use?
mysql> \s
k

Keith Swagler

04/28/2022, 12:32 AM
You could also use openssl like
openssl s_client -showcerts -connect 1.1.1.1:3306
r

ryan

04/28/2022, 1:32 PM
@Kathy Satterlee
SSL:	Cipher in use is ECDHE-RSA-AES128-GCM-SHA256
Can connect to the instance using the below, if I don't pass the -ssl parameters the connection fails
mysql -u user -p -h 1.1.1.1 --ssl-ca=/etc/ssl/certs/server-ca.pem --ssl-cert=/etc/ssl/certs/mysql-fleet-cert.pem --ssl-key=/etc/ssl/certs/mysql-fleet-key.pem
k

Kathy Satterlee

04/28/2022, 4:29 PM
Thanks. I have some suspicions about what may be going on, but I'd like to double-check a couple of things. Bear with me.
👀 1
Thanks for being patient there. There were some changes to SSL with MySQL 8 and I wanted to make sure I was familiar with the defaults. By default, MySQL doesn't much care about much except whether the cert is present. Try logging in to the MySQL server with ‘—ssl-mode=VERIFY_IDENTITY’ to more closely mirror the connection being made with Fleet
r

ryan

04/28/2022, 7:40 PM
@Kathy Satterlee that reproduces the error where I can't login anymore 👍