Bug #100688 | Client cannot connect to remote mysql-server when the latter is configured with | | |
---|---|---|---|
Submitted: | 29 Aug 2020 8:55 | Modified: | 7 Nov 2020 10:09 |
Reporter: | Jean-christophe Manciot | Email Updates: | |
Status: | No Feedback | Impact on me: | |
Category: | MySQL Server | Severity: | S3 (Non-critical) |
Version: | 8.0.21 | OS: | Linux (Debian & Ubuntu) |
Assigned to: | MySQL Verification Team | CPU Architecture: | x86 |
Tags: | lets_encrypt, public_ca, SSL, tls | | |
[29 Aug 2020 8:55]
Jean-christophe Manciot
[29 Aug 2020 8:59]
Jean-christophe Manciot
The title has been trimmed: the original one was: Client cannot connect to remote mysql-server when the latter is configured with ssl parameters using a public CA
[14 Sep 2020 15:08]
MySQL Verification Team
Hi, sorry for the delay. I tested this on CentOS/Oracle Linux and on Fedora and I was not able to reproduce the problem. I'll retest this on Debian when I set one up, but I have to check a few things first: where is this binary of mysql coming from? Are you sure you are installing the deb files from Oracle, or did you maybe use the tar.gz distribution? Thanks, Bogdan
[2 Oct 2020 9:42]
Jean-christophe Manciot
Sorry for the delay. I have downloaded from the [official mysql site](https://dev.mysql.com/downloads/mysql/) and installed all relevant binary packages from mysql-server_8.0.21-1ubuntu20.04_amd64.deb-bundle.tar.

On the remote server:

```
# systemctl status mysql
● mysql.service - MySQL Community Server
     Loaded: loaded (/lib/systemd/system/mysql.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2020-10-02 11:31:56 CEST; 7min ago
       Docs: man:mysqld(8)
             http://dev.mysql.com/doc/refman/en/using-systemd.html
    Process: 502646 ExecStartPre=/usr/share/mysql-8.0/mysql-systemd-start pre (code=exited, status=0/SUCCESS)
   Main PID: 502706 (mysqld)
     Status: "Server is operational"
      Tasks: 39 (limit: 9271)
     Memory: 343.6M
     CGroup: /system.slice/mysql.service
             └─502706 /usr/sbin/mysqld

Oct 02 11:31:54 hostname systemd[1]: Starting MySQL Community Server...
Oct 02 11:31:54 hostname mysqld[502706]: 2020-10-02T09:31:54.920409Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.21) starting as pro>
Oct 02 11:31:54 hostname mysqld[502706]: 2020-10-02T09:31:54.931791Z 1 [System] [MY-013576] [InnoDB] InnoDB initialization has started.
Oct 02 11:31:56 hostname mysqld[502706]: 2020-10-02T09:31:56.010481Z 1 [System] [MY-013577] [InnoDB] InnoDB initialization has ended.
Oct 02 11:31:56 hostname mysqld[502706]: 2020-10-02T09:31:56.113417Z 1 [Warning] [MY-012351] [InnoDB] Tablespace 1, name 'sys/sys_config', file './sy>
Oct 02 11:31:56 hostname mysqld[502706]: 2020-10-02T09:31:56.197258Z 0 [System] [MY-011323] [Server] X Plugin ready for connections. Bind-address: ':>
Oct 02 11:31:56 hostname mysqld[502706]: 2020-10-02T09:31:56.508558Z 0 [Warning] [MY-010068] [Server] CA certificate ca.pem is self signed.
Oct 02 11:31:56 hostname mysqld[502706]: 2020-10-02T09:31:56.508779Z 0 [System] [MY-013602] [Server] Channel mysql_main configured to support TLS. En>
Oct 02 11:31:56 hostname mysqld[502706]: 2020-10-02T09:31:56.536119Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections. Version>
Oct 02 11:31:56 hostname systemd[1]: Started MySQL Community Server.
```

On the local client:

```
# openssl s_client -connect mysql.domain:3306 -name $(hostname).$(dnsdomainname) -servername mysql.domain -showcerts -state -status
CONNECTED(00000003)
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:error in error
140189896140096:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 318 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
```
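The `openssl s_client` run above reads only 5 bytes and then fails with "wrong version number" because a MySQL server speaks first, sending a cleartext greeting, and expects an SSLRequest packet before the TLS ClientHello. The following is an added example (not code from the bug report) that performs that negotiation and then verifies the server certificate against a CA file; the sample greeting is constructed, and the `host`, `port` and `cafile` parameters are assumptions.

```python
import socket
import ssl
import struct

# MySQL client capability flags (subset) as documented in the MySQL client/server protocol.
CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SSL = 0x00000800
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH = 0x00080000

def parse_greeting(packet):
    """Parse a HandshakeV10 greeting (4-byte header + payload).
    Returns (server_version, capability_flags, charset)."""
    length = int.from_bytes(packet[:3], "little")
    payload = packet[4:4 + length]
    if payload[0] != 0x0A:
        raise ValueError("not a HandshakeV10 greeting (maybe an ERR packet)")
    end = payload.index(b"\x00", 1)                 # NUL-terminated server_version
    version = payload[1:end].decode()
    pos = end + 1 + 4 + 8 + 1                       # skip connection_id, auth-data-1, filler
    cap_low, charset = struct.unpack_from("<HB", payload, pos)
    cap_high = struct.unpack_from("<H", payload, pos + 5)[0]  # after 2-byte status_flags
    return version, cap_low | (cap_high << 16), charset

def build_ssl_request(charset=0xFF):
    """Build the SSLRequest packet (sequence id 1) that precedes the TLS ClientHello."""
    caps = CLIENT_PROTOCOL_41 | CLIENT_SSL | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH
    payload = struct.pack("<IIB", caps, 16 * 1024 * 1024, charset) + b"\x00" * 23
    return len(payload).to_bytes(3, "little") + b"\x01" + payload

def make_sample_greeting(ssl_offered=True):
    """Constructed greeting for offline use (not a capture from the reporter's server)."""
    cap_low = 0xFFFF if ssl_offered else 0xFFFF & ~CLIENT_SSL
    payload = (b"\x0a" + b"8.0.21\x00" + struct.pack("<I", 42) + b"ABCDEFGH" + b"\x00"
               + struct.pack("<HBHH", cap_low, 0xFF, 0x0002, 0xDFFF)
               + b"\x15" + b"\x00" * 10 + b"IJKLMNOPQRST\x00" + b"caching_sha2_password\x00")
    return len(payload).to_bytes(3, "little") + b"\x00" + payload

def probe(host, port=3306, cafile=None):
    """Read the cleartext greeting, send SSLRequest, then verify the server cert
    against `cafile` (or the system trust store) with hostname checking on."""
    with socket.create_connection((host, port), timeout=10) as raw:
        version, caps, charset = parse_greeting(raw.recv(4096))
        if not caps & CLIENT_SSL:
            return version, None                    # server does not offer TLS at all
        raw.sendall(build_ssl_request(charset))
        ctx = ssl.create_default_context(cafile=cafile)
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return version, tls.getpeercert()
```

`probe("mysql.domain", cafile="/etc/ssl/certs/ca-certificates.crt")` returns the verified peer certificate or raises `ssl.SSLCertVerificationError` if the chain or hostname does not check out. `openssl s_client -starttls mysql` performs this same greeting/SSLRequest exchange itself, which is why `s_client` without that option stops after reading the first 5 bytes of the cleartext greeting as if they were a TLS record header.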
[6 Oct 2020 12:24]
MySQL Verification Team
Hi, I'm still not reproducing this. The difference is that I do use self-signed, self-made certs and not lets_encrypt ones, but it should be the same. Have you tried removing the keys from the var/lib/ and copying your keys to the same dir with those names? It might be one of the Debian "security" features (like SELinux on Red Hat). All the best, Bogdan
[7 Oct 2020 8:46]
Jean-christophe Manciot
The whole point is about using a public certificate. You are unable to reproduce this issue because you're not using one such certificate. The files you're referring to are automatically created each time the systemd service is restarted, so your proposed trick cannot be implemented. All public-certificate-related files are readable by the mysql user. Finally, SELinux is not used; AppArmor is instead, and I have added the necessary configuration to allow the mysql server to read the right folders and files.
[7 Oct 2020 10:09]
MySQL Verification Team
Hi,

> The whole point is about using a public certificate.

The public certificate should work exactly the same without any difference.

> You are unable to reproduce this issue because you're not using one such certificate.

I'm using a cert generated by me (not one auto-generated), so it is a "generated" certificate. The difference is I know this one is generated properly. I have no clue how lets_encrypt makes those.

> The files you're referring to are automatically created each time the systemd
> service is restarted, so your proposed trick cannot be implemented.

Nope, the certs I tested are created as described in the manual: https://dev.mysql.com/doc/refman/8.0/en/creating-ssl-files-using-openssl.html

> All public certificate related files are readable by mysql user.
> Finally, selinux is not used. Instead, apparmor is and I have added the necessary configuration to allow mysql server to read the right folders and files.

Have you tried with self-signed certs made by you, so not the ones made by lets_encrypt, as described at https://dev.mysql.com/doc/refman/8.0/en/creating-ssl-files-using-openssl.html? How exactly are you creating the lets_encrypt ones? Just `certbot -domains x.y` or ...?

Thanks,
Bogdan
[8 Nov 2020 1:00]
Bugs System
No feedback was provided for this bug for over a month, so it is being suspended automatically. If you are able to provide the information that was originally requested, please do so and change the status of the bug back to "Open".