Bug #69773 Generate SSL certs documentation: unique Common Names required
Submitted: 18 Jul 2013 2:25  Modified: 25 Jul 2013 14:44
Reporter: Jesper wisborg Krogh
Status: Closed  Impact on me: None
Category: MySQL Server: Documentation  Severity: S2 (Serious)
Version: 5.6  OS: Any
Assigned to: Paul DuBois  CPU Architecture: Any

[18 Jul 2013 2:25] Jesper wisborg Krogh
Description:
The instructions on how to create SSL certificates and keys in https://dev.mysql.com/doc/refman/5.6/en/creating-ssl-certs.html will not work with servers compiled with openssl if you use the same "Common Name" for either the server or client certificates/keys as was used for the CA certificate.

So the documentation should be updated with a note for this.

The error you typically get if you try to use the certificate and connect is:

ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)

See also the comment at the bottom of https://dev.mysql.com/doc/refman/5.6/en/creating-ssl-certs.html .

For MySQL compiled with yassl, the certificates and keys work.

How to repeat:
Follow the instructions on https://dev.mysql.com/doc/refman/5.6/en/creating-ssl-certs.html - this applies both to example 1 and example 2.

When asked for the Common Name, enter the same string for all three cases.

The verification now has warnings:
sslcerts$ openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem
server-cert.pem: C = XX, L = Default City, O = Default Company Ltd, CN = John Doe, emailAddress = john.doe@example.com
error 18 at 0 depth lookup:self signed certificate
OK
client-cert.pem: C = XX, L = Default City, O = Default Company Ltd, CN = John Doe, emailAddress = john.doe@example.com
error 18 at 0 depth lookup:self signed certificate
OK

Start MySQL (using openssl) and try to connect.

shell$ mysql
ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)

Suggested fix:
Add a note that it is important, when using the certificates/keys with openssl builds of MySQL, that the Common Name used for the CA certificate is different from the one used for the server/client certificates.
[25 Jul 2013 14:44] Paul DuBois
Thank you for your bug report. This issue has been addressed in the documentation. The updated documentation will appear on our website shortly, and will be included in the next release of the relevant products.

I'm adding this near the top of the page, before Example 1.

Important

Whatever method you use to generate the certificate and key files,
the Common Name value used for the server and client
certificates/keys must each differ from the Common Name value used
for the CA certificate. Otherwise, the certificate and key files will 
not work for servers compiled using OpenSSL. A typical error in this
case is: 

ERROR 2026 (HY000): SSL connection error:
error:00000001:lib(0):func(0):reason(1)
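As an added example (not part of this bug report and not the MySQL manual's own code), the following POSIX shell script runs the manual's Example 1 procedure end to end with the openssl command, once with the distinct Common Names the note above requires and once with the single identical subject from the How to repeat section, and checks each result with openssl verify. The C and O subject fields, the serial numbers, the temporary directory and the function names are assumptions made for the example. It relies on the manual's plain openssl x509 -req signing step, which adds no extensions to the leaf certificates, so a leaf's issuer name is its only link to the CA; when that name equals the leaf's own subject, OpenSSL's verifier treats the leaf as self-signed, which is the error 18 shown in the transcript above.

```shell
#!/bin/sh
# Added example, not code from the bug report or the MySQL manual.
# Scripts the manual's Example 1 (self-signed CA, then server and client
# certificates signed with "openssl x509 -req") for two scenarios and checks
# the result with "openssl verify". Assumed for the example: the C and O
# subject fields, the serial numbers, and the temporary directory.
set -eu

# gen_certs DIR CA_CN SERVER_CN CLIENT_CN
# Only the CN differs between the three subjects, so the CN alone decides
# whether a leaf's subject equals its issuer (which is the CA's subject).
gen_certs() {
    dir=$1 ca_cn=$2 server_cn=$3 client_cn=$4
    mkdir -p "$dir"
    # Self-signed CA certificate and key (manual's Example 1, first two steps).
    openssl req -x509 -newkey rsa:2048 -nodes -days 3600 \
        -subj "/C=XX/O=Example/CN=$ca_cn" \
        -keyout "$dir/ca-key.pem" -out "$dir/ca-cert.pem" 2>/dev/null
    serial=1
    for role in server client; do
        if [ "$role" = server ]; then cn=$server_cn; else cn=$client_cn; fi
        # Key and certificate request for the server or client.
        openssl req -newkey rsa:2048 -nodes \
            -subj "/C=XX/O=Example/CN=$cn" \
            -keyout "$dir/$role-key.pem" -out "$dir/$role-req.pem" 2>/dev/null
        # CA-signed leaf. As in the manual there is no -extfile, so the leaf
        # carries no extensions and its issuer name is its only link to the CA.
        # Unlike the manual, each leaf gets a distinct serial number: X.509
        # requires serial numbers to be unique per issuer.
        openssl x509 -req -in "$dir/$role-req.pem" -days 3600 \
            -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" \
            -set_serial "$serial" -out "$dir/$role-cert.pem" 2>/dev/null
        serial=$((serial + 1))
    done
}

# dn FIELD CERT: print CERT's subject or issuer DN without the "subject=" or
# "issuer=" label, so the two can be compared whatever DN formatting the
# installed OpenSSL version uses.
dn() {
    openssl x509 -noout -"$1" -in "$2" | sed 's/^[a-z]*= *//'
}

# self_issued CERT: true if CERT's subject equals its issuer. With no key
# identifier extensions present, that is what makes OpenSSL's verifier treat
# a leaf as self-signed instead of chaining it to the CA that signed it.
self_issued() {
    [ "$(dn subject "$1")" = "$(dn issuer "$1")" ]
}

# verify_leaf DIR CERT: true only if "openssl verify" accepts DIR/CERT against
# DIR/ca-cert.pem without any lookup error. The exit status alone is not
# enough: OpenSSL 1.0.x prints "error 18 at 0 depth lookup:self signed
# certificate" and still answers OK with status 0 (the transcript in this
# report), while later releases fail the verification; so the output is
# inspected as well.
verify_leaf() {
    out=$(openssl verify -CAfile "$1/ca-cert.pem" "$1/$2" 2>&1) || {
        printf '%s\n' "$out"
        return 1
    }
    printf '%s\n' "$out"
    case $out in
        *"depth lookup"*) return 1 ;;
    esac
}

# Run both scenarios and show the verifier's verdict on each.
demo() {
    work=$(mktemp -d)
    echo "== distinct Common Names, as the manual's note requires =="
    gen_certs "$work/good" "MySQL Example CA" mysql-server mysql-client
    verify_leaf "$work/good" server-cert.pem
    verify_leaf "$work/good" client-cert.pem
    echo "== one subject for CA, server and client, as in How to repeat =="
    gen_certs "$work/bad" "John Doe" "John Doe" "John Doe"
    if self_issued "$work/bad/server-cert.pem"; then
        echo "server-cert.pem: subject equals issuer, so it looks self-signed"
    fi
    if ! verify_leaf "$work/bad" server-cert.pem; then
        echo "server-cert.pem: rejected; a MySQL server built with OpenSSL rejects it too"
    fi
    rm -rf "$work"
}

if command -v openssl >/dev/null 2>&1; then
    demo
fi
```

Run it with sh on a host that has the openssl command. Any differing subject field would separate the leaf from the CA; only the CN is varied here to match the manual's note. The exit status of openssl verify is deliberately not trusted on its own: the OpenSSL 1.0.x verify command prints the error 18 line and still answers OK with exit status 0, which is exactly what the report's transcript shows, whereas later releases report a verification failure, so the function inspects the output as well.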