Mysql 使用证书的 SSL 连接特定问题
Mysql SSL connection specific problem with using certificates
问题:当我尝试使用证书时,无法在远程 MySql 服务器和我的本地计算机之间建立连接。
- Mysql 版本:Ver 14.14 Distrib 5.7.31,用于 Linux (x86_64) 使用 EditLine wrapper
- 本图 18.04.3 LTS
我在新的 Ubuntu 服务器上创建了新的 Mysql 实例。我已经通过脚本创建了用户:
CREATE USER 'sammy'@'MY_COMPUTER_IP' IDENTIFIED WITH mysql_native_password BY 'password';
当我输入 SHOW GLOBAL VARIABLES LIKE '%ssl%'; 时,我看到:
+---------------+--------------------------------+
| Variable_name | Value |
+---------------+--------------------------------+
| have_openssl | YES |
| have_ssl | YES |
| ssl_ca | /var/lib/mysql/ca.pem |
| ssl_capath | |
| ssl_cert | /var/lib/mysql/server-cert.pem |
| ssl_cipher | |
| ssl_crl | |
| ssl_crlpath | |
| ssl_key | /var/lib/mysql/server-key.pem |
+---------------+--------------------------------+
我还可以看到(默认情况下)证书位于 /var/lib/mysql/:
root@xxxxxx:/var/log/mysql# sudo find /var/lib/mysql -name '*.pem' -ls
258224 4 -rw------- 1 mysql mysql 1676 Aug 12 15:34 /var/lib/mysql/server-key.pem
258226 4 -rw------- 1 mysql mysql 1680 Aug 12 15:34 /var/lib/mysql/client-key.pem
258225 4 -rw------- 1 mysql mysql 1112 Aug 12 15:34 /var/lib/mysql/server-cert.pem
258227 4 -rw------- 1 mysql mysql 1112 Aug 12 15:34 /var/lib/mysql/client-cert.pem
258223 4 -rw------- 1 mysql mysql 2224 Aug 12 17:01 /var/lib/mysql/ca.pem
258523 4 -rw------- 1 mysql mysql 452 Aug 12 15:34 /var/lib/mysql/public_key.pem
258495 4 -rw------- 1 mysql mysql 1680 Aug 12 15:34 /var/lib/mysql/private_key.pem
258222 4 -rw------- 1 mysql mysql 1676 Aug 12 15:34 /var/lib/mysql/ca-key.pem
这是我的 /etc/mysql/my.cnf 文件的样子:
!includedir /etc/mysql/conf.d/
!includedir /etc/mysql/mysql.conf.d/
[mysqld]
require_secure_transport = ON
bind-address = thie_is_myserver_address_ip
ssl-ca=/var/lib/mysql/ca.pem
ssl-cert=/var/lib/mysql/server-cert.pem
ssl-key=/var/lib/mysql/server-key.pem
更改后 运行:
sudo systemctl restart mysql
我已将以下证书复制到我的本地计算机:
- /var/lib/mysql/ca.pem
- /var/lib/mysql/client-cert.pem
- /var/lib/mysql/client-key.pem
我尝试使用登录名和密码通过 mysqlWorkbench 登录,我已将这 3 个证书添加到 SSL 选项卡中,但没有成功...
现在我收到错误:
SSL connection error: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
错误日志(/var/log/mysql/error.log):
2020-08-12T20:22:48.398042Z 0 [Warning] TIMESTAMP with implicit DEFAULT value is deprecated. Please use --explicit_defaults_for_timestamp server option (see documentation for more details).
2020-08-12T20:22:48.400817Z 0 [Note] /usr/sbin/mysqld (mysqld 5.7.31-0ubuntu0.18.04.1) starting as process 6428 ...
2020-08-12T20:22:48.407237Z 0 [Note] InnoDB: PUNCH HOLE support available
2020-08-12T20:22:48.407288Z 0 [Note] InnoDB: Mutexes and rw_locks use GCC atomic builtins
2020-08-12T20:22:48.407302Z 0 [Note] InnoDB: Uses event mutexes
2020-08-12T20:22:48.407312Z 0 [Note] InnoDB: GCC builtin __atomic_thread_fence() is used for memory barrier
2020-08-12T20:22:48.407322Z 0 [Note] InnoDB: Compressed tables use zlib 1.2.11
2020-08-12T20:22:48.407332Z 0 [Note] InnoDB: Using Linux native AIO
2020-08-12T20:22:48.407814Z 0 [Note] InnoDB: Number of pools: 1
2020-08-12T20:22:48.407982Z 0 [Note] InnoDB: Using CPU crc32 instructions
2020-08-12T20:22:48.412789Z 0 [Note] InnoDB: Initializing buffer pool, total size = 128M, instances = 1, chunk size = 128M
2020-08-12T20:22:48.426101Z 0 [Note] InnoDB: Completed initialization of buffer pool
2020-08-12T20:22:48.429598Z 0 [Note] InnoDB: If the mysqld execution user is authorized, page cleaner thread priority can be changed. See the man page of setpriority().
2020-08-12T20:22:48.442195Z 0 [Note] InnoDB: Highest supported file format is Barracuda.
2020-08-12T20:22:48.457283Z 0 [Note] InnoDB: Creating shared tablespace for temporary tables
2020-08-12T20:22:48.457488Z 0 [Note] InnoDB: Setting file './ibtmp1' size to 12 MB. Physically writing the file full; Please wait ...
2020-08-12T20:22:48.497583Z 0 [Note] InnoDB: File './ibtmp1' size is now 12 MB.
2020-08-12T20:22:48.499136Z 0 [Note] InnoDB: 96 redo rollback segment(s) found. 96 redo rollback segment(s) are active.
2020-08-12T20:22:48.499162Z 0 [Note] InnoDB: 32 non-redo rollback segment(s) are active.
2020-08-12T20:22:48.499694Z 0 [Note] InnoDB: Waiting for purge to start
2020-08-12T20:22:48.550043Z 0 [Note] InnoDB: 5.7.31 started; log sequence number 2721125
2020-08-12T20:22:48.550897Z 0 [Note] Plugin 'FEDERATED' is disabled.
2020-08-12T20:22:48.556599Z 0 [Note] InnoDB: Loading buffer pool(s) from /var/lib/mysql/ib_buffer_pool
2020-08-12T20:22:48.559994Z 0 [Note] InnoDB: Buffer pool(s) load completed at 200812 20:22:48
2020-08-12T20:22:48.569386Z 0 [Note] Skipping generation of SSL certificates as options related to SSL are specified.
2020-08-12T20:22:48.570843Z 0 [Note] Skipping generation of RSA key pair as key files are present in data directory.
2020-08-12T20:22:48.571010Z 0 [Note] Server hostname (bind-address): 'xx.xxx.xx.xx'; port: 3306
2020-08-12T20:22:48.571043Z 0 [Note] - 'xxx.xxx.xxx.xxx' resolves to 'xx.xx.xx.xx';
2020-08-12T20:22:48.571103Z 0 [Note] Server socket created on IP: 'xx.xx.xx.xx'.
2020-08-12T20:22:48.588243Z 0 [Note] Event Scheduler: Loaded 0 events
2020-08-12T20:22:48.588702Z 0 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.7.31-0ubuntu0.18.04.1' socket: '/var/run/mysqld/mysqld.sock' port: 3306 (Ubuntu)
2020-08-12T20:23:23.485022Z 2 [Note] Bad handshake
2020-08-12T20:24:27.578481Z 3 [Note] Bad handshake
当我尝试通过为客户端添加配置(在 /etc/mysql/my.cnf 文件中)在本地连接到远程服务器时:
[client]
ssl-ca=/var/lib/mysql/ca.pem
ssl-cert=/var/lib/mysql/client-cert.pem
ssl-key=/var/lib/mysql/client-key.pem
然后我重置 mysql 并尝试在本地登录我收到:
root@xxxxxx:/var/log/mysql# mysql -u root -p
Enter password:
ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
当我从 my.cnf 文件中删除证书路径时,它与 opu 证书一起工作。
但是我必须 运行 这个有证书。
我做错了什么?谢谢指教!
其实我忘了这个命令
CREATE USER 'mysql_user'@'your_mysql_client_IP' IDENTIFIED BY 'password' REQUIRE X509;
我推荐这 2 个简单的教程来使用 SSL/TLS 证书设置您的 mysql 数据库:
目前在第 1 点。全新安装已包含生成的证书,因此您不必生成新证书。如果你真的想生成新证书或者你想刷新旧证书(默认证书的有效期为356)你可以使用这个命令:
sudo mysql_ssl_rsa_setup --uid=mysql
或者您可以通过本教程手动生成它:
并将新证书放入此文件夹:
/var/lib/mysql/
问题:当我尝试使用证书时,无法在远程 MySql 服务器和我的本地计算机之间建立连接。
- Mysql 版本:Ver 14.14 Distrib 5.7.31,用于 Linux (x86_64) 使用 EditLine wrapper
- 本图 18.04.3 LTS
我在新的 Ubuntu 服务器上创建了新的 Mysql 实例。我已经通过脚本创建了用户:
CREATE USER 'sammy'@'MY_COMPUTER_IP' IDENTIFIED WITH mysql_native_password BY 'password';
当我输入 SHOW GLOBAL VARIABLES LIKE '%ssl%'; 时,我看到:
+---------------+--------------------------------+
| Variable_name | Value |
+---------------+--------------------------------+
| have_openssl | YES |
| have_ssl | YES |
| ssl_ca | /var/lib/mysql/ca.pem |
| ssl_capath | |
| ssl_cert | /var/lib/mysql/server-cert.pem |
| ssl_cipher | |
| ssl_crl | |
| ssl_crlpath | |
| ssl_key | /var/lib/mysql/server-key.pem |
+---------------+--------------------------------+
我还可以看到(默认情况下)证书位于 /var/lib/mysql/:
root@xxxxxx:/var/log/mysql# sudo find /var/lib/mysql -name '*.pem' -ls
258224 4 -rw------- 1 mysql mysql 1676 Aug 12 15:34 /var/lib/mysql/server-key.pem
258226 4 -rw------- 1 mysql mysql 1680 Aug 12 15:34 /var/lib/mysql/client-key.pem
258225 4 -rw------- 1 mysql mysql 1112 Aug 12 15:34 /var/lib/mysql/server-cert.pem
258227 4 -rw------- 1 mysql mysql 1112 Aug 12 15:34 /var/lib/mysql/client-cert.pem
258223 4 -rw------- 1 mysql mysql 2224 Aug 12 17:01 /var/lib/mysql/ca.pem
258523 4 -rw------- 1 mysql mysql 452 Aug 12 15:34 /var/lib/mysql/public_key.pem
258495 4 -rw------- 1 mysql mysql 1680 Aug 12 15:34 /var/lib/mysql/private_key.pem
258222 4 -rw------- 1 mysql mysql 1676 Aug 12 15:34 /var/lib/mysql/ca-key.pem
这是我的 /etc/mysql/my.cnf 文件的样子:
!includedir /etc/mysql/conf.d/
!includedir /etc/mysql/mysql.conf.d/
[mysqld]
require_secure_transport = ON
bind-address = thie_is_myserver_address_ip
ssl-ca=/var/lib/mysql/ca.pem
ssl-cert=/var/lib/mysql/server-cert.pem
ssl-key=/var/lib/mysql/server-key.pem
更改后 运行:
sudo systemctl restart mysql
我已将以下证书复制到我的本地计算机:
- /var/lib/mysql/ca.pem
- /var/lib/mysql/client-cert.pem
- /var/lib/mysql/client-key.pem
我尝试使用登录名和密码通过 mysqlWorkbench 登录,我已将这 3 个证书添加到 SSL 选项卡中,但没有成功...
现在我收到错误:
SSL connection error: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
错误日志(/var/log/mysql/error.log):
2020-08-12T20:22:48.398042Z 0 [Warning] TIMESTAMP with implicit DEFAULT value is deprecated. Please use --explicit_defaults_for_timestamp server option (see documentation for more details).
2020-08-12T20:22:48.400817Z 0 [Note] /usr/sbin/mysqld (mysqld 5.7.31-0ubuntu0.18.04.1) starting as process 6428 ...
2020-08-12T20:22:48.407237Z 0 [Note] InnoDB: PUNCH HOLE support available
2020-08-12T20:22:48.407288Z 0 [Note] InnoDB: Mutexes and rw_locks use GCC atomic builtins
2020-08-12T20:22:48.407302Z 0 [Note] InnoDB: Uses event mutexes
2020-08-12T20:22:48.407312Z 0 [Note] InnoDB: GCC builtin __atomic_thread_fence() is used for memory barrier
2020-08-12T20:22:48.407322Z 0 [Note] InnoDB: Compressed tables use zlib 1.2.11
2020-08-12T20:22:48.407332Z 0 [Note] InnoDB: Using Linux native AIO
2020-08-12T20:22:48.407814Z 0 [Note] InnoDB: Number of pools: 1
2020-08-12T20:22:48.407982Z 0 [Note] InnoDB: Using CPU crc32 instructions
2020-08-12T20:22:48.412789Z 0 [Note] InnoDB: Initializing buffer pool, total size = 128M, instances = 1, chunk size = 128M
2020-08-12T20:22:48.426101Z 0 [Note] InnoDB: Completed initialization of buffer pool
2020-08-12T20:22:48.429598Z 0 [Note] InnoDB: If the mysqld execution user is authorized, page cleaner thread priority can be changed. See the man page of setpriority().
2020-08-12T20:22:48.442195Z 0 [Note] InnoDB: Highest supported file format is Barracuda.
2020-08-12T20:22:48.457283Z 0 [Note] InnoDB: Creating shared tablespace for temporary tables
2020-08-12T20:22:48.457488Z 0 [Note] InnoDB: Setting file './ibtmp1' size to 12 MB. Physically writing the file full; Please wait ...
2020-08-12T20:22:48.497583Z 0 [Note] InnoDB: File './ibtmp1' size is now 12 MB.
2020-08-12T20:22:48.499136Z 0 [Note] InnoDB: 96 redo rollback segment(s) found. 96 redo rollback segment(s) are active.
2020-08-12T20:22:48.499162Z 0 [Note] InnoDB: 32 non-redo rollback segment(s) are active.
2020-08-12T20:22:48.499694Z 0 [Note] InnoDB: Waiting for purge to start
2020-08-12T20:22:48.550043Z 0 [Note] InnoDB: 5.7.31 started; log sequence number 2721125
2020-08-12T20:22:48.550897Z 0 [Note] Plugin 'FEDERATED' is disabled.
2020-08-12T20:22:48.556599Z 0 [Note] InnoDB: Loading buffer pool(s) from /var/lib/mysql/ib_buffer_pool
2020-08-12T20:22:48.559994Z 0 [Note] InnoDB: Buffer pool(s) load completed at 200812 20:22:48
2020-08-12T20:22:48.569386Z 0 [Note] Skipping generation of SSL certificates as options related to SSL are specified.
2020-08-12T20:22:48.570843Z 0 [Note] Skipping generation of RSA key pair as key files are present in data directory.
2020-08-12T20:22:48.571010Z 0 [Note] Server hostname (bind-address): 'xx.xxx.xx.xx'; port: 3306
2020-08-12T20:22:48.571043Z 0 [Note] - 'xxx.xxx.xxx.xxx' resolves to 'xx.xx.xx.xx';
2020-08-12T20:22:48.571103Z 0 [Note] Server socket created on IP: 'xx.xx.xx.xx'.
2020-08-12T20:22:48.588243Z 0 [Note] Event Scheduler: Loaded 0 events
2020-08-12T20:22:48.588702Z 0 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.7.31-0ubuntu0.18.04.1' socket: '/var/run/mysqld/mysqld.sock' port: 3306 (Ubuntu)
2020-08-12T20:23:23.485022Z 2 [Note] Bad handshake
2020-08-12T20:24:27.578481Z 3 [Note] Bad handshake
当我尝试通过为客户端添加配置(在 /etc/mysql/my.cnf 文件中)在本地连接到远程服务器时:
[client]
ssl-ca=/var/lib/mysql/ca.pem
ssl-cert=/var/lib/mysql/client-cert.pem
ssl-key=/var/lib/mysql/client-key.pem
然后我重置 mysql 并尝试在本地登录我收到:
root@xxxxxx:/var/log/mysql# mysql -u root -p
Enter password:
ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
当我从 my.cnf 文件中删除证书路径时,它与 opu 证书一起工作。 但是我必须 运行 这个有证书。
我做错了什么?谢谢指教!
其实我忘了这个命令
CREATE USER 'mysql_user'@'your_mysql_client_IP' IDENTIFIED BY 'password' REQUIRE X509;
我推荐这 2 个简单的教程来使用 SSL/TLS 证书设置您的 mysql 数据库:
目前在第 1 点。全新安装已包含生成的证书,因此您不必生成新证书。如果你真的想生成新证书或者你想刷新旧证书(默认证书的有效期为356)你可以使用这个命令:
sudo mysql_ssl_rsa_setup --uid=mysql
或者您可以通过本教程手动生成它:
并将新证书放入此文件夹:
/var/lib/mysql/