
MariaDB SSL using self signed client cert with letsencrypt signed server cert

How can I use self signed certs for encrypting client communications with MariaDB when the server side certificates are done via letsencrypt?

Most tutorials I've found, like https://www.cyberciti.biz/faq/how-to-setup-mariadb-ssl-and-secure-connections-from-clients/ , show you how to set up both server and client side certificates as self signed, sharing the same CA (Certificate Authority) certificate. This way works as expected, and when I connect to the DB via the command line it works with client side encryption.

/etc/my.cnf:

[mariadb]
ssl_cert=/certs/server-cert.pem
ssl_key=/certs/server-key.pem
ssl_ca=/certs/ca-cert.pem

/etc/mysql/mariadb.conf.d/50-mysql-clients.cnf:

[mysql]
ssl-ca=/certs/ca-cert.pem
ssl-cert=/certs/client-cert.pem
ssl-key=/certs/client-key.pem

With this configuration this command works: mysql -u root -p -h mysite.com --port=3310 --protocol=TCP --ssl-cert=/certs/client-cert.pem --ssl-key=/certs/client-key.pem --ssl-ca=/certs/ca-cert.pem --ssl-verify-server-cert

Note that I generated ca-cert.pem myself and used it to sign both the server and client certs, and that these certs verified correctly; after logging in and checking the server's status it indicates that SSL is being used.

This setup worked fine during development, but now my database is in production and I want to use letsencrypt certificates in my services. If I replace the server side certificates in my /etc/my.cnf file with the ones that letsencrypt gives me like so:

/etc/my.cnf:

[mariadb]
ssl_cert=/certs/cert.pem
ssl_key=/certs/privkey.pem
ssl_ca=/certs/chain.pem

but leave the 50-mysql-clients.cnf file with the self signed client certs as is, it no longer lets me log in using the certs. If I no longer try and use the client certs it still lets me log in using SSL, and a status check indicates that it is still using ssl, but the documentation says that this way the client packets aren't encrypted, only the server's.

Command that works: mysql -u root -p -h mysite.com --port=3310 --protocol=TCP --ssl-verify-server-cert

Command from before that no longer works: mysql -u root -p -h mysite.com --port=3310 --protocol=TCP --ssl-cert=/certs/client-cert.pem --ssl-key=/certs/client-key.pem --ssl-ca=/certs/ca-cert.pem --ssl-verify-server-cert

Error Message: ERROR 2026 (HY000): SSL connection error: unable to get local issuer certificate

Using the server certs letsencrypt generates in the command also doesn't work: mysql -u root -p -h mysite.com --port=3310 --protocol=TCP --ssl-ca=/certs/chain.pem --ssl-cert=/certs/cert.pem --ssl-key=/certs/privkey.pem --ssl-verify-server-cert

Error Message: ERROR 2026 (HY000): SSL connection error: unable to get issuer certificate

Status check:

MariaDB [(none)]> status
--------------
mysql  Ver 15.1 Distrib 10.5.8-MariaDB, for osx10.15 (x86_64) using readline 5.1

Connection id:      4
Current database:
Current user:       root@myipaddress
SSL:            Cipher in use is TLS_AES_256_GCM_SHA384
Current pager:      less
Using outfile:      ''
Using delimiter:    ;
Server:         MariaDB
Server version:     10.5.4-MariaDB-1:10.5.4+maria~focal mariadb.org binary distribution
Protocol version:   10
Connection:     mysite.com via TCP/IP
Server characterset:    utf8mb4
Db     characterset:    utf8mb4
Client characterset:    utf8
Conn.  characterset:    utf8
TCP port:       3310
Uptime:         3 min 33 sec

How can I still do 2 way ssl encryption with both client and server when using letsencrypt certificates with MariaDB?

Too long for a comment...

  1. One way TLS means that the server sends its certificate to the client, and the client verifies it. Two way TLS means that the client also sends its certificate to the server, and the server verifies the client certificate. The latter happens only if the REQUIRE X509, REQUIRE SUBJECT and/or REQUIRE ISSUER clauses are specified for the account. If no REQUIRE was specified, you don't have to specify a client certificate.

  2. Regardless of one- or two-way, a TLS connection always sends encrypted data in both directions (unless OpenSSL was built with NONE cipher support and the client specified the NONE cipher).

  3. Error message: "unable to get local issuer certificate" means that something in the root certificate chain is missing. If it's not a self signed certificate, you should verify it with the system CA (without specifying ssl-ca or ssl-ca-path) or add the server certificate to your CA file.
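As an added example (not part of the original question or answer), the POSIX shell script below rebuilds the two trust chains from the post with throwaway keys and runs openssl verify the way each side of the handshake does: the client checks the server certificate against the file it was given with --ssl-ca, and the server checks the client certificate against its ssl_ca. File names follow the post; chain.pem here is a constructed single self-signed CA standing in for the Let's Encrypt chain, the mysite.com and mariadb-client names are placeholders, and the script assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not from the original post. Reproduces the "unable to get local
# issuer certificate" diagnosis offline with throwaway keys. All names are
# constructed; "chain.pem" is a stand-in for the Let's Encrypt chain, not the real one.
set -eu

# Minimal OpenSSL config so the lab does not depend on the system openssl.cnf.
write_config() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
EOF
}

# issue_leaf DIR CA LEAF CN: create DIR/LEAF-key.pem and DIR/LEAF.pem signed by DIR/CA.pem
issue_leaf() {
  dir=$1; ca=$2; leaf=$3; cn=$4
  openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
    -keyout "$dir/$leaf-key.pem" -out "$dir/$leaf.csr" -subj "/CN=$cn" 2>/dev/null
  openssl x509 -req -in "$dir/$leaf.csr" -CA "$dir/$ca.pem" -CAkey "$dir/$ca-key.pem" \
    -CAcreateserial -days 1 -extfile "$dir/req.cnf" -extensions v3_leaf \
    -out "$dir/$leaf.pem" 2>/dev/null
}

# make_lab DIR: two unrelated CAs, one leaf each, and a bundle holding both CAs.
#   ca-cert.pem -> signs client-cert.pem (the self-made CA from the post)
#   chain.pem   -> signs cert.pem        (constructed stand-in for the LE chain)
make_lab() {
  dir=$1
  mkdir -p "$dir"
  write_config "$dir/req.cnf"
  for ca in ca-cert chain; do
    openssl req -x509 -config "$dir/req.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
      -keyout "$dir/$ca-key.pem" -out "$dir/$ca.pem" -days 1 -subj "/CN=$ca" 2>/dev/null
  done
  issue_leaf "$dir" ca-cert client-cert mariadb-client
  issue_leaf "$dir" chain cert mysite.com
  cat "$dir/ca-cert.pem" "$dir/chain.pem" > "$dir/ca-bundle.pem"
}

# verify_against CAFILE CERT: prints "ok" or OpenSSL's reason text for the failure.
# The system trust store is disabled so only CAFILE decides, like a MariaDB side
# that was pointed at one explicit CA file.
verify_against() {
  if out=$(openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" 2>&1); then
    echo ok
  else
    printf '%s\n' "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1
  fi
}

# Walk through the post's situation: a side that only trusts the other chain's CA
# cannot build a path to the issuer and reports error 20; the matching CA, or a
# bundle containing both CAs, verifies.
lab=$(mktemp -d)
trap 'rm -rf "$lab"' EXIT
make_lab "$lab"
printf 'client checks cert.pem with ca-cert.pem        : %s\n' "$(verify_against "$lab/ca-cert.pem" "$lab/cert.pem")"
printf 'server checks client-cert.pem with chain.pem   : %s\n' "$(verify_against "$lab/chain.pem" "$lab/client-cert.pem")"
printf 'client checks cert.pem with chain.pem          : %s\n' "$(verify_against "$lab/chain.pem" "$lab/cert.pem")"
printf 'server checks client-cert.pem with ca-cert.pem : %s\n' "$(verify_against "$lab/ca-cert.pem" "$lab/client-cert.pem")"
printf 'either side with ca-bundle.pem                 : %s / %s\n' \
  "$(verify_against "$lab/ca-bundle.pem" "$lab/cert.pem")" \
  "$(verify_against "$lab/ca-bundle.pem" "$lab/client-cert.pem")"
```

Mapped back to the MariaDB names in the post: the client's --ssl-ca has to contain the issuer of the server certificate (the Let's Encrypt chain, or the system store when no file is given), while the server's ssl_ca has to contain the private CA that signed client-cert.pem; the two CA files are independent, and a bundle with both in it satisfies either side. The REQUIRE X509 clause from the answer is what makes the server insist on a client certificate that passes that check.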
