
can't access mediawiki site with ssl database user

I just added a remote database to my MediaWiki setup. I can access the database from the command line with a regular database user, and using that info in the config, the wiki site shows up in a browser and works.

But some of the data is sensitive so I need to add an ssl user to access the database.

If I add an ssl user to the db, I can also access it from the command line of the web server no problem:

[root@ops:~] #mysql -uadmin_ssl -p -h db.example.com -e "SHOW DATABASES"
Enter password:
+--------------------+
| Database           |
+--------------------+
| certs              |
| information_schema |
| jfwiki             |
| mysql              |
| performance_schema |
+--------------------+

But with the ssl user in place in LocalSettings.php, I'm getting this response from the browser:

Sorry! This site is experiencing technical difficulties.

Try waiting a few minutes and reloading.

(Cannot access the database: Access denied for user 'admin_ssl'@'ec2-xx-xx-xxx-xx.compute-1.amazonaws.com' (using password: YES) (db.example.com))

You can try searching via Google in the meantime.
Note that their indexes of our content may be out of date.

JF Wiki  WWW

This is what the grant for the user looks like in the database:

MariaDB [(none)]> show grants for  'admin_ssl'@'ec2-xx-xx-xxx-xx.compute-1.amazonaws.com';
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Grants for admin_ssl@ec2-xx-xx-xxx-xx.compute-1.amazonaws.com                                                                                                        |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'admin_ssl'@'ec2-xx-xx-xxx-xx.compute-1.amazonaws.com' IDENTIFIED BY PASSWORD '*somePasswordHash' REQUIRE SSL |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

I was just wondering what I'd need to do to make this work!! All suggestions welcomed.

There isn't any fundamental difference between connecting via the command line MySQL client from your webserver and using MediaWiki; if one works and the other does not, you probably configured them differently. At a guess, the command line client uses ssl because it is enabled in my.cnf, but you did not set $wgDBssl or an equivalent setting.

Yes, I realize you are correct that there is no fundamental difference in connecting from the mysql client on the command line to the db and using mediawiki.

I did have ssl configured for the client in my.cnf on the web server I was testing from:

[client]
ssl-ca=/opt/mysql/ca.crt
ssl-cert=/opt/mysql/ops.example.com.crt
ssl-key=/opt/mysql/ops.example.com.key

That's why I was able to connect from the web server to the DB using SSL.

The problem I found was that I didn't know and wasn't aware of the $wgDBssl setting.

I read about that here:

Mediawiki $wgDBssl

These were the settings in LocalSettings.php that got this working for me:

## Database settings
$wgLBFactoryConf['class'] = 'LBFactorySimple';
$wgDBservers = '';
$wgDBtype = "mysql";
$wgDBserver = "db.example.com";
$wgDBssl    =  1;
$wgDBname = "jfwiki";
$wgDBuser = "admin_ssl";
$wgDBpassword = "secret";

I can now load the wiki page using SSL on the load balanced database VIP. And I have restored all web servers to the load balancing pool. And still the wiki site is working great!

Thanks for your input! Tim
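
The mismatch described in this thread, as an added example that is not part of the original posts: a Python check that compares the `[client]` section of my.cnf with `$wgDBssl` in LocalSettings.php and reports when only the command line client requests TLS, which is the case where a `REQUIRE SSL` account is refused from the wiki. The function names are hypothetical, and the sample inputs are constructed from the settings quoted on this page.

```python
import configparser
import re

# Constructed sample inputs that mirror the configuration quoted on this page.
MY_CNF = """\
[client]
ssl-ca=/opt/mysql/ca.crt
ssl-cert=/opt/mysql/ops.example.com.crt
ssl-key=/opt/mysql/ops.example.com.key
"""
LOCAL_SETTINGS_BEFORE = """\
$wgDBtype = "mysql";
$wgDBserver = "db.example.com";
$wgDBname = "jfwiki";
$wgDBuser = "admin_ssl";
"""
LOCAL_SETTINGS_AFTER = LOCAL_SETTINGS_BEFORE + "$wgDBssl    =  1;\n"


def cli_client_uses_tls(my_cnf_text):
    """True if the [client] section of my.cnf sets any ssl-* option."""
    parser = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    parser.read_string(my_cnf_text)
    if not parser.has_section("client"):
        return False
    return any(key.replace("_", "-").startswith("ssl") for key in parser.options("client"))


def mediawiki_uses_tls(local_settings_text):
    """True if the last uncommented $wgDBssl assignment is truthy."""
    enabled = False
    for line in local_settings_text.splitlines():
        code = re.split(r"#|//", line, maxsplit=1)[0]  # drop PHP line comments
        m = re.search(r"\$wgDBssl\s*=\s*([^;]+);", code)
        if m:
            enabled = m.group(1).strip().strip("'\"").lower() not in ("0", "false", "", "null")
    return enabled


def diagnose(my_cnf_text, local_settings_text):
    """Explain whether the CLI path and the MediaWiki path agree on TLS."""
    cli, wiki = cli_client_uses_tls(my_cnf_text), mediawiki_uses_tls(local_settings_text)
    if cli and not wiki:
        return "mismatch: CLI uses TLS, MediaWiki does not; a REQUIRE SSL account is denied"
    if wiki:
        return "ok: MediaWiki requests TLS"
    return "no TLS configured on either path"

if __name__ == "__main__":
    print(diagnose(MY_CNF, LOCAL_SETTINGS_BEFORE))
```

The check only reads configuration text; it does not confirm that the server actually negotiated TLS for a given session.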
