
Cakephp 3 - MySQL connection over SSL

I have a question about connecting to a MySQL server via SSL with CakePHP 3. I know that's maybe more of a PHP question, but I'm just noting here the framework I use.

So I set up a remote MySQL server and wanted to connect CakePHP to it. Unfortunately I got the MySQL error:

SQLSTATE[HY000] [3159] Connections using insecure transport are prohibited while --require_secure_transport=ON. 

Because I configured the server to only allow secure connections. After that I searched through the CakePHP documentation about secure connections and found the SSL certificate. Here's my setup:

config.php

'Datasources' => [
    'default' => [
        'className' => 'Cake\Database\Connection',
        'driver' => 'Cake\Database\Driver\Mysql',
        'persistent' => false,
        'host' => 'remote-ip',
        /**
         * CakePHP will use the default DB port based on the driver selected
         * MySQL on MAMP uses port 8889, MAMP users will want to uncomment
         * the following line and set the port accordingly
         */
        //'port' => 'non_standard_port_number',
        'username' => 'my_user',
        'password' => 'my_password',
        'database' => 'my_database',
        'encoding' => 'utf8',
        'timezone' => 'UTC',
        'flags' => [],
        'cacheMetadata' => true,
        'ssl_key' => '/home/my-user/client-ssl/client-key.pem',
        'ssl_cert' => '/home/my-user/client-ssl/client-cert.pem',
        'ssl_ca' => '/home/my-user/client-ssl/ca.pem',
        'log' => false,
    ],
],

Unfortunately I just got the following error:

SQLSTATE[HY000] [2002]

As far as I know everything should be set up correctly with the certificate, because I can use the terminal and Sequel to log in with the certs like so:

mysql -u my_user -h remote_ip -p --ssl-ca=~/client-ssl/ca.pem --ssl-cert=~/client-ssl/client-cert.pem --ssl-key=~/client-ssl/client-key.pem

If I try some raw PHP like this (of course with my information):

<?php
ini_set ('error_reporting', E_ALL);
ini_set ('display_errors', '1');
error_reporting (E_ALL|E_STRICT);

$db = mysqli_init();
mysqli_options ($db, MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);

$db->ssl_set('/etc/mysql/ssl/client-key.pem', '/etc/mysql/ssl/client-cert.pem', '/etc/mysql/ssl/ca-cert.pem', NULL, NULL);
$link = mysqli_real_connect ($db, 'ip', 'user', 'pass', 'db', 3306, NULL, MYSQLI_CLIENT_SSL);
if (!$link)
{
    die ('Connect error (' . mysqli_connect_errno() . '): ' . mysqli_connect_error() . "\n");
} else {
    $res = $db->query('SHOW TABLES;');
    print_r ($res);
    $db->close();
}
?>

I got:

PHP Warning: mysqli_real_connect(): Peer certificate CN=`MySQL_Server_5.7.20_Auto_Generated_Server_Certificate' did not match expected CN=`remote_ip'

So my question is now: does someone have similar problems, or can someone help me with the certificate? (I use Ubuntu 16, PHP 7.) Or is there another way to solve the "Connections using insecure transport ..." error?

What that error (Peer certificate CN=...) is telling you is that the autogenerated certificate was created for an IP or domain name (perhaps 127.0.0.1?) other than the one you are connecting with. Make sure you have a certificate for whatever 'remote-ip' is.

Most likely, the host entry in config.php is incorrect. Try setting it to your domain-name, server-ip, or even 'localhost'.

'host' => 'remote-ip',

generate a certificate.

It is also possible you're running into another issue already solved:

PHP MySQL over SSL. Peer certificate did not match
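
The check the answer describes can be run before changing any client setting. The script below is an added example, not code from the question or the answer: it lists the names a server certificate covers and compares them with the client's 'host' value. The two certificates are throwaway samples constructed inline, and db.example.test is a placeholder host; in practice the PEM would be the server's own certificate.

```php
<?php
// Added example: which names does a server certificate cover, and does the
// client's 'host' value match one of them?

/** Return the CN plus any subjectAltName entries of a PEM certificate. */
function certNames(string $pem): array
{
    $info = openssl_x509_parse($pem);
    if ($info === false) {
        throw new RuntimeException('Not a readable X.509 certificate');
    }
    $names = [];
    if (isset($info['subject']['CN'])) {
        $names[] = $info['subject']['CN'];
    }
    // subjectAltName is rendered as "DNS:db.example.test, IP Address:192.0.2.10"
    $san = $info['extensions']['subjectAltName'] ?? '';
    foreach (array_filter(array_map('trim', explode(',', $san))) as $entry) {
        $names[] = preg_replace('/^(DNS|IP Address):/', '', $entry);
    }
    return array_values(array_unique($names));
}

/** Exact, case-insensitive comparison; wildcard names are not handled here. */
function hostMatchesCert(string $host, string $pem): bool
{
    return in_array(strtolower($host), array_map('strtolower', certNames($pem)), true);
}

/** Constructed sample input: a self-signed certificate with the given CN. */
function sampleCert(string $cn): string
{
    $key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
    $csr = openssl_csr_new(['commonName' => $cn], $key, ['digest_alg' => 'sha256']);
    $x509 = openssl_csr_sign($csr, null, $key, 1, ['digest_alg' => 'sha256']);
    openssl_x509_export($x509, $pem);
    return $pem;
}

$host = 'db.example.test'; // placeholder for the 'host' value in the datasource config
$autoGenerated = sampleCert('MySQL_Server_5.7.20_Auto_Generated_Server_Certificate');
$reissued = sampleCert($host);

foreach (['auto-generated' => $autoGenerated, 're-issued' => $reissued] as $label => $pem) {
    printf("%-15s covers [%s] => %s\n", $label, implode(', ', certNames($pem)),
        hostMatchesCert($host, $pem) ? 'matches host' : 'does NOT match host');
}
```

The auto-generated sample reports a mismatch because its only name is the generated CN, which is the condition behind the "Peer certificate CN=... did not match" warning quoted in the question.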
