[MDEV-33430] Command line client error ERROR 2026 (HY000): TLS/SSL error: Server certificate validation failed. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. Error 0x800B0109(CERT_E_UNTRUSTEDROOT) - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Blocker
Resolution: Fixed
Affects Version/s: 11.4
Fix Version/s: 11.4.2
Component/s: Platform Windows, Scripts & Clients, SSL
Labels:
None

Description

I install recent 11.4 on Windows. I connect with the client like this

C:\>mysql -uroot

I get an surprising, absolutely incomprehensible, for an average user, message

ERROR 2026 (HY000): TLS/SSL error: Server certificate validation failed. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. Error 0x800B0109(CERT_E_UNTRUSTEDROOT)

Something went wrong with self-created certificates. I think it was meant to be transparent, in usual scenarios, like connecting with "mysql -uroot". It is not that.

Also, client started from elevated command line could, in the past, connect without password, or with wrong password due to user definition, that additionally allows local administrators to be authenticated as "root", via auth_gssapi

CREATE USER `root`@`localhost` IDENTIFIED VIA mysql_native_password USING '*E6CC90B878B948C35E92B003C792C46C58C4AF40' OR gssapi USING 'SID:BA

That does not work either, I can only connect via correct password in mysql_native_password. Wrong password (but admin user) now gives CERT_E_UNTRUSTEDROOT, where it worked in the past.

Correct password does not give untrusted root error, for the same, untrusted, generated certificate

Here are 4 attempts to connect, each behaving slightly differently. Sometimes the connection fails with CERT_E_UNTRUSTEDROOT, sometimes it fails with "Access denied (using password:YES) . Sometimes it succeeds. What is the logic?

PS C:\work\11.4\xxx\client\RelWithDebInfo> .\mysql

ERROR 2026 (HY000): TLS/SSL error: Server certificate validation failed. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. Error 0x800B0109(CERT_E_UNTRUSTEDROOT)

PS C:\work\11.4\xxx\client\RelWithDebInfo> .\mysql  --password=1

ERROR 1045 (28000): Access denied for user 'wva72'@'localhost' (using password: YES)

PS C:\work\11.4\xxx\client\RelWithDebInfo> .\mysql -uroot --password=1

Welcome to the MariaDB monitor.  Commands end with ; or \g.

Your MariaDB connection id is 14

Server version: 11.4.0-MariaDB Source distribution

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> quit

Bye

PS C:\work\11.4\xxx\client\RelWithDebInfo> .\mysql -uroot --password=2

ERROR 2026 (HY000): TLS/SSL error: Server certificate validation failed. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. Error 0x800B0109(CERT_E_UNTRUSTEDROOT)

The last one should succeed, via auth_gssapi, since it is run from administrator shell, but it does not

Attachments

Issue Links

is caused by

MDEV-31856 use ephemeral ssl certificates

Closed

MDEV-31857 enable --ssl-verify-server-cert by default

Closed

is duplicated by

MDEV-33396 main.user_limits fails sporadically with CERT_E_UNTRUSTED_ROOT

Closed

Activity

People

Assignee:: Vladislav Vaintroub

Reporter:: Vladislav Vaintroub

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2024-02-08 11:15

Updated:: 2024-02-09 19:45

Resolved:: 2024-02-09 19:43

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.