[MDEV-20404] Validation of SSL server certificate failed Created: 2019-08-22  Updated: 2023-10-03  Resolved: 2023-10-03

Status: Closed
Project: MariaDB Server
Component/s: Platform Debian, SSL
Affects Version/s: 10.3
Fix Version/s: N/A

Type: Bug Priority: Major
Reporter: e.ms Assignee: Georg Richter
Resolution: Incomplete Votes: 0
Labels: ECC384, client-zertifikat, mariadb, ssl
Environment:

Debian Buster


Issue Links:
Relates
relates to MDEV-23740 ssl connection fails when server and ... Closed

 Description   

I have a MariaDB installation on Debian Buster and am stuck with SSL encryption. I proceeded as follows:

sudo apt install software-properties-common dirmngr
sudo apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 0xF1656F24C74CD1D8
sudo add-apt-repository 'deb [arch=amd64] http://ftp.hosteurope.de/mirror/mariadb.org/repo/10.3/debian stretch main'
sudo apt update
sudo apt install mariadb-server-10.3 libmariadbclient18
sudo apt update
sudo apt upgrade

nano /etc/mysql/my.cnf
bind-address = SERVER-IP

sudo nano /etc/mysql/mariadb.conf.d/50-server.cnf
[mysqld]
ssl
ssl-ca=/etc/mysql/ca_ecdsa.crt.pem
ssl-cert=/etc/mysql/server_ecdsa.crt.pem
ssl-key=/etc/mysql/server_ecdsa.key.pem

sudo nano /etc/mysql/mariadb.conf.d/50-mysql-clients.cnf
[mysql]
ssl-ca=/etc/mysql/ca_ecdsa.crt.pem
ssl-cert=/etc/mysql/client_ecdsa.crt.pem
ssl-key=/etc/mysql/client_ecdsa.key.pem
ssl-verify-server-cert=on

sudo systemctl restart mysql
mysql -u root -p
ERROR 2026 (HY000): SSL connection error: Validation of SSL server certificate failed

If I remove the certificates from 50-mysql-clients.cnf, I can log in.

sudo nano /etc/mysql/mariadb.conf.d/50-mysql-clients.cnf
[mysql]
#ssl-ca=/etc/mysql/ca_ecdsa.crt.pem
#ssl-cert=/etc/mysql/client_ecdsa.crt.pem
#ssl-key=/etc/mysql/client_ecdsa.key.pem
ssl-verify-server-cert=on

sudo systemctl restart mysql
mysql -u root -p
/s
SSL: Cipher in use is TLS_AES_256_GCM_SHA384
SHOW VARIABLES LIKE '%ssl%';
have_openssl | YES
have_ssl | YES
version_ssl_library | OpenSSL 1.1.1c 28 May 2019

I hope someone can help me with this.



 Comments   
Comment by Georg Richter [ 2019-10-10 ]

Hi,
can you please provide some more information:

  • exact server version
  • certificate information, e.g. with openssl

openssl x509 -text -noout -in /etc/mysql/server_ecdsa.crt.pem
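
The certificate details requested above can be gathered in one pass together with two checks: whether the server certificate chains to the ssl-ca file, and whether it names the host the client connects to, which is what ssl-verify-server-cert compares. This is an added example, not part of the ticket or of MariaDB; `check_server_cert`, `make_constructed_cert` and the host name passed in are assumptions.

```shell
#!/bin/sh
# Added example: check_server_cert and make_constructed_cert are hypothetical
# helpers, not MariaDB or ticket code.

# make_constructed_cert DIR NAME CN
# Writes a throwaway self-signed P-384 certificate (constructed test input).
make_constructed_cert() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 \
        -nodes -days 1 -subj "/CN=$3" \
        -keyout "$1/$2.key.pem" -out "$1/$2.crt.pem" 2>/dev/null
}

# check_server_cert CA_FILE CERT_FILE HOST
# Return code: 0 = both checks pass, 1 = chain fails, 2 = name mismatch, 3 = both.
check_server_cert() {
    ca=$1 cert=$2 host=$3 rc=0

    # The fields requested in the ticket, in compact form.
    openssl x509 -in "$cert" -noout -subject -issuer -dates
    openssl x509 -in "$cert" -noout -text \
        | grep -A1 'Subject Alternative Name' || echo "SAN: none"

    # 1) Does the certificate chain to the file configured as ssl-ca?
    if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "chain: OK"
    else
        echo "chain: FAIL (run 'openssl verify -CAfile $ca $cert' for the reason)"
        rc=$((rc + 1))
    fi

    # 2) Does the certificate name the host the client connects to?
    if openssl x509 -in "$cert" -noout -checkhost "$host" \
        | grep -q 'does match'; then
        echo "name: OK ($host)"
    else
        echo "name: FAIL ($host is not in the certificate's CN/SAN)"
        rc=$((rc + 2))
    fi
    return "$rc"
}

# Usage with the paths from the ticket; the host name is an assumption:
# check_server_cert /etc/mysql/ca_ecdsa.crt.pem /etc/mysql/server_ecdsa.crt.pem localhost
```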

Generated at Thu Feb 08 08:59:12 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.