使用this guide我试图建立MariaDB的(MySQL的)使用DBSERVER和appclient之间SSL。MariaDB的通过SSL不工作, “证书验证失败”
我按照指南在服务器上创建了服务器和客户端证书。然后我复制了三个必要的客户端文件,以appclient并设置所有权和权限:
[[email protected] mysql]# ll /etc/pki/tls/certs/
drwxr-xr-x. 2 mysql mysql 88 Feb 9 13:31 mysql
[[email protected] mysql]# ll /etc/pki/tls/certs/mysql/
-rw-------. 1 mysql mysql 1372 Feb 9 13:31 ca-cert.pem
-rw-------. 1 mysql mysql 1230 Feb 9 14:16 client-cert.pem
-rw-------. 1 mysql mysql 1705 Feb 9 14:16 client-key.pem
这里有appclient完整的my.cnf:
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
symbolic-links=0
[client]
ssl-ca=/etc/pki/tls/certs/mysql/ca-cert.pem
ssl-cert=/etc/pki/tls/certs/mysql/client-cert.pem
ssl-key=/etc/pki/tls/certs/mysql/client-key.pem
[mysqld_safe]
log-error=/var/log/mariadb/mariadb.log
pid-file=/var/run/mariadb/mariadb.pid
!includedir /etc/my.cnf.d
接下来,我测试了一下3306端口是开放的在DBSERVER:
[[email protected] mysql]# telnet dbserver 3306
Connected to dbserver.
Escape character is '^]'.
R
5.5.52-MariaDB
接下来我查了MariaDB的(MySQL的)SSL变量DBSERVER:
MariaDB [(none)]> show variables like '%ssl%';
+---------------+------------------------------------------+
| Variable_name | Value |
+---------------+------------------------------------------+
| have_openssl | YES |
| have_ssl | YES |
| ssl_ca | /etc/pki/tls/certs/mysql/ca-cert.pem |
| ssl_capath | |
| ssl_cert | /etc/pki/tls/certs/mysql/server-cert.pem |
| ssl_cipher | |
| ssl_key | /etc/pki/tls/certs/mysql/server-key.pem |
+---------------+------------------------------------------+
接下来我查了appclient MariaDB的(MySQL的)SSL变量:
MariaDB [(none)]> show variables LIKE '%ssl%';
+---------------+----------+
| Variable_name | Value |
+---------------+----------+
| have_openssl | DISABLED |
| have_ssl | DISABLED |
| ssl_ca | |
| ssl_capath | |
| ssl_cert | |
| ssl_cipher | |
| ssl_key | |
+---------------+----------+
7 rows in set (0.00 sec)
看起来像问题的开始/源。
如果我尝试从appclient反正连接到DBSERVER:
[[email protected] mysql]# mysql -h dbserver -u ssluser -p
Enter password:
ERROR 2026 (HY000): SSL connection error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
没有布埃诺。
检查appclient的证书与OpenSSL的...
[[email protected] mysql]# cd /etc/pki/tls/certs/mysql/
[[email protected] mysql]# openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem
Error opening certificate file server-cert.pem
139864320337824:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('server-cert.pem','r')
139864320337824:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load certificate
client-cert.pem: OK
踢,我跑了相同的OpenSSL测试上DBSERVER:
[[email protected] mysql]# openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem
server-cert.pem: C = XX, ST = XX, L = CityName, O = MyOrganization, OU = MyGroup, CN = dbserver
error 18 at 0 depth lookup:self signed certificate
OK
client-cert.pem: OK
教程只提到复制ca-cert.pem
,client-cert.pem
和client-key.pem
给客户端,但上面的失败指向客户端上丢失的server-cert.pem
。
我是否需要在客户端上创建服务器 - *。pem文件?如果是这样,那么这些文件会在/etc/my.cnf
文件中出现在哪里?
这是一个自签名证书吗?由于openssl告诉你证书验证失败,这表明你用来签署证书的权限应该被添加到你正在运行的操作系统上。我不知道是否有一个标志禁止验证证书,但也许有一些Google在这方面可以帮助? –
它是自签名的。所有证书都是在每个文档的dbserver上生成的。请注意,openssl由于缺少'server-cert.pem'而未能通过测试,本教程未对其进行描述或解决。这是我坚持的部分。 –
'cat server-cert.pem client-cert.pem> ca.pem'取得了一些进展,然后更新appclient的my.cnf以使用'ssl-ca = ca.pem'。而不是SSL错误,我得到一个身份验证错误。 –