MySQL Forums

client auth with lets encrypt certs
Posted by: rob thijssen
Date: August 14, 2023 07:04AM

i run ops for a few dev teams. because our servers must be publicly accessible and because they are under constant exploit attempts, we prefer to use strong (elliptic curve) tls client and server auth with real (rather than self-signed) certs, which regularly expire and are renewed, for db connections and for replication between source and replicas.

mongodb support for this use case is pretty straightforward and our mongo servers have always been configured this way.

postgresql support seems like an afterthought but is doable with a fair bit of configuration tinkering. we've had this working for a few months.

i've spent a week trying to coerce mysql to work this way and so far, no joy.

i did discover:
- ca.pem needs to contain all intermediaries (everything in le's fullchain.pem + dst-root-x3, something le doesn't make it easy for you to find, but we'd already jumped through those hoops for our other infra)
- cert.pem and privkey.pem need nothing added or removed.

starting the mysql service with the following config works:
```
[mysqld]
require_secure_transport=ON
ssl_ca=/var/lib/mysql/lets-encrypt-ca.pem
ssl_cert=/var/lib/mysql/lets-encrypt-cert.pem
ssl_key=/var/lib/mysql/lets-encrypt-key.pem
#ssl_cipher=TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
tls_version=TLSv1.3
```
client users are created like so:
```
CREATE USER 'foo'@'abc.example.com' REQUIRE SUBJECT 'CN=abc.example.com' AND ISSUER 'C=US,O=Let\'s Encrypt,CN=R3';
```
i've also tried:
```
CREATE USER 'foo'@'%' REQUIRE SUBJECT 'CN=abc.example.com' AND ISSUER 'C=US,O=Let\'s Encrypt,CN=R3';
```
however no clients are able to authenticate (clients also have le certs) and an error is shown client-side which reads:
```
access denied for user 'foo'@'ip address' (using password: no)
```

server-side the error log shows:
```
[Warning] [MY-010055] [Server] IP address 'ip address' could not be resolved: Name or service not known
```

some research suggested that the ssl_cipher should be set, but uncommenting that line in the .cnf file causes the server to ignore all ssl settings and run without ssl.

any example of a working client and server tls auth implementation that uses a real cert rather than a self signed one, would be greatly appreciated.

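The MySQL reference manual writes `REQUIRE SUBJECT` and `REQUIRE ISSUER` values in OpenSSL's slash-separated one-line form (`/C=.../O=.../CN=...`), which is a different string from the comma-separated form used in the statements above. The following is an added example, not part of the original post: it converts a line of `openssl x509 -noout -subject` or `-issuer` output into the slash form and builds the `CREATE USER` statement. The function names are hypothetical, the sample lines are constructed, and ASCII values with single-valued RDNs are assumed.

```python
import re

def split_dn(text):
    """Split a comma-separated DN, honouring "quoted" values and backslash escapes."""
    parts, buf, quoted, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == '"':
            quoted = not quoted      # quotes delimit a value, they are not part of it
        elif ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts

def to_mysql_dn(line):
    """Return the DN as /ATTR=value/ATTR=value, keeping the certificate's attribute order."""
    text = re.sub(r"^\s*(subject|issuer)\s*=\s*", "", line.strip())
    if text.startswith("/"):
        return text                  # older OpenSSL already prints the slash form
    rdns = []
    for part in split_dn(text):
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"not an attribute=value pair: {part!r}")
        rdns.append(f"/{attr.strip()}={value.strip()}")
    return "".join(rdns)

def sql_quote(value):
    """Quote a MySQL string literal (default sql_mode: backslash is an escape character)."""
    return "'" + value.replace("\\", "\\\\").replace("'", "''") + "'"

def create_user_sql(user, host, subject_line, issuer_line):
    return (f"CREATE USER {sql_quote(user)}@{sql_quote(host)} "
            f"REQUIRE SUBJECT {sql_quote(to_mysql_dn(subject_line))} "
            f"AND ISSUER {sql_quote(to_mysql_dn(issuer_line))};")

if __name__ == "__main__":
    # Constructed sample lines in the format printed by OpenSSL 1.1.1 and later.
    print(create_user_sql("foo", "abc.example.com",
                          "subject=CN = abc.example.com",
                          "issuer=C = US, O = Let's Encrypt, CN = R3"))
```

Run it against the subject and issuer lines of the certificate each client actually presents, since an issuer pinned this way stops matching when the CA issues renewals from a different intermediate.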