Question

Cannot set up SSL for MySQL using only DO-provided CA certificate

I’m having a lot of trouble successfully setting up connections to the MySQL managed databases, and finding the usually very informative DO documentation and tutorials lacking in details.

The documentation notes that SSL connections are required to connect, and that you will need the provided CA certificate, a client certificate, and a client key to successfully establish SSL connections.

Via CLI

I’m able to remotely connect via CLI, and conduct all database options, import dumpfiles, drop databases, etc., without setting up any SSL settings. The connection string works whether or not I specify ssl-mode=required and without any reference to the certificate and keys which are supposed to be necessary.

Via Django

However, when trying to set up an existing Django project to connect to the managed database the connection is completely unsuccessful. The error message always indicates that it is unable to successfully establish an SSL connection - different from the CLI results.

Various sources have indicated how you can reference the necessary CA certificate, client certificate and client key to connect.

The cluster interface allows you to download the appropriate CA certificate only.

For generating the client certificate and key, DO’s documentation just points us to MySQL’s own docs for how to do this.

MySQL’s documentation (and a number of tutorials available on the web) all note that there are (2) methods possible:

  • use the mysql_ssl_rsa_setup utility, which only requires the CA certificate but which results in self-signed client certificates and keys, or
  • use openssl, which can generate client certificates signed with the CA certificate that the server is referencing, but only if you also have the server certificate and server key.

If I try to connect using the self-signed client certificates and keys, my connection is rejected and the cluster log references that they were self-signed, suggesting that you can’t use self-signed certificate and keys.

The alternate approach (openssl) is not available to me, as I don’t have access to the server’s certificate and key. DO’s own tutorial on doing so (for MySQL in general, not the managed databases) requires you to ssh into the server, which is not an option for the managed databases.

Any thoughts on how to proceed? I can set up a PostgreSQL managed database successfully, and connect immediately without any problems, but I would rather not go through the tedious process of converting a large number MySQL databases to PostgreSQL.

Show comments

Submit an answer

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Want to learn more? Join the DigitalOcean Community!

Join our DigitalOcean community of over a million developers for free! Get help and share knowledge in Q&A, subscribe to topics of interest, and get courses and tools that will help you grow as a developer and scale your project or business.

DigitalOcean gave me a clear answer on this problem whilst trying to get client certificates generated to connect Google Data Studio to thier managed MySQL:

“At the moment we only support MySQL 8 and It is not compatible with Google Data Studio.”

It’s unclear when or how they will support this.

Andre

This comment has been deleted