Related
Question
Question
Question
Cannot set up SSL for MySQL using only DO-provided CA certificate
I’m having a lot of trouble successfully setting up connections to the MySQL managed databases, and finding the usually very informative DO documentation and tutorials lacking in details.
The documentation notes that SSL connections are required to connect, and that you will need the provided CA certificate, a client certificate, and a client key to successfully establish SSL connections.
Via CLI
I’m able to remotely connect via CLI, and conduct all database options, import dumpfiles, drop databases, etc., without setting up any SSL settings. The connection string works whether or not I specify ssl-mode=required and without any reference to the certificate and keys which are supposed to be necessary.
Via Django
However, when trying to set up an existing Django project to connect to the managed database the connection is completely unsuccessful. The error message always indicates that it is unable to successfully establish an SSL connection - different from the CLI results.
Various sources have indicated how you can reference the necessary CA certificate, client certificate and client key to connect.
The cluster interface allows you to download the appropriate CA certificate only.
For generating the client certificate and key, DO’s documentation just points us to MySQL’s own docs for how to do this.
MySQL’s documentation (and a number of tutorials available on the web) all note that there are (2) methods possible:
- use the mysqlsslrsa_setup utility, which only requires the CA certificate but which results in self-signed client certificates and keys, or
- use openssl, which can generate client certificates signed with the CA certificate that the server is referencing, but only if you also have the server certificate and server key.
If I try to connect using the self-signed client certificates and keys, my connection is rejected and the cluster log references that they were self-signed, suggesting that you can’t use self-signed certificate and keys.
The alternate approach (openssl) is not available to me, as I don’t have access to the server’s certificate and key. DO’s own tutorial on doing so (for MySQL in general, not the managed databases) requires you to ssh into the server, which is not an option for the managed databases.
Any thoughts on how to proceed? I can set up a PostgreSQL managed database successfully, and connect immediately without any problems, but I would rather not go through the tedious process of converting a large number MySQL databases to PostgreSQL.
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
×
I’m hitting this issue as well, but with setting up a custom pgbouncer server against a managed postgres instance (needs custom settings that the default DO pgbouncer pools don’t offer). Using openssl, I need both the cert and the key in order to generate a certificate that will be accepted.