Related

Product Now Available: Managed MySQL Databases Product
Managed MySQL, Redis, Postgres on DigitalOcean Product
Why are snapshots so slow Question Question
Connect to DB installed into dedicated VPS (private networking) Question Question

Question

SSL Client key & certificate for managed MySql database

Posted January 5, 2020 1.5k views
MySQLSecurityDigitalOceanDatabases

Various tutorials state 3 files are needed to connect a MySQL client over SSL:

  • CA certificate
  • Client certificate
  • Client key

(for example in: https://www.digitalocean.com/community/tutorials/how-to-configure-ssl-tls-for-mysql-on-ubuntu-18-04)

In the overview of my DigitalOcean managed database I’m able to download the CA certificate. Do I need the other two files as well?

My problem: on my Mac I’m able to connect over SSL using Table Plus. However on Windows I always get a SSL invalid error (in both Table Plus and MySQL Workbench)

What can I do to connect on Windows? Thanks!

Add a comment
bart8769261ebbd5ac990ff3e2
By:
bart8769261ebbd5ac990ff3e2
Add a comment

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
4 answers
alexdo January 7, 2020

Hello, @bart8769261ebbd5ac990ff3e2

The server’s certificate and key pair are enough to provide encryption for incoming connections. You need to have the ssl key and certificate in order to connect to the database.

However, you aren’t yet fully leveraging the trust relationship that a certificate authority can provide. By distributing the CA certificate to clients — as well as the client certificate and key — both parties can provide proof that their certificates were signed by a mutually trusted certificate authority. This can help prevent spoofed connections from malicious servers.

In order to implement this extra, optional safeguard, we will transfer the appropriate SSL files to the client machine, create a client configuration file, and alter the remote MySQL user to require a trusted certificate.

In MySQL Workbench you can import the SSL files in the SSL Configuration - Setting SSL tab and simply upload the SSL KEY, SSL CERT and the SSL CA CERT files.

Let me know how it goes.

Regards,
Alex

Reply Report
jgutierrezCoral May 6, 2020

Hi @bart8769261ebbd5ac990ff3e2 did you find a solution for this issue? We are having exactly the same problem.

Reply Report
  • bart8769261ebbd5ac990ff3e2 May 20, 2020

    We did not solve this specific problem, however we did find a work-around, or even a better solution :)

    We are using a SSH tunnel to connect securely to the DO database server. You basically connect to one of your droplets using SSH, and then login to the database using the private network login credentials. This also worked with TablePlus on Windows.

    We use one of our development droplets for this. Also, this allowed us to disable the external access to the DO database completely. Plus you can than easily use a VPN service without adding your new IP address to the DO whitelist.

    Reply Report
mpaccione1991 May 14, 2020

Same problem as well… nowhere does it say where the SSL Key or SSL Cert is. Only the CA Cert is available for download.

The managed database is seperate of the droplet afaik. This is really lacking in directions and help in the UI.

Reply Report
olajonathanaina June 23, 2020

Hello, I am having the same issue here, I need to connect via google jdbc and it’s requesting for client key and client certificate. Where do we get these from, please? The UI is not helpful at all.

Reply Report
Submit an Answer

Related

Looking for something else?

Ask a new question Search for more help