
I need to configure SSL for a MySQL server. I've read all of the directions for doing self-signed certs, but it's preferred that I sign and use the certs from a different CA running AD Certificate Services. Is this a possibility? I've generated the private key and CSR using openssl on both the MySQL server and client (both CentOS). When I try to use the certs I get back from the CA, though, I get:

"ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)"

I know I have my configs correct because if I do self-signed server/client certs using only openssl it works just fine and I can see the Cipher is enabled. Has anybody attempted this that can help me out? I don't know if I just need to change the template settings in AD Cert Services or what... I'm not very familiar with it, I'm mostly a Linux guy. I'm running Percona's version of MySQL 5.6.

Thanks in advance!

user165222
  • Are the common names the same (i.e., does the common name of the CA certificate match the cert you installed?). If so, there's your problem. https://dev.mysql.com/doc/refman/5.0/en/creating-ssl-certs.html – Nathan C Apr 24 '14 at 15:24
  • Nope. The CN is different on all 3 (CA, server, client). – user165222 Apr 24 '14 at 16:22
  • Also, I noticed that if I do an openssl verify using the CA, client and server certs everything checks out as ok... – user165222 Apr 24 '14 at 18:02
  • Is this a local connection (i.e., app is accessing mysql through localhost)? – Nathan C Apr 24 '14 at 18:05
  • Nope, the client is a separate host. – user165222 Apr 24 '14 at 20:02
  • Another thing I'm noticing is that I can set up an openssl server and client (openssl s_server and s_client) using my certs and the connection works just fine. Only with MySQL are there problems. – user165222 Apr 25 '14 at 15:06
  • Is your CA certificate trusted by the host too? – Nathan C Apr 25 '14 at 16:09
  • It is. I recently gave up and just created my own CA with OpenSSL. It isn't preferable but it still gets the job done. – user165222 Apr 28 '14 at 19:38

0 Answers