MYSQLi and ssl connection to db server

Question

I have some odd problem with establishing ssl connection using php. I have web and database server. On both I have generated certificates through openssl. They are exactly the same.

So I'm trying to connect from webserver using mysql command:

mysql -h 10.1.1.1 -uroot -p
Password
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 71
Server version: 5.5.5-10.1.19-MariaDB MariaDB Server

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

So now I want to see if it is really ssl:

mysql> status;
--------------
mysql  Ver 14.14 Distrib 5.6.33, for Linux (x86_64) using  EditLine wrapper

Connection id:          71
Current database:
Current user:           root@10.1.1.2
SSL:                    Cipher in use is DHE-RSA-AES256-SHA
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server version:         5.5.5-10.1.19-MariaDB MariaDB Server
Protocol version:       10
Connection:             10.1.1.1 via TCP/IP
Server characterset:    latin1
Db     characterset:    latin1
Client characterset:    utf8
Conn.  characterset:    utf8
TCP port:               3306
Uptime:                 1 hour 6 min 51 sec

Threads: 1  Questions: 153  Slow queries: 0  Opens: 21  Flush tables: 1  Open tables: 15  Queries per second avg: 0.038
--------------

mysql>

So I see that connection is established. I wrote some php script to connect to my database:

<?php
ini_set ('error_reporting', E_ALL);
ini_set ('display_errors', '1');
error_reporting (E_ALL|E_STRICT);

$db = mysqli_init();
mysqli_options ($db, MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);

$db->ssl_set('/etc/mysql/newcerts/client-key-rsa.pem', '/etc/mysql/newcerts/client-cert.pem', '/etc/mysql/newcerts/ca-cert.pem', NULL, NULL);
$link = mysqli_real_connect ($db, '10.1.1.1', 'root', 'xxxxxx', 'mysql', 3306, NULL, MYSQLI_CLIENT_SSL);
if (!$link)
{
    die ('Connect error (' . mysqli_connect_errno() . '): ' . mysqli_connect_error() . "\n");
} else {
    $res = $db->query('SHOW TABLES;');
    print_r ($res);
    $db->close();
}
?>

But now when i'm running this script on my webserver I'm getting this error:

[root@web-01 config]# php test.php

Warning: mysqli_real_connect(): Unable to locate peer certificate CN in /home/extranet/app/config/test.php on line 10

Warning: mysqli_real_connect(): Cannot connect to MySQL by using SSL in /home/extranet/app/config/test.php on line 10

Warning: mysqli_real_connect(): [2002]  (trying to connect via tcp://10.1.1.1:3306) in /home/extranet/app/config/test.php on line 10

Warning: mysqli_real_connect(): (HY000/2002):  in /home/extranet/app/config/test.php on line 10
Connect error (2002):

This is so odd. I've tried mysql_connet() and it works...

Any ideas ??

I'm using PHP 5.6.25

EDIT: Of course I have as well added lines to my webserver .my.cnf file:

[client]
port=3306
ssl-ca=/etc/mysql/newcerts/ca-cert.pem
ssl-cert=/etc/mysql/newcerts/client-cert.pem
ssl-key=/etc/mysql/newcerts/client-key-rsa.pem

This works fine as well from webserver command line:

mysql -h 10.1.1.1 -u root --password \
    --ssl \
    --ssl-ca /etc/mysql/newcerts/ca-cert.pem \
    --ssl-cert /etc/mysql/newcerts/client-cert.pem \
    --ssl-key /etc/mysql/newcerts/client-key-rsa.pem \

Cert user/group/permissions

[root@web-01 newcerts]# ls -alZ
drwxr-xr-x root root ?                                .
drwxr-xr-x root root ?                                ..
-rw-r--r-- root root ?                                ca-cert.pem
-rw-r--r-- root root ?                                ca-key.pem
-rw-r--r-- root root ?                                client-cert.pem
-rw-r--r-- root root ?                                client-key.pem
-rw-r--r-- root root ?                                client-key-rsa.pem
-rw-r--r-- root root ?                                client-req.pem
-rw-r--r-- root root ?                                server-cert.pem
-rw-r--r-- root root ?                                server-key.pem
-rw-r--r-- root root ?                                server-req.pem

SELinux is disabled:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Answer 1

I also was facing same error I did below tweets and worked for me.

$link = mysqli_real_connect ($db, '10.1.1.1', 'root', 'xxxxxx', 'mysql', 3306, NULL, MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT);

Answer 2

Using PHP 7.1 (The server CN name different IP address. I connecting IP address...), this code seem to work:

<?php
ini_set ('error_reporting', E_ALL);
ini_set ('display_errors', '1');
error_reporting (E_ALL|E_STRICT);
$db = mysqli_init();
mysqli_options ($db, MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);
$db->ssl_set('client-key.pem', 'client-cert.pem', 'ca-cert.pem', NULL, NULL);
if (!mysqli_real_connect($db, 'serverip', 'user', 'userpass', 'databbasename', serverportonlynumbernoapostro, NULL, MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT))
{
die("Connect Error: " . mysqli_connect_error());
}
?>

In my example: certs folder = PHP file