Hi, I'm trying to use this plugin 'check_mysql_avs' with a mysql server 
(vdecmdb-as-01.sys.comcast.net) that is using TLS connections.  With newer 
versions of mysql (I'm using Percona 5.7.19-log) there's a setting called 
'require_secure_transport' which, when set, prevents users from logging in unless they can 
connect using TLS.  The user I'm testing with nagios@'op5%sys.comcast.net' has 
'require ssl' in its configuration.   I've been trying to get this check 
working (see below).  I think that the certificate files need to be on the OP5 
servers for it to work.  Is there a way to register them with the OP5 servers?  
The mysql server does have the certificate registered.

Here's something that is odd and you'll find blogs on this out there that 
discuss this (see link 
https://www.percona.com/blog/2017/06/27/ssl-connections-in-mysql-5-7/).  I can 
connect from another host with this command without providing the certificate 
information and a connection will be created and will be encrypted. I'm 
wondering if you were to update the mysql client software on the OP5 servers 
that might solve the issue?  I'm guessing that the script is written in Perl or 
Python so perhaps updating those RPM(s) may solve it too?  I'd be willing to 
test with you if you'd like.

-sh-4.2$ hostname
vdecmdbwst-ho-a2p.sys.comcast.net
-sh-4.2$ mysql -h vdecmdb-as-01.sys.comcast.net -u nagios -pN3gi0spswd\)

OP5 check definition
nagios!N3gi0spswd\)!streamer -l --ca-cert=/db/data/CA_NSO_2010.crt 
--cert=/db/data/vde_cmdb_east.crt --key=/db/data/vde_cmdb_east.key

output
  on
_USER1_/check_mysql -H 10.146.0.137 -u nagios -p N3gi0spswd\) -d streamer -l 
--ca-cert=/db/data/CA_NSO_2010.crt --cert=/db/data/vde_cmdb_east.crt 
--key=/db/data/vde_cmdb_east.key
Result code: CRITICAL
SSL connection error

Mysql server
mysql> show global variables like "%ssl%";
+---------------+----------------------------+
| Variable_name | Value                      |
+---------------+----------------------------+
| have_openssl  | YES                        |
| have_ssl      | YES                        |
| ssl_ca        | /db/data/CA_NSO_2010.crt   |
| ssl_capath    |                            |
| ssl_cert      | /db/data/vde_cmdb_east.crt |
| ssl_cipher    |                            |
| ssl_crl       |                            |
| ssl_crlpath   |                            |
| ssl_key       | /db/data/vde_cmdb_east.key |
+---------------+----------------------------+
9 rows in set (0.00 sec)

Grant Edmunds
MySQL DBA
CVPI - Core Video Platform Integration
303 712-3239
grant_edmu...@comcast.com
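
An added example, not part of the original message and not OP5 or plugin code: a Python preflight to run on the monitoring host, confirming that the files named by `--ca-cert`, `--cert` and `--key` in the check definition exist there, are readable, and load as PEM before the plugin attempts a handshake. The function names `tls_paths` and `preflight` are hypothetical, and it assumes each of those three options takes a file path.

```python
import os
import shlex
import ssl

# Options in the check definition that point at PEM files on the local host.
FILE_OPTS = ("--ca-cert", "--cert", "--key")

def tls_paths(check_args):
    """Return {option: path} for the TLS file options in a check argument string."""
    found, tokens = {}, shlex.split(check_args)
    for i, tok in enumerate(tokens):
        name, sep, value = tok.partition("=")
        if name in FILE_OPTS:
            if not sep and i + 1 < len(tokens):   # "--cert PATH" form
                value = tokens[i + 1]
            found[name] = value
    return found

def preflight(check_args):
    """List problems that stop a TLS handshake before it starts on this host."""
    paths, problems = tls_paths(check_args), []
    for opt, path in paths.items():
        if not os.path.isfile(path):
            problems.append(f"{opt}: {path} does not exist on this host")
        elif not os.access(path, os.R_OK):
            problems.append(f"{opt}: {path} is not readable by uid {os.getuid()}")
    if problems:
        return problems
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        if "--ca-cert" in paths:
            ctx.load_verify_locations(cafile=paths["--ca-cert"])
    except OSError as exc:   # ssl.SSLError is a subclass of OSError
        problems.append(f"--ca-cert: not a usable PEM CA file ({exc})")
    try:
        if "--cert" in paths and "--key" in paths:
            ctx.load_cert_chain(paths["--cert"], paths["--key"])
    except OSError as exc:
        problems.append(f"--cert/--key: do not load as a pair ({exc})")
    return problems

if __name__ == "__main__":
    # Constructed input: the TLS options of the check definition quoted in the post.
    ARGS = ("-l --ca-cert=/db/data/CA_NSO_2010.crt "
            "--cert=/db/data/vde_cmdb_east.crt --key=/db/data/vde_cmdb_east.key")
    for line in preflight(ARGS) or ["TLS files present and loadable"]:
        print(line)
```

For an account created with REQUIRE SSL, MySQL requires an encrypted connection but not a client certificate, so the server's private key does not need to be copied to the monitoring host for that requirement alone.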
