[Bug 1890611] Re: Client cannot connect to remote mysql-server when the latter is configured with ssl parameters using a public CA
[Expired for mysql-8.0 (Ubuntu) because there has been no activity for 60 days.]

** Changed in: mysql-8.0 (Ubuntu)
       Status: Incomplete => Expired

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1890611

Title:
  Client cannot connect to remote mysql-server when the latter is configured with ssl parameters using a public CA

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mysql-8.0/+bug/1890611/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1890611] Re: Client cannot connect to remote mysql-server when the latter is configured with ssl parameters using a public CA
Same issue with mysql-server 8.0.21-1 on groovy.
[Bug 1890611] Re: Client cannot connect to remote mysql-server when the latter is configured with ssl parameters using a public CA
Hi Jean-Christophe,

Sorry for this back and forth, I tried again to reproduce what you mentioned but with a self-signed CA (like Rafael did in the first comment) and it worked like a charm.

Before you say this is not the same scenario you are facing, as far as I can see you are reporting a problem when setting the ssl parameters (if the logs are saying "CA certificate ca.pem is self signed" it is because it is likely not reading the files from your Let's Encrypt directory). In this case it does not matter if it's a private or public CA. If you can confirm it is reading your Let's Encrypt files and it is reporting that the certificate is self signed, share the logs and config files here and it will likely be an upstream issue.

You might be tired of us asking for reproduction steps but there is no way around that, we can't reproduce your problem. Try to add as many details as you can, for instance, create a new container/VM of Ubuntu Focal/Groovy, install mysql-server, run command X, edit these files adding this content, restart mysql service and so on.

I am marking this bug again as Incomplete, when you have more input for us please change the status back to New.

** Changed in: mysql-8.0 (Ubuntu)
       Status: New => Incomplete
[Bug 1890611] Re: Client cannot connect to remote mysql-server when the latter is configured with ssl parameters using a public CA
Sorry: I have inadvertently tested with a port matching another service (853 instead of 3306), so my previous post must be ignored.

This issue is still there, even on groovy.

Let me answer your questions again:

0) With a service answering correctly to TLS connection requests, we get with a wildcard server certificate:

    ...
    SSL_connect:SSLv3/TLS write finished
    ---
    Certificate chain
     0 s:CN = *.domain
       i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    -BEGIN CERTIFICATE-

As my first post shows, there is an initial error in the connection preventing openssl from showing the CA used or the server certificate:

    ...
    SSL_connect:error in error
    139858538362176:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:
    ---
    no peer certificate available
    ---

1) The full SSL configuration (besides the 3 parameters already described in my first post) also includes the following parameters, which are IMHO not relevant because this issue still happens if I remove them:

    ssl-cipher=...
    tls-version=...
    require_secure_transport=ON

2) You don't seem to understand this issue. The client doesn't need special configuration, other than at least one matching cipher and required TLS version if they are specified on the server side.

3) I have already tried that: same issue.
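An added illustration, not part of the original message and not code from MySQL or Ubuntu: OpenSSL reports "wrong version number" when the first bytes it reads are not a TLS record, and a MySQL server opens every connection with a plaintext greeting before any TLS upgrade. The Python below classifies the first bytes read from a port; the function names and the sample greeting are constructed for this example.

```python
import struct

CLIENT_SSL = 0x0800  # MySQL capability flag: server supports the in-protocol TLS upgrade
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}  # change_cipher_spec, alert, handshake, app data

def parse_handshake_v10(payload: bytes) -> dict:
    """Pull the server version and the CLIENT_SSL bit out of a HandshakeV10 payload."""
    end = payload.find(b"\x00", 1)           # server version is NUL-terminated
    if end < 0:
        return {"kind": "unknown"}
    info = {"kind": "mysql-handshake",
            "server_version": payload[1:end].decode("ascii", "replace"),
            "offers_tls": None}
    pos = end + 1 + 4 + 8 + 1                # skip thread id, auth data part 1, filler
    if len(payload) >= pos + 2:
        caps_low = struct.unpack_from("<H", payload, pos)[0]
        info["offers_tls"] = bool(caps_low & CLIENT_SSL)
    return info

def classify_first_bytes(data: bytes) -> dict:
    """Say whether the first bytes read from a port are TLS, a MySQL greeting, or neither."""
    if len(data) >= 5 and data[0] in TLS_CONTENT_TYPES and data[1] == 0x03:
        return {"kind": "tls-record", "content_type": data[0]}
    if len(data) >= 5:
        # MySQL packet header: 3-byte little-endian payload length + 1-byte sequence id.
        # Read as a TLS record header, bytes 1-2 (high length bytes, zero for a short
        # greeting) are not a TLS version: OpenSSL reports "wrong version number".
        length = int.from_bytes(data[:3], "little")
        if data[3] == 0 and data[4] == 0x0A:  # first packet, protocol version 10
            return parse_handshake_v10(data[4:4 + length])
    return {"kind": "unknown"}

def build_sample_greeting(version: bytes = b"8.0.21-0ubuntu4", caps_low: int = 0xFFFF) -> bytes:
    """Constructed sample greeting (not captured traffic), truncated after the capability flags."""
    payload = (b"\x0a" + version + b"\x00" + struct.pack("<I", 42)
               + b"A" * 8 + b"\x00" + struct.pack("<H", caps_low))
    return len(payload).to_bytes(3, "little") + b"\x00" + payload

if __name__ == "__main__":
    print(classify_first_bytes(build_sample_greeting()))
    print(classify_first_bytes(bytes.fromhex("160303007a02")))  # start of a TLS handshake record
```

With OpenSSL 1.1.1 or later, `openssl s_client -starttls mysql -connect host:3306` performs the MySQL in-protocol upgrade before starting the TLS handshake.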
[Bug 1890611] Re: Client cannot connect to remote mysql-server when the latter is configured with ssl parameters using a public CA
** Changed in: mysql-8.0 (Ubuntu)
       Status: Fix Released => New
[Bug 1890611] Re: Client cannot connect to remote mysql-server when the latter is configured with ssl parameters using a public CA
1. already shared in my first post

2. You don't seem to understand this issue. Not a problem, because in the meantime, I have upgraded to groovy with:

    mysql-server-8.0:
      Installed: 8.0.21-0ubuntu4

Now I get:

    ...
    SSL_connect:SSLv3/TLS write finished
    ---
    Certificate chain
     0 s:CN = *.domain
       i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    -BEGIN CERTIFICATE-

This issue has been solved on groovy.

FYI, the systemd service continues to show an incorrect warning:

    [Warning] [MY-010068] [Server] CA certificate ca.pem is self signed

** Changed in: mysql-8.0 (Ubuntu)
       Status: Incomplete => Fix Released
[Bug 1890611] Re: Client cannot connect to remote mysql-server when the latter is configured with ssl parameters using a public CA
Hi,

I'd say that the problem is with mysqld using a different CA certificate from the one specified by the ssl-ca option. I doubt it's the letsencrypt certificate the one being used, correct me if I'm wrong (you can check with e.g. `openssl s_client`).

Could you please:

1. share the ssl config snippet from mysql.cnf?

2. confirm that you don't need the client part to reproduce the problem, as the "CA is self-signed" message is a mysqld log message that is printed before any connection attempt? This is mostly to verify that I correctly understood the problem.

3. Set ssl-capath to /etc/ssl/lets_encrypt/ and see if it behaves differently?

Please change the report status back to New after commenting back. Thanks!

** Changed in: mysql-8.0 (Ubuntu)
       Status: New => Incomplete
[Bug 1890611] Re: Client cannot connect to remote mysql-server when the latter is configured with ssl parameters using a public CA
I suggest you try to configure your mysql-server with SSL parameters using a public CA, since this is the use case of this issue.

** Changed in: mysql-8.0 (Ubuntu)
       Status: Incomplete => New
[Bug 1890611] Re: Client cannot connect to remote mysql-server when the latter is configured with ssl parameters using a public CA
I changed the title to better reflect the core issue of this thread.

** Summary changed:

- mysql-server does not take into account configured ssl parameters
+ Client cannot connect to remote mysql-server when the latter is configured with ssl parameters using a public CA