 

mysql --ssl-verify-server-cert=true is returning "SSL certificate validation failure"

While trying to set up MySQL over SSL on RHEL6, I'm facing an error any time I ask the mysql client to verify the self-signed certs:

mysql --ssl-ca=/tmp/newcerts/ca.pem \
 --ssl-cert=/tmp/newcerts/client-cert.pem \
 --ssl-key=/tmp/newcerts/client-key.pem \
 -h IP.IP.IP.IP -u USER -p \
 --ssl-verify-server-cert=true

ERROR 2026 (HY000): SSL connection error: SSL certificate validation failure

In the case where I set --ssl-verify-server-cert=false, mysql does not verify the self-signed certs and starts the secure connection.

I've used the MySQL how-to article to create my self-signed certificates: https://dev.mysql.com/doc/refman/5.6/en/creating-ssl-files-using-openssl.html, and the openssl verify command returns:

openssl verify -CAfile ca.pem server-cert.pem client-cert.pem

server-cert.pem: OK
client-cert.pem: OK

ca.pem, client-cert.pem and server-cert.pem have each been created with a different Common Name: Node1 for ca.pem, Node2 for client-cert.pem, Node3 for server-cert.pem.

Parameters loaded into MySQL at startup:

ssl-ca=/tmp/newcerts/ca.pem
ssl-cert=/tmp/newcerts/server-cert.pem
ssl-key=/tmp/newcerts/server-key.pem

Then I added ca.pem to the server by following these steps for RHEL6:

update-ca-trust force-enable
cp /tmp/newcerts/ca.pem /etc/pki/ca-trust/source/anchors/
update-ca-trust extract

I'm guessing that with a proper cert verified by a trusted third party I would not have this error, but I need to verify that it works with a self-signed cert.

I'm running out of ideas to get this working. Has someone already faced a similar issue?

Alexandre Roux asked Oct 15 '25 21:10



1 Answer

In my case (and for a self-signed certificate) the solution was:

  • No need to add ca.pem to the trusted root certificates
  • Need to set the CN of the server-cert.pem as the mysqlserverhostname
  • Make sure to resolve mysqlserverhostname from your client
  • Replace -h IP.IP.IP.IP -u USER -p with -h mysqlserverhostname -u USER -p

My error was to follow the MySQL doc instructions, where the quote "To generate test files, you can press Enter to all prompts" seems incorrect: I had to set the CN of server-cert.pem to the mysqlserverhostname to resolve the issue.

Alexandre Roux answered Oct 17 '25 11:10

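Why the "press Enter to all prompts" certificate fails --ssl-verify-server-cert, shown as an added example that is not part of the question or answer: a stand-alone Python reimplementation of the host identity rules a TLS client applies to the server certificate (DNS/IP subjectAltName first, the CN only as a legacy fallback when no SAN exists), run over constructed dicts in the shape Python's ssl.getpeercert() returns. The name mysqlserverhostname is the answer's placeholder and 192.0.2.10 is a constructed documentation address.

```python
import ipaddress

# Constructed samples in the shape ssl.getpeercert() returns: the first is a
# server cert made by pressing Enter at every prompt (CN=Node3, no SAN), the
# second was issued for the real server name plus its (constructed) IP.
CERT_DEFAULT_CN = {"subject": ((("commonName", "Node3"),),)}
CERT_FOR_HOST = {
    "subject": ((("commonName", "mysqlserverhostname"),),),
    "subjectAltName": (("DNS", "mysqlserverhostname"), ("IP Address", "192.0.2.10")),
}

def dns_match(pattern, hostname):
    """Case-insensitive DNS-ID match; '*' is allowed only as the whole left-most
    label, needs at least two labels after it, and matches exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels, hlabels = pattern.split("."), hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]

def cert_matches_host(cert, host):
    """Return (ok, reason): does the peer cert identify the host we dialled?"""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    sans = cert.get("subjectAltName", ())
    if ip is not None:
        # An IP literal (as in `-h IP.IP.IP.IP`) is compared only against
        # IP Address SANs; the CN is never consulted for it.
        if any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in sans):
            return True, "matched IP SAN"
        return False, "no IP Address SAN for %s; CN is ignored for IP literals" % host
    dns_names = [v for k, v in sans if k == "DNS"]
    if dns_names:
        # Once any DNS SAN is present the CN is ignored entirely.
        if any(dns_match(p, host) for p in dns_names):
            return True, "matched DNS SAN"
        return False, "%s not among DNS SANs %s" % (host, dns_names)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if any(dns_match(c, host) for c in cns):
        return True, "matched CN (legacy fallback, no SAN present)"
    return False, "CN %s does not match host %s" % (cns, host)
```

With CERT_DEFAULT_CN the check fails both for `-h 192.0.2.10` (no IP SAN, and the CN is never used for IP literals) and for `-h mysqlserverhostname` (CN Node3 does not match), which is exactly the pair of failures the question reports.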


