I have a wildcard cert issued from rapidssl, using CN=*.mydomain.com. I have a web server and a mysql db server. The certs are working fine for web site access. Now I want to enable ssl for my app to mysql. I've enabled ssl in the mysql server without issue:

+---------------+---------------------------------+
| Variable_name | Value                           |
+---------------+---------------------------------+
| have_openssl  | YES                             |
| have_ssl      | YES                             |

However, when I try to connect using the client/ssl, I get: ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)

This appears to be documented here: http://dev.mysql.com/doc/refman/5.5/en/creating-ssl-certs.html

It says I can't use the same CN for the certs. I don't understand how a wildcard cert can be used then. Does that mean I also have to purchase host specific certs just for the mysql connection?

I don't work with SSL very much so I'm finding it difficult figuring out how this is supposed to be set up. Any pointers, even obvious ones, will likely help at this stage.

Running: mysql Ver 15.1 Distrib 5.5.32-MariaDB, for debian-linux-gnu (x86_64) using readline 5.1 ubuntu 12.04

asked Dec 8, 2013 at 21:04

1

Make sure to use an absolute path to the ca-cert given for the --ssl-ca option.

Relative paths, or shell expansions (like ~) won't work and will produce ERROR 2026 (HY000): SSL connection error: ASN: bad other signature confirmation.

This isn't documented anywhere that I can see in the mysql man page, or in the SSL Command Options of the MySQL Manual (http://download.nust.na/pub6/mysql/doc/refman/5.1/en/ssl-options.html).

answered Jun 22, 2016 at 17:14

3

I have a similar issue. Apparently, from what I have read, all the binary (precompiled) versions of MySQL Community Edition (maybe the same applies to MariaDB) come bundled with yaSSL, not openSSL, and there are some limitations and restrictions from that library. According to the MySQL manual (https://dev.mysql.com/doc/refman/5.6/en/secure-connection-options.html):

"yaSSL does not look in any directory and does not follow a chained certificate tree. yaSSL requires that all components of the CA certificate tree be contained within a single CA certificate tree and that each certificate in the file has a unique SubjectName value. To work around this yaSSL limitation, concatenate the individual certificate files comprising the certificate tree into a new file and specify that file as the value of the --ssl-ca option".

If you want to check if your MySQL installation uses yaSSL or openSSL you can follow the steps in this forum (http://mysqlblog.fivefarmers.com/2013/05/14/how-to-tell-whether-mysql-server-uses-yassl-or-openssl/). It says to look at the status variable 'Rsa_public_key' with show status like '%rsa%'; if your MySQL installation comes with yaSSL the results must be empty because no such variable exists in distributions with yaSSL.

Another possible cause is that the hostname on your server doesn't match the subject of the server certificate (argument of the --ssl-cert parameter). To check that, compare the output of the command

shell> hostname

with the DNS subject in the server certificate. You can get it using the following command (look at the part where it says "X509v3 Subject Alternative Name:"):

shell> openssl x509 -in "your-server-certificate" -noout -text

If none of this works, you could see the following page: http://milcom.us/2012/11/02/encrypted-mysql-connections/

PS: English is not my native language, sorry for any grammatical error

Jan Bodnar


answered Mar 6, năm trước at 15:12

2
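The comparison this answer describes, the host name against the DNS entries under "X509v3 Subject Alternative Name", written out as an added example (not part of the original answer). It assumes the usual TLS wildcard rule, where "*" stands for exactly one left-most label; the certificate text in sample_cert_text is constructed and all function names are hypothetical.

```sh
#!/bin/sh
# Added example: does a certificate's SAN list cover the name a client dials?
# Real use: openssl x509 -in server-cert.pem -noout -text | cert_covers_host "$(hostname)"

# Constructed sample of `openssl x509 -noout -text` output (not a real certificate).
sample_cert_text() {
    cat <<'EOF'
        Subject: CN=*.mydomain.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:*.mydomain.com, DNS:mydomain.com
EOF
}

# Print the DNS entries of the SAN extension, one per line (text on stdin).
san_dns_names() {
    awk '/X509v3 Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Return 0 if certificate name $1 covers host $2, case-insensitively.
# A "*" counts only as the whole left-most label and matches one label.
name_covers_host() {
    pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $pattern in
        '*.'*)
            suffix=${pattern#?}      # "*.mydomain.com" -> ".mydomain.com"
            label=${host%%.*}        # left-most label of the host name
            [ -n "$label" ] && [ "$host" = "$label$suffix" ]
            ;;
        *) [ "$pattern" = "$host" ] ;;
    esac
}

# Return 0 if any SAN DNS entry in the certificate text on stdin covers host $1.
cert_covers_host() {
    san_dns_names | (
        while IFS= read -r name; do
            name_covers_host "$name" "$1" && exit 0
        done
        exit 1
    )
}
```

A short name such as "db", which is what the hostname command often prints, is not covered by *.mydomain.com; only a fully qualified name with one extra label is.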

I was having the following error:

[root@example ~]$ mysql
ERROR 2026 (HY000): SSL connection error

FIX that worked for me: Server and client "Common Name" in certificates must be different than CA's. After changing the CNs the error stopped; I verified the connection status:

mysql> status;
...
SSL: Cipher in use is DHE-RSA-AES256-SHA
...

Source:

"Important Whatever method you use to generate the certificate and key files, the Common Name value used for the server and client certificates/keys must each differ from the Common Name value used for the CA certificate. Otherwise, the certificate and key files will not work for servers compiled using OpenSSL."

http://dev.mysql.com/doc/refman/5.0/en/creating-ssl-certs.html

PS: I'm not using wildcard certificates and/or a third party CA, I'm creating my own signed certificates, which works OK for me: http://angelcool.net/sphpblog/comments.php?y=14&m=05&entry=entry140511-164525

answered May 12, năm trước at 1:05
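The fix in this answer as an added example (not the answer's own commands or the MySQL manual's): make_certs issues a CA, a server and a client certificate with OpenSSL, and check_certs rejects the set when a leaf's Common Name equals the CA's. The file names, the Common Name values passed in and the 365-day lifetime are assumptions, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not the answer's or the MySQL manual's commands. File names,
# Common Name values and the 365-day lifetime are assumptions.

# Print the Common Name of the certificate in file $1.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= //p'
}

# Write ca.pem plus server and client key/certificate pairs into directory $1,
# with Common Names $2 (CA), $3 (server) and $4 (client).
make_certs() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
        -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" 2>/dev/null
    for role in server client; do
        if [ "$role" = server ]; then cn=$3; else cn=$4; fi
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
            -keyout "$dir/$role-key.pem" -out "$dir/$role-req.pem" 2>/dev/null
        openssl x509 -req -in "$dir/$role-req.pem" -days 365 \
            -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
            -out "$dir/$role-cert.pem" 2>/dev/null
    done
}

# Return 0 only if both leaf CNs differ from the CA's CN and both leaves
# verify against ca.pem; otherwise print the reason and return 1.
check_certs() {
    dir=$1
    ca_cn=$(cert_cn "$dir/ca.pem")
    for role in server client; do
        if [ "$(cert_cn "$dir/$role-cert.pem")" = "$ca_cn" ]; then
            echo "$role certificate reuses the CA Common Name '$ca_cn'"
            return 1
        fi
        if ! openssl verify -CAfile "$dir/ca.pem" "$dir/$role-cert.pem" >/dev/null 2>&1; then
            echo "$role certificate does not verify against ca.pem"
            return 1
        fi
    done
}
```

When a leaf's whole subject equals the CA's subject, its issuer and subject fields are identical, so the leaf looks self-issued to the verifier.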

MySQL doesn't work with wildcard certificates. There are a number of deficiencies with MySQL and SSL.

See my post on Getting MySQL server to run with SSL (and also the post that I refer to therein).

answered May 12, năm trước at 1:48

I connect from CentOS-7 version of 5.6.29-76.2-log Percona Server and Client to CentOS-6 (Server version: 5.6.23-72.1-log Source distribution Percona), and also get this issue.

Adding this option will fix it:

--ssl-cipher=AES128-SHA

Maybe another ssl-cipher will also fix it.

answered Mar 21, 2016 at 2:13

3