MySQL and SSL connection failing ERROR 2026 (HY000)

Published 2020-05-27 02:41

Question:

I have a wildcard cert issued from rapidssl, using CN=*.mydomain.com. I have a web server and a mysql db server. The certs are working fine for web site access. Now I want to enable ssl for my app to mysql. I've enabled ssl in the mysql server without issue:

+---------------+---------------------------------+
| Variable_name | Value                           |
+---------------+---------------------------------+
| have_openssl  | YES                             |
| have_ssl      | YES                             |
+---------------+---------------------------------+

However, when I try to connect using the client/ssl, I get: ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)

This appears to be documented here: http://dev.mysql.com/doc/refman/5.5/en/creating-ssl-certs.html

It says I can't use the same CN for the certs. I don't understand how a wildcard cert can be used then. Does that mean I also have to purchase host specific certs just for the mysql connection?

I don't work with SSL very much so I'm finding it difficult figuring out how this is supposed to be set up. Any pointers, even obvious ones, will likely help at this stage.

Running: mysql Ver 15.1 Distrib 5.5.32-MariaDB, for debian-linux-gnu (x86_64) using readline 5.1, on Ubuntu 12.04

Answer 1:

Make sure to use an absolute path to the ca-cert given for the --ssl-ca option.

Relative paths or shell expansions (like ~) won't work and will produce ERROR 2026 (HY000): SSL connection error: ASN: bad other signature confirmation.

This isn't documented anywhere that I can see in the mysql man page, or in the SSL Command Options of the MySQL Manual (http://download.nust.na/pub6/mysql/doc/refman/5.1/en/ssl-options.html).



Answer 2:

I have a similar issue. Apparently, from what I have read, all the binary (precompiled) versions of MySQL Community Edition (maybe the same applies to MariaDB) come bundled with yaSSL, not OpenSSL, and that library has some limitations and restrictions. According to the MySQL manual (https://dev.mysql.com/doc/refman/5.6/en/secure-connection-options.html):

"yaSSL does not look in any directory and does not follow a chained certificate tree. yaSSL requires that all components of the CA certificate tree be contained within a single CA certificate tree and that each certificate in the file has a unique SubjectName value. To work around this yaSSL limitation, concatenate the individual certificate files comprising the certificate tree into a new file and specify that file as the value of the --ssl-ca option."

If you want to check whether your MySQL installation uses yaSSL or OpenSSL, you can follow the steps in this post (http://mysqlblog.fivefarmers.com/2013/05/14/how-to-tell-whether-mysql-server-uses-yassl-or-openssl/). It says to look at the status variable 'Rsa_public_key' with show status like '%rsa%'; if your MySQL installation comes with yaSSL the result must be empty, because no such variable exists in distributions built with yaSSL.

Another possible cause is that the hostname of your server doesn't match the subject of the server certificate (the argument of the --ssl-cert parameter). To check that, compare the output of the command

shell> hostname

with the DNS subject in the server certificate, which you can get with the following command (look at the part where it says "X509v3 Subject Alternative Name:"):

shell> openssl x509 -in "your-server-certificate" -noout -text

If none of this works, you could look at the following page: http://milcom.us/2012/11/02/encrypted-mysql-connections/

PS: English is not my native language, sorry for any grammatical errors.



Answer 3:

I was having the following error:

[root@example ~]$ mysql
ERROR 2026 (HY000): SSL connection error

FIX that worked for me: the server and client "Common Name" in the certificates must be different from the CA's. After changing the CNs the error stopped; I verified the connection status:

mysql> status;
...
SSL: Cipher in use is DHE-RSA-AES256-SHA
...

Source:

"Important Whatever method you use to generate the certificate and key files, the Common Name value used for the server and client certificates/keys must each differ from the Common Name value used for the CA certificate. Otherwise, the certificate and key files will not work for servers compiled using OpenSSL."

http://dev.mysql.com/doc/refman/5.0/en/creating-ssl-certs.html

PS: I'm not using wildcard certificates or a third-party CA; I'm creating my own self-signed certificates, which works OK for me: http://angelcool.net/sphpblog/comments.php?y=14&m=05&entry=entry140511-164525
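An added example that is not part of the original question or of any answer, tying together the advice in answers 2 and 3: a POSIX shell script that builds a private CA plus server and client certificates whose Common Names all differ (the rule quoted from the MySQL manual), concatenates the CA chain into the single file a yaSSL build needs for --ssl-ca, checks that every subject in that bundle is unique, compares the server certificate's Subject Alternative Name against the host the client will connect to, and prints a mysql command line with absolute paths as answer 1 recommends. The working directory and the CA, server and client names are assumptions made for this example; it needs only the openssl command-line tool and never talks to a MySQL server.

```shell
#!/bin/sh
# Added example (not from the original page): issue a CA, a server and a client
# certificate with three distinct CNs, bundle the CA chain for yaSSL, and verify
# the pieces with openssl. WORK, CA_CN, SERVER_CN and CLIENT_CN are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_CN="${CA_CN:-MySQL Example CA}"             # must differ from the two below
SERVER_CN="${SERVER_CN:-db.mydomain.example}"  # should equal the DB host's name
CLIENT_CN="${CLIENT_CN:-app.mydomain.example}"

# Minimal OpenSSL config: -subj supplies each DN, the sections supply extensions.
write_config() {
  cat >"$WORK/openssl.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$SERVER_CN
[v3_client]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Issue one CA-signed certificate: $1 file prefix, $2 CN, $3 extension section, $4 serial.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/openssl.cnf" \
    -subj "/CN=$2" -keyout "$WORK/$1-key.pem" -out "$WORK/$1-req.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/$1-req.pem" -CA "$WORK/ca-cert.pem" -CAkey "$WORK/ca-key.pem" \
    -set_serial "$4" -days 365 -sha256 -extfile "$WORK/openssl.cnf" -extensions "$3" \
    -out "$WORK/$1-cert.pem" 2>/dev/null
}

gen_certs() {
  [ -f "$WORK/client-cert.pem" ] && return 0    # idempotent: reuse existing files
  write_config
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 -config "$WORK/openssl.cnf" \
    -extensions v3_ca -subj "/CN=$CA_CN" -keyout "$WORK/ca-key.pem" -out "$WORK/ca-cert.pem" 2>/dev/null
  issue server "$SERVER_CN" v3_server 2
  issue client "$CLIENT_CN" v3_client 3
  # yaSSL reads exactly one file and follows no chain: every CA certificate
  # (root plus any intermediates) is concatenated into the --ssl-ca file.
  cat "$WORK/ca-cert.pem" >"$WORK/ca-bundle.pem"
}

# Common Name of a certificate file, in RFC 2253 form so the output is stable.
cn_of() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^.*CN=//'
}

# The manual's rule: server and client CNs must each differ from the CA's CN.
check_distinct_cns() {
  ca=$(cn_of "$WORK/ca-cert.pem")
  srv=$(cn_of "$WORK/server-cert.pem")
  cli=$(cn_of "$WORK/client-cert.pem")
  [ "$ca" != "$srv" ] && [ "$ca" != "$cli" ]
}

# Both leaf certificates must chain to the bundle handed to --ssl-ca.
verify_chain() {
  openssl verify -CAfile "$WORK/ca-bundle.pem" "$WORK/server-cert.pem" "$WORK/client-cert.pem" >/dev/null
}

# Does the server certificate's SAN list the host the client will connect to?
cert_matches_host() {
  openssl x509 -in "$WORK/server-cert.pem" -noout -text | grep -Eq "DNS:$1(,|\$)"
}

# yaSSL's other constraint: no two certificates in the bundle share a SubjectName.
unique_subjects() {
  dups=$(openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout \
    | grep '^subject' | sort | uniq -d)
  [ -z "$dups" ]
}

# Client invocation with absolute paths (answer 1) and server-identity checking.
client_command() {
  printf 'mysql --ssl-ca=%s --ssl-cert=%s --ssl-key=%s --ssl-verify-server-cert -h %s -u app -p\n' \
    "$WORK/ca-bundle.pem" "$WORK/client-cert.pem" "$WORK/client-key.pem" "$SERVER_CN"
}

main() {
  gen_certs
  check_distinct_cns && echo "CNs are distinct: CA=$(cn_of "$WORK/ca-cert.pem")"
  verify_chain && echo "server and client certificates verify against $WORK/ca-bundle.pem"
  unique_subjects "$WORK/ca-bundle.pem" && echo "bundle subjects are unique"
  cert_matches_host "$SERVER_CN" && echo "server certificate SAN covers $SERVER_CN"
  client_command
}

main "$@"
```

Run it, then compare the printed SAN host with `hostname` on the database server as answer 2 describes; the `--ssl-verify-server-cert` flag makes the client enforce that match instead of leaving it to you.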



Answer 4:

MySQL doesn't work with wildcard certificates. There are a number of deficiencies with MySQL and SSL.

See my post on Getting MySQL server to run with SSL (and also the post that I refer to therein).



Answer 5:

I connect from a CentOS 7 host running Percona Server and Client 5.6.29-76.2-log to a CentOS 6 host (Server version: 5.6.23-72.1-log Source distribution Percona) and also get this issue.

Adding this option fixed it:

--ssl-cipher=AES128-SHA

Maybe another ssl-cipher will also fix it.



Tags: mysql ssl