dcts - 5 months ago
SQL Question

MySQL SSL Remote Connection Error: Unable to get Private Key

I am attempting to write a PHP script (hosted on a VPS with GoDaddy) that connects to a remote MySQL database (hosted on an Amazon EC2 instance) using SSL.

I generated some certs (as per http://dev.mysql.com/doc/refman/5.0/en/creating-ssl-certs.html) and configured my.cnf on the remote/server database like so:

[mysqld]
ssl-ca =/etc/mysql/ca-cert.pem
ssl-cert =/etc/mysql/server-cert.pem
ssl-key =/etc/mysql/server-key.pem

[client]
ssl-ca =/etc/mysql/ca-cert.pem
ssl-cert =/etc/mysql/client-cert.pem
ssl-key =/etc/mysql/client-key.pem


The configuration is working on the remote/server side (that is, a PHP script running locally to the remote database is able to establish a connection using the generated SSL certs).

However, while I can make an unsecured connection between the PHP script hosted on the VPS and the remote database, I get an error when I try to establish an SSL connection between the same two systems.

If I attempt to connect to the remote database via the command line using:

mysql -h hostIP --ssl-ca=ca-cert.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem -u ssluser -p

I get the error:

ERROR 2026 (HY000): SSL connection error: Unable to get private key


I get the same error when I attempt to connect to the server via the PHP script using:

<?php
$link = mysqli_init();

// Connection parameters (placeholder values; substitute the real ones)
$host   = 'hostIP';    // remote MySQL server address
$user   = 'ssluser';   // MySQL account configured with REQUIRE SSL
$pass   = 'password';  // placeholder
$schema = 'dbname';    // placeholder database name

// Client key/cert and the CA that signed the server certificate
$key = '/home/userName/etc/mysql/certs/client-key.pem';
$cert = '/home/userName/etc/mysql/certs/client-cert.pem';
$ca = '/home/userName/etc/mysql/certs/ca-cert.pem';
$capath = NULL;
$cipher = NULL;

mysqli_ssl_set($link, $key, $cert, $ca, $capath, $cipher);
mysqli_real_connect($link, $host, $user, $pass, $schema, 3306, NULL, MYSQLI_CLIENT_SSL);
?>

results in the error:

(HY000/2026): SSL connection error: Unable to get private key


I have already attempted a fix as per (forums.mysql.com/read.php?11,400856,401127), but making this change results in a "Segmentation fault".

Is there a step that I've missed? What am I doing wrong?

Thank you.

RESOLVED:

removed the client-key.pem passphrase using

openssl rsa -in client-key.pem -out client-key2.pem

as per the instructions at this website:

http://www.defcon1.org/html/postfix1.html

I changed

$key = '/home/userName/etc/mysql/certs/client-key2.pem';

and

mysql -h hostIP --ssl-ca=ca-cert.pem --ssl-cert=client-cert.pem --ssl-key=client-key2.pem -u ssluser -p

but not

[client]
ssl-key =/etc/mysql/client-key.pem

Answer

RESOLVED:

removed the client-key.pem passphrase using

openssl rsa -in client-key.pem -out client-key2.pem

as per the instructions at this website.

I changed

$key = '/home/userName/etc/mysql/certs/client-key2.pem';

and

mysql -h hostIP --ssl-ca=ca-cert.pem --ssl-cert=client-cert.pem --ssl-key=client-key2.pem -u ssluser -p

but not

[client]
ssl-key =/etc/mysql/client-key.pem
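Pre-flight checks for the client key and certificate before pointing mysql or mysqli at them, as an added example that is not from the original post or from MySQL's own tooling. It assumes POSIX sh with ls and grep available, and openssl only for the optional key/cert match; the paths are whatever you pass in.

```shell
#!/bin/sh
# Checks a MySQL client TLS key/cert pair for the failure mode described above:
# libmysqlclient cannot prompt for a passphrase, so an encrypted client key yields
# "ERROR 2026 (HY000): SSL connection error: Unable to get private key".
# Once the passphrase is stripped the key is plaintext on disk, so the checks also
# insist on owner-only file permissions.

# Returns 0 if the PEM file is passphrase-protected (PKCS#8 "ENCRYPTED PRIVATE KEY"
# envelope or the legacy "Proc-Type: 4,ENCRYPTED" header), 1 if it is a plain key.
pem_key_is_encrypted() {
    grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# Returns 0 if no group/other permission bits are set (e.g. mode 0600), 1 otherwise.
# Parses ls output so it behaves the same on GNU and BSD userland.
key_perms_ok() {
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Returns 0 when key and certificate share the same RSA modulus, i.e. the file
# given as --ssl-key really belongs to --ssl-cert. Returns 2 if openssl is missing.
key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || return 2
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Runs every check on KEY (and CERT if given); one line per finding, 0 only if all pass.
check_client_key() {
    key=$1; cert=${2:-}; rc=0
    if pem_key_is_encrypted "$key"; then
        echo "FAIL: $key is passphrase-protected; strip it with: openssl rsa -in $key -out <newkey>"
        rc=1
    elif [ -n "$cert" ]; then
        key_matches_cert "$key" "$cert"
        case $? in
            0) ;;
            2) echo "SKIP: openssl not found, key/cert match not verified" ;;
            *) echo "FAIL: $key does not match $cert"; rc=1 ;;
        esac
    fi
    if ! key_perms_ok "$key"; then
        echo "FAIL: $key is readable by group/other; run: chmod 600 $key"
        rc=1
    fi
    return $rc
}
```

Run it as `check_client_key client-key.pem client-cert.pem` before retrying the connection; a FAIL line for the passphrase points at exactly the fix the answer describes.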