I've been trying to move from using a self-signed certificate to using a wildcard certificate from a well-known CA to reduce maintenance overhead and improve security. The certificate has already been in use for months on test servers. The setup is working well enough that I can do the following (domain name anonymised):
    mysql --host=host.example-dot-com-equivalent-for.co.uk --user=query_user --password --ssl

This connects successfully after providing the password. However, when I try to actually verify the certificate Common Name it fails:

    $ mysql --host=host.example-dot-com-equivalent-for.co.uk --user=query_user --password --ssl --ssl-verify-server-cert
    ERROR 2026 (HY000): SSL connection error: SSL certificate validation failure

After compiling MariaDB 5.5 using cmake -DCMAKE_BUILD_TYPE=Debug -DWITH_SSL=yes and running the client with --debug I get the following trace log (trimmed):
    mysql_real_connect: info: Connecting
    mysql_real_connect: info: net->vio: 0x0 protocol: 0
    mysql_real_connect: info: Server name: 'host.example-dot-com-equivalent-for.co.uk'. TCP sock: 3306
    mysql_real_connect: info: IP 'client'
    mysql_real_connect: info: IPV6 getaddrinfo host.example-dot-com-equivalent-for.co.uk
    mysql_real_connect: info: Try connect on all addresses for host.
    mysql_real_connect: info: Create socket, family: 2 type: 1 proto: 6
    mysql_real_connect: info: Connect socket
    mysql_real_connect: info: End of connect attempts, sock: 4 status: 0 error: 0
    mysql_real_connect: info: net->vio: 0x263c540
    mysql_real_connect: info: Read first packet.
    mysql_real_connect: info: mysql protocol version 10, server=10
    get_charsets_dir: info: charsets dir: '/usr/local/mysql/share/charsets/'
    my_stat: error: Got errno: 2 from stat
    run_plugin_auth: info: using plugin mysql_native_password
    native_password_auth_client: info: no password
    native_password_auth_client: info: IO layer change in progress...
    ssl_do: info: ssl: 0x2823e50 timeout: 0
    ssl_do: info: SSL connection succeeded
    ssl_do: info: Using cipher: 'AES256-GCM-SHA384'
    ssl_do: info: Peer certificate:
    ssl_do: info: subject: '/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.example-dot-com-equivalent-for.co.uk'
    ssl_do: info: issuer: '/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2'
    ssl_do: info: no shared ciphers!
    native_password_auth_client: info: IO layer change done!
    ssl_verify_server_cert: info: Server hostname in cert: *.example-dot-com-equivalent-for.co.uk
    run_plugin_auth: info: authenticate_user returned CR_ERROR
    run_plugin_auth: info: res=0
    mysql_real_connect: error: message: 2026/HY000 (SSL connection error: SSL certificate validation failure)
    end_server: info: Net:
    main: info: Shutting down: infoflag: 3 print_info: 1

Note specifically that the Server name value matches the CN value.
The certificate is valid for the given hostname and is not expired, as verified by openssl s_client -connect host.example-dot-com-equivalent-for.co.uk:443 -verify_return_error < /dev/null. The "X509v3 Subject Alternative Name" field contains "DNS:*.example-dot-com-equivalent-for.co.uk, DNS:example-dot-com-equivalent-for.co.uk"
The whole certificate chain is in the file pointed to by the server's ssl-cert configuration, as recommended elsewhere. "USERTrust RSA Certification Authority" is in the client's /etc/pki/tls/certs/ca-bundle.crt and /etc/pki/tls/certs/ca-bundle.trust.crt. I tried adding --ssl-ca=/etc/pki/tls/certs/ca-bundle.crt to the command, but that didn't change anything.
The question ends up being: Do MySQL/MariaDB clients support wildcard certificates? If they do, is something wrong with my connection?
Original client:
    $ mysql --version
    mysql Ver 15.1 Distrib 10.1.21-MariaDB, for Linux (x86_64) using readline 5.1

Debug client:

    $ ./client/mysql --version
    ./client/mysql Ver 15.1 Distrib 5.5.56-MariaDB, for Linux (x86_64) using readline 5.1

Server:

    # rpm -q mariadb
    mariadb-5.5.52-1.el7.x86_64

Posted to unix.SE rather than dba.SE because the problem may well be with the SSL libraries rather than the client.
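The question turns on what a hostname-verifying client must do for a wildcard certificate to be accepted. The following is an added illustration, not code from the question or from MariaDB: a small Python implementation of RFC 6125 style DNS-ID matching (case-insensitive, wildcard only as the whole leftmost label, matching exactly one label), run against the two SAN entries quoted in the question and the hostname the client connects to. The SAN list, the hostname, the function names and the "at least two labels after the wildcard" restriction are all assumptions made for this example; it shows what a correct verifier does with these inputs and why a naive byte-for-byte comparison of the CN against the server name cannot succeed for a wildcard certificate. It does not say which MySQL/MariaDB client versions implement which rule.

```python
from typing import List, Optional

# Constructed inputs copied from the question's openssl output and mysql
# command line (assumed for this example; nothing is fetched from the server).
SAN_DNS_NAMES = [
    "*.example-dot-com-equivalent-for.co.uk",
    "example-dot-com-equivalent-for.co.uk",
]
CERT_CN = "*.example-dot-com-equivalent-for.co.uk"
CONNECT_HOST = "host.example-dot-com-equivalent-for.co.uk"


def exact_cn_match(hostname: str, cn: str) -> bool:
    """Naive check: server name must equal the CN (only case-folded).

    A wildcard CN can never satisfy this for a concrete hostname, which is the
    behaviour a client without wildcard support would exhibit.
    """
    return hostname.lower().rstrip(".") == cn.lower().rstrip(".")


def dns_name_matches(hostname: str, pattern: str) -> bool:
    """Match one DNS-ID (SAN dNSName or CN) against a hostname, RFC 6125 style.

    Rules applied (the last one is a conservative extra, assumed here):
      * comparison is case-insensitive and ignores a trailing dot;
      * '*' is accepted only as the entire leftmost label ('*.example.test');
      * the wildcard matches exactly one non-empty label, so neither
        'a.b.example.test' nor the bare 'example.test' matches '*.example.test';
      * at least two labels must follow the wildcard, so '*.com' is refused.
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    pat_labels = pattern.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return host_labels == pat_labels
    # The wildcard must be the whole leftmost label and appear nowhere else.
    if pat_labels[0] != "*" or any("*" in label for label in pat_labels[1:]):
        return False
    if len(pat_labels) < 3:
        return False
    if len(host_labels) != len(pat_labels) or not host_labels[0]:
        return False
    return host_labels[1:] == pat_labels[1:]


def match_hostname(hostname: str, dns_names: List[str]) -> Optional[str]:
    """Return the first SAN entry that matches hostname, or None."""
    for name in dns_names:
        if dns_name_matches(hostname, name):
            return name
    return None


if __name__ == "__main__":
    print("naive CN comparison :", exact_cn_match(CONNECT_HOST, CERT_CN))
    print("RFC 6125 SAN match  :", match_hostname(CONNECT_HOST, SAN_DNS_NAMES))
    print("bare domain         :", match_hostname("example-dot-com-equivalent-for.co.uk", SAN_DNS_NAMES))
    print("two levels deep     :", match_hostname("a.host.example-dot-com-equivalent-for.co.uk", SAN_DNS_NAMES))
```

With the question's inputs the naive comparison returns False while the SAN match returns the wildcard entry, so a client that only compares the server name with the CN string would fail exactly as the trace shows even though the certificate is valid for the host. A second-level name such as a.host.example-dot-com-equivalent-for.co.uk is correctly rejected by both.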