https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38760
--- Comment #4 from Magnus Enger <[email protected]> ---

I tried to follow the steps from https://wiki.koha-community.org/wiki/Securing_MariaDB_connections_in_Koha_using_a_separate_database_server.

Should the steps under "Enabling TLS" be enough, or do we have to do all of them ("Enabling TLS with server certificate verification" and "Enabling TLS with both server and client certificate verification")?

I created the certs* and added the config** in /etc/mysql/mariadb.conf.d/50-ssl.cnf, then restarted the db container:

$ docker restart kohadev-db-1

When I log into the db I see this:

$ ktd --dbshell
MariaDB [koha_kohadev]> SHOW VARIABLES LIKE '%ssl%';
+---------------------+---------------------------------------+
| Variable_name       | Value                                 |
+---------------------+---------------------------------------+
| have_openssl        | YES                                   |
| have_ssl            | YES                                   |
| ssl_ca              | /etc/mysql/ssl/certs/ca-cert.pem      |
| ssl_capath          |                                       |
| ssl_cert            | /etc/mysql/ssl/certs/server-cert.pem  |
| ssl_cipher          |                                       |
| ssl_crl             |                                       |
| ssl_crlpath         |                                       |
| ssl_key             | /etc/mysql/ssl/private/server-key.pem |
| version_ssl_library | OpenSSL 1.1.1f  31 Mar 2020           |
+---------------------+---------------------------------------+
10 rows in set (0.000 sec)

MariaDB [koha_kohadev]> STATUS;
--------------
mysql  Ver 15.1 Distrib 10.5.28-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2

Connection id:          10
Current database:       koha_kohadev
Current user:           koha_kohadev@localhost
SSL:                    Not in use
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server:                 MariaDB
Server version:         10.5.28-MariaDB-ubu2004 mariadb.org binary distribution
Protocol version:       10
Connection:             Localhost via UNIX socket
Server characterset:    utf8mb4
Db     characterset:    utf8mb4
Client characterset:    utf8
Conn.  characterset:    utf8
UNIX socket:            /run/mysqld/mysqld.sock
Uptime:                 1 min 3 sec

Threads: 2  Questions: 284  Slow queries: 0  Opens: 294  Open tables: 287  Queries per second avg: 4.507
--------------

This looks OK I think?

| have_openssl        | YES |
| have_ssl            | YES |

But this looks wrong:

SSL:                    Not in use

When I run "sudo koha-mysql kohadev" in the Koha container it connects without problems.

Any idea what I am doing wrong?

------------------------------------------------------------------------------------

* = Adding the certs

root@8aa3a057cfea:/# mkdir -p /etc/mysql/ssl/{certs,private}
root@8aa3a057cfea:/# openssl genrsa 4096 > /etc/mysql/ssl/private/ca-key.pem
Generating RSA private key, 4096 bit long modulus (2 primes)
............................................................................................++++
.....................................................................................................................................................................++++
e is 65537 (0x010001)
root@8aa3a057cfea:/# openssl req -new -x509 -nodes -days 3650 -key /etc/mysql/ssl/private/ca-key.pem \
> -out /etc/mysql/ssl/certs/ca-cert.pem \
> -subj "/C=US/ST=State/L=City/O=Organization/OU=Unit/CN=MariaDB_CA"
root@8aa3a057cfea:/# openssl req -newkey rsa:4096 -days 3650 -nodes -keyout /etc/mysql/ssl/private/server-key.pem \
> -out /etc/mysql/ssl/certs/server-req.pem \
> -subj "/C=US/ST=State/L=City/O=Organization/OU=Unit/CN=db"
Ignoring -days; not generating a certificate
Generating a RSA private key
..................................................................................................................................................++++
.................................................................++++
writing new private key to '/etc/mysql/ssl/private/server-key.pem'
-----
root@8aa3a057cfea:/# openssl rsa -in /etc/mysql/ssl/private/server-key.pem -out /etc/mysql/ssl/private/server-key.pem
writing RSA key
root@8aa3a057cfea:/# openssl x509 -req -in /etc/mysql/ssl/certs/server-req.pem -days 3650 \
> -CA /etc/mysql/ssl/certs/ca-cert.pem -CAkey /etc/mysql/ssl/private/ca-key.pem \
> -set_serial 01 -out /etc/mysql/ssl/certs/server-cert.pem
Signature ok
subject=C = US, ST = State, L = City, O = Organization, OU = Unit, CN = db
Getting CA Private Key
root@8aa3a057cfea:/# chown -Rv mysql:root /etc/mysql/ssl/
changed ownership of '/etc/mysql/ssl/private/ca-key.pem' from root:root to mysql:root
changed ownership of '/etc/mysql/ssl/private/server-key.pem' from root:root to mysql:root
changed ownership of '/etc/mysql/ssl/private' from root:root to mysql:root
changed ownership of '/etc/mysql/ssl/certs/server-req.pem' from root:root to mysql:root
changed ownership of '/etc/mysql/ssl/certs/ca-cert.pem' from root:root to mysql:root
changed ownership of '/etc/mysql/ssl/certs/server-cert.pem' from root:root to mysql:root
changed ownership of '/etc/mysql/ssl/certs' from root:root to mysql:root
changed ownership of '/etc/mysql/ssl/' from root:root to mysql:root

** Config in /etc/mysql/mariadb.conf.d/50-ssl.cnf

root@8aa3a057cfea:/# cat /etc/mysql/mariadb.conf.d/50-ssl.cnf
[mariadb]
ssl_ca=/etc/mysql/ssl/certs/ca-cert.pem
ssl_cert=/etc/mysql/ssl/certs/server-cert.pem
ssl_key=/etc/mysql/ssl/private/server-key.pem
require_secure_transport = on

--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
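The comment above shows the certificate set-up and the server-side variables but no check that the resulting PKI is actually usable by a client. The script below is an added example written for this page (not the wiki page's or Koha's own code): it builds the same CA, server and client certificates with the openssl CLI, adds a subjectAltName (which the wiki recipe omits and which hostname verification relies on), and then verifies the chain, the hostname and the key file permissions offline, before any MariaDB server is involved. The directory layout, the "Koha" organisation, the "koha_client" CN and the KEY_BITS variable are assumptions for the example; the server CN "db" follows the comment above.

```shell
#!/bin/sh
# Added example (not from the wiki page or Koha): build a private CA, a server
# certificate and a client certificate for MariaDB, then verify the result the
# way a client would before trusting the setup.  Requires the openssl CLI.
set -eu

KEY_BITS="${KEY_BITS:-4096}"   # assumption: RSA keys; shrink for quick local runs

# make_pki DIR HOST: create DIR/{certs,private} with ca-cert.pem,
# server-cert.pem, client-cert.pem and matching keys.  HOST must be the name
# clients will put in the DSN (e.g. "db"), because that is what gets verified.
make_pki() {
  dir="$1"; host="$2"
  mkdir -p "$dir/certs" "$dir/private"
  chmod 700 "$dir/private"

  # 1. CA key and self-signed CA certificate
  openssl genrsa -out "$dir/private/ca-key.pem" "$KEY_BITS" 2>/dev/null
  openssl req -new -x509 -nodes -days 3650 -key "$dir/private/ca-key.pem" \
    -out "$dir/certs/ca-cert.pem" -subj "/O=Koha/CN=MariaDB_CA" 2>/dev/null

  # 2. Server key + CSR.  -days belongs to the signing step, not the CSR
  #    (openssl prints "Ignoring -days" when it is given here).
  openssl req -new -newkey "rsa:$KEY_BITS" -nodes \
    -keyout "$dir/private/server-key.pem" -out "$dir/certs/server-req.pem" \
    -subj "/O=Koha/CN=$host" 2>/dev/null

  # 3. Sign it with a SAN: clients match the hostname against subjectAltName,
  #    not only the CN.  "x509 -req" does not copy CSR extensions on
  #    OpenSSL 1.1.1, so the extensions are supplied via -extfile.
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" \
    > "$dir/server-ext.cnf"
  openssl x509 -req -in "$dir/certs/server-req.pem" -days 3650 \
    -CA "$dir/certs/ca-cert.pem" -CAkey "$dir/private/ca-key.pem" -CAcreateserial \
    -extfile "$dir/server-ext.cnf" -out "$dir/certs/server-cert.pem" 2>/dev/null

  # 4. Client certificate, only needed for the "both server and client
  #    certificate verification" variant of the wiki page.
  openssl req -new -newkey "rsa:$KEY_BITS" -nodes \
    -keyout "$dir/private/client-key.pem" -out "$dir/certs/client-req.pem" \
    -subj "/O=Koha/CN=koha_client" 2>/dev/null
  printf 'extendedKeyUsage=clientAuth\n' > "$dir/client-ext.cnf"
  openssl x509 -req -in "$dir/certs/client-req.pem" -days 3650 \
    -CA "$dir/certs/ca-cert.pem" -CAkey "$dir/private/ca-key.pem" -CAcreateserial \
    -extfile "$dir/client-ext.cnf" -out "$dir/certs/client-cert.pem" 2>/dev/null

  # Private keys must not be group/world readable (the server reads them as
  # the mysql user, so chown them to that user as the comment above does).
  chmod 600 "$dir"/private/*.pem
}

# verify_pki DIR HOST: return 0 only if the server cert chains to the CA and
# is valid for HOST, the client cert chains to the CA, and no private key is
# readable by group/other.  SHOW VARIABLES LIKE '%ssl%' cannot tell you this:
# it only reports which files the server was configured with.
verify_pki() {
  dir="$1"; host="$2"
  openssl verify -CAfile "$dir/certs/ca-cert.pem" \
    -verify_hostname "$host" "$dir/certs/server-cert.pem" >/dev/null || return 1
  openssl verify -CAfile "$dir/certs/ca-cert.pem" \
    "$dir/certs/client-cert.pem" >/dev/null || return 1
  for k in "$dir"/private/*.pem; do
    # columns 5-10 of "ls -l" are the group and other permission bits
    [ "$(ls -l "$k" | cut -c5-10)" = "------" ] || return 1
  done
  return 0
}

# Stand-alone run: build into a temp dir and report the verification result.
if [ "${1:-}" = "run" ]; then
  d="$(mktemp -d)"
  make_pki "$d" db
  verify_pki "$d" db && echo "PKI OK in $d" || echo "PKI verification FAILED"
fi
```

Once the files verify, test the server over TCP rather than the socket: `mariadb -h db -u koha_kohadev -p --ssl --ssl-ca=/etc/mysql/ssl/certs/ca-cert.pem --ssl-verify-server-cert -e "SHOW STATUS LIKE 'Ssl_cipher'"` prints a non-empty cipher only when TLS is in use, and fails outright if the server certificate does not chain to the CA or does not match "db". Note that MariaDB's `require_secure_transport` counts Unix socket connections as a secure transport, so a client that connects through the socket is neither rejected nor upgraded to TLS, which is why a STATUS output showing "Connection: Localhost via UNIX socket" also shows "SSL: Not in use".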
