I am trying to configure my (Docker) MySQL instance (v8.1.0) to use my "internally" generated certificate. So far I have not been able to get it to work. MySQL throws an SSL/TLS exception during startup.
I have two files:
certificate_name.cer
certificate_name.key
My conf file contains the following:
ssl_cert=/certs/certificate_name.cer
ssl_key=/certs/certificate_name.key
require_secure_transport=ON
"/certs" is the name of my bind volume mount in Docker.
When I start the Dockerized MySQL instance, I get the following error:
2023-10-26T10:57:22.239715Z 0 [Warning] [MY-013595] [Server] Failed to initialize TLS for channel: mysql_main. See below for the description of exact issue.
2023-10-26T10:57:22.239734Z 0 [Warning] [MY-010069] [Server] Failed to set up SSL because of the following SSL library error: SSL_CTX_set_default_verify_paths failed
2023-10-26T10:57:22.275267Z 0 [Warning] [MY-011302] [Server] Plugin mysqlx reported: 'Failed at SSL configuration: "SSL context is not usable without certificate and private key"'
I have not specified the ssl_ca setting because I don't know what to set it to. Is there a setting to ignore CA verification?
Yesterday I was creating a C# client with SSL certificates for MySQL Server 8.0.35. Thank God, I managed to do it. Hope it is useful for others.
Steps on how to do it.
1. Create the folder D://Certificates.
2. Create 4 files (MySqlCerts.bat, ca.cnf, server.cnf, client.cnf). Copy each of the scripts into the 4 files, don't mix them up.
3. Change YOUR_PASSWORD, C, ST, L, O, OU in the scripts.
4. Run MySqlCerts.bat as Administrator, then you will get the following certificates:
   ca-cert.pem (CA certificate)
   ca-key.pem (CA private key)
   client-cert.pem (client certificate)
   client-key.pem (client private key)
   client-req.pem (remove client password)
   server-cert.pem (server certificate)
   server-key.pem (client private key)
   server-req.pem (remove client password)
   client.pfx (certificate file to use with the .NET client, because .NET does not support the pem format)
5. Edit the configuration in C:\ProgramData\MySQL\MySQL Server 8.0\my.ini as follows:
   [client]
   ssl-ca=D:/Certificates/ca-cert.pem
   ssl-cert=D:/Certificates/client-cert.pem
   ssl-key=D:/Certificates/client-key.pem
   [mysqld]
   ssl-ca=D:/Certificates/ca-cert.pem
   ssl-cert=D:/Certificates/server-cert.pem
   ssl-key=D:/Certificates/server-key.pem
   require_secure_transport=ON
6. Open MySQL 8.0 Command Line Client in C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MySQL\MySQL Server 8.0
7. Then type mysql> restart;
8. Wait 5 seconds then type:
   mysql> status;
If SSL is enabled on the MySQL server, you will get a result like the following.
SSL: Cipher in use is TLS_AES_256_GCM_SHA384
Details:
--------------
C:\Program Files\MySQL\MySQL Server 8.0\bin\mysql.exe  Ver 8.0.35 for Win64 on x86_64 (MySQL Community Server - GPL)

Connection id:          8
Current database:
Current user:           root@localhost
SSL:                    Cipher in use is TLS_AES_256_GCM_SHA384
Using delimiter:        ;
Server version:         8.0.35 MySQL Community Server - GPL
Protocol version:       10
Connection:             localhost via TCP/IP
Server characterset:    utf8mb4
Db     characterset:    utf8mb4
Client characterset:    cp850
Conn.  characterset:    cp850
TCP port:               3306
Binary data as:         Hexadecimal
Uptime:                 9 sec

Threads: 2  Questions: 4  Slow queries: 0  Opens: 119  Flush tables: 3  Open tables: 38  Queries per second avg: 0.444
--------------
Scripts:
MySqlCerts.bat
@ECHO OFF
c:
cd c:\Program Files\OpenSSL-Win64\bin\
echo.
echo #OpenSSL version
openssl version
echo.
echo Create CA PrivateKey (ca-key.pem)
openssl genrsa 2048 > D:\Certificates\ca-key.pem
echo.
echo Create CA Certificate (ca-cert.pem)
openssl req -new -x509 -nodes -days 36500 -key D:\Certificates\ca-key.pem -config D:\Certificates\ca.cnf > D:\Certificates\ca-cert.pem
echo.
echo Create Server PrivateKey (server-key.pem)
openssl req -newkey rsa:2048 -nodes -keyout D:\Certificates\server-key.pem -config D:\Certificates\server.cnf > D:\Certificates\server-req.pem
echo.
echo Remove PassPhrase (server-key.pem)
openssl rsa -in D:\Certificates\server-key.pem -out D:\Certificates\server-key.pem
echo.
echo Create Server Certificate (server-cert.pem)
openssl x509 -req -in D:\Certificates\server-req.pem -days 36500 -CA D:\Certificates\ca-cert.pem -CAkey D:\Certificates\ca-key.pem -set_serial 01 > D:\Certificates\server-cert.pem
echo.
echo Create Client PrivateKey (client-key.pem)
openssl req -newkey rsa:2048 -nodes -keyout D:\Certificates\client-key.pem -config D:\Certificates\client.cnf > D:\Certificates\client-req.pem
echo.
echo Remove PassPhrase (client-key.pem)
openssl rsa -in D:\Certificates\client-key.pem -out D:\Certificates\client-key.pem
echo.
echo Create Client Certificate (client-cert.pem)
openssl x509 -req -in D:\Certificates\client-req.pem -days 36500 -CA D:\Certificates\ca-cert.pem -CAkey D:\Certificates\ca-key.pem -set_serial 01 > D:\Certificates\client-cert.pem
echo.
echo Create Client Certificate (client.pfx for C#)
openssl pkcs12 -export -in D:\Certificates\client-cert.pem -inkey D:\Certificates\client-key.pem -certfile D:\Certificates\ca-cert.pem -password pass:YOUR_PASSWORD -out D:\Certificates\client.pfx
pause
ca.cnf
[req]
distinguished_name=distinguished_name
prompt=no
[distinguished_name]
C=ID
ST=Jawa Timur
L=Ngawi
O=Ctech
OU=Software Engineer
CN=CtechCA
[email protected]
server.cnf
[req]
distinguished_name=distinguished_name
attributes=attributes
prompt=no
[distinguished_name]
C=ID
ST=Jawa Timur
L=Ngawi
O=Ctech
OU=Software Engineer
CN=localhost
emailAddress=ct[email protected]
[attributes]
challengePassword=YOUR_PASSWORD
client.cnf
[req]
distinguished_name=distinguished_name
attributes=attributes
prompt=no
[distinguished_name]
C=ID
ST=Jawa Timur
L=Ngawi
O=Ctech
OU=Software Engineer
CN=localhost
emailAddress=ct[email protected]
[attributes]
challengePassword=YOUR_PASSWORD
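The question's warning names SSL_CTX_set_default_verify_paths, the OpenSSL call mysqld falls back to when no ssl_ca is configured, and the answer's MySqlCerts.bat produces the CA-signed server and client pair that gives ssl_ca something to point at. The POSIX sh script below is an added example, not code from the question, the answer or MySQL itself: it rebuilds the same CA -> server -> client chain with openssl on Linux (the environment of the question's container), then runs the three checks that decide whether mysqld will accept the files at startup: the private key belongs to the certificate, the leaf chains to the CA file, and the certificate is PEM rather than DER. It assumes the openssl CLI is on PATH; every directory name, subject, hostname and the /certs mount path are constructed for the example.

```shell
#!/bin/sh
# Added example: generate a CA, server and client certificate chain for MySQL
# and verify the properties mysqld needs before pointing ssl_ca/ssl_cert/ssl_key
# at the files. Assumes the openssl CLI is on PATH; all names are constructed.
set -eu

# Build ca-*.pem, server-*.pem and client-*.pem in directory $1.
# Unlike the batch file this adds a subjectAltName to the server certificate
# (clients verify the hostname against it) and gives the two leaf certificates
# distinct serial numbers.
make_chain() {
    dir="$1"
    mkdir -p "$dir"

    # Self-signed CA: the file the server's ssl_ca and the client's ssl-ca name.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/O=Example Corp/CN=Example Internal CA" \
        -keyout "$dir/ca-key.pem" -out "$dir/ca-cert.pem"

    # Server key + CSR, signed by the CA with serverAuth and the names clients use.
    openssl req -newkey rsa:2048 -nodes \
        -subj "/O=Example Corp/CN=mysql.example.internal" \
        -keyout "$dir/server-key.pem" -out "$dir/server-req.pem"
    printf '%s\n' 'basicConstraints=CA:FALSE' 'extendedKeyUsage=serverAuth' \
        'subjectAltName=DNS:mysql.example.internal,DNS:localhost,IP:127.0.0.1' \
        > "$dir/server.ext"
    openssl x509 -req -in "$dir/server-req.pem" -days 3650 \
        -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" -set_serial 01 \
        -extfile "$dir/server.ext" -out "$dir/server-cert.pem"

    # Client key + CSR, signed with clientAuth and a different serial.
    openssl req -newkey rsa:2048 -nodes \
        -subj "/O=Example Corp/CN=app-user" \
        -keyout "$dir/client-key.pem" -out "$dir/client-req.pem"
    printf '%s\n' 'basicConstraints=CA:FALSE' 'extendedKeyUsage=clientAuth' \
        > "$dir/client.ext"
    openssl x509 -req -in "$dir/client-req.pem" -days 3650 \
        -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" -set_serial 02 \
        -extfile "$dir/client.ext" -out "$dir/client-cert.pem"
}

# Check 1: certificate $1 and private key $2 carry the same public key.
# mysqld refuses to start when ssl_cert and ssl_key do not belong together.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Check 2: leaf certificate $2 chains to CA file $1, the same relationship
# mysqld checks between ssl_cert and ssl_ca.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 3: file $1 is PEM. A ".cer" exported from a Windows CA is often DER,
# which mysqld does not read; convert with:
#   openssl x509 -inform DER -in certificate_name.cer -out certificate_name.pem
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# The [mysqld] lines for a container that bind-mounts the output dir at /certs.
mysqld_tls_config() {
    printf 'ssl_ca=/certs/ca-cert.pem\nssl_cert=/certs/server-cert.pem\n'
    printf 'ssl_key=/certs/server-key.pem\nrequire_secure_transport=ON\n'
}

main() {
    out="$1"
    make_chain "$out"
    for leaf in server client; do
        key_matches_cert "$out/$leaf-cert.pem" "$out/$leaf-key.pem" \
            && chains_to_ca "$out/ca-cert.pem" "$out/$leaf-cert.pem" \
            && is_pem_cert "$out/$leaf-cert.pem" \
            && echo "$leaf: certificate, key and CA are consistent" \
            || { echo "$leaf: check failed" >&2; exit 1; }
    done
    echo "Add to my.cnf (directory mounted at /certs):"
    mysqld_tls_config
}

# Usage: sh mysql-tls-check.sh run [output-dir]
if [ "${1:-}" = "run" ]; then
    main "${2:-./example-certs}"
fi
```

Run it as `sh mysql-tls-check.sh run ./certs`, mount `./certs` at `/certs` in the container, and add the printed lines to my.cnf. The three check functions are also useful on their own against an existing `.cer`/`.key` pair from an internal CA: if `key_matches_cert` or `chains_to_ca` fails, or `is_pem_cert` reports DER, mysqld will log a TLS initialization warning like the one in the question regardless of how ssl_ca is set.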