I get connected without issue if I disable require_secure_transport.
But if it remains enabled on the server and I include these entries:
ssl_ca: /dsb/mysql/etc/certs/ca.pem
ssl_cert: /dsb/mysql/etc/certs/server-cert.pem
and attempt to connect I get:
unable to connect to database, check login_user and login_password are correct or /home/mysql/.my.cnf has the credentials. Exception message: [SSL] PEM lib (_ssl.c:3938)
We know the user/password is correct.
So the assumption is it is rejecting or not using our CA and key. Could this be because the CA is self-signed?
We are running version 1.0.0.
If not due to self-signed, is there a way to find the error 3938 to understand the error in more detail?
This is a guess, but a socket is usually used by default these days rather than TCP/IP. Is this working without the SSL settings and then failing when they are added, as the service isn’t available using TCP/IP and SSL won’t be used by a socket?
Thanks for your thoughts. I’ve inherited a library of Ansible files that are in a broken state and am trying to resurrect them.
Meanwhile, in theory, there’s no reason an ssh session to the host using ssl should be needed. This is a standard mysql call on port 3306 using tcp/ip. So I would expect the ca.pem and server_cert.pem would be sufficient to make the connection. That also is confirmed to work with the mysql client.
So I went ahead and updated community.mysql so I could use check_hostname: Then I tried using the server_key.pm in conjunction with check_hostname: false and that works.
For now this solves my issue, but I'd much rather not have to use an ssh session and then communicate via the socket to mysql.
Clearly the error is indicating it’s unhappy with the pem file for some reason and I’d love to understand what that is.
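
An added example, not part of the original posts and not code from community.mysql: Python's `ssl.SSLContext.load_cert_chain` needs a private key, either in a separate key file or inside the certificate file, so checking which PEM blocks each configured file contains narrows down a `PEM lib` error before connecting. The `pem_labels`, `preflight` and `fake_pem` names and the placeholder PEM bodies are constructed for illustration; `ssl_key` is assumed to be the option that carries the key file.

```python
import re

# Matches one PEM block and captures its BEGIN and END labels.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END ([A-Z0-9 ]+)-----", re.S)

def pem_labels(text):
    """Return the labels of all well-formed PEM blocks found in text."""
    return [begin for begin, _body, end in PEM_BLOCK.findall(text) if begin == end]

def preflight(files):
    """files maps an option name (ssl_ca, ssl_cert, ssl_key) to PEM text.
    Returns a list of findings; an empty list means nothing was flagged."""
    findings = []
    labels = {opt: pem_labels(text) for opt, text in files.items()}
    for opt, found in labels.items():
        if not found:
            findings.append(f"{opt}: no well-formed PEM block")
    for opt in ("ssl_ca", "ssl_cert"):
        if labels.get(opt) and "CERTIFICATE" not in labels[opt]:
            findings.append(f"{opt}: no CERTIFICATE block")
    if "ssl_cert" in labels:
        # The key may live in its own file or be appended to the certificate file.
        candidates = labels.get("ssl_key", []) + labels["ssl_cert"]
        if not any(label.endswith("PRIVATE KEY") for label in candidates):
            findings.append("ssl_cert: certificate given but no PRIVATE KEY block "
                            "in ssl_key or in the certificate file")
    return findings

def fake_pem(label):
    # Constructed placeholder body, not real certificate or key material.
    return f"-----BEGIN {label}-----\nQ09OU1RSVUNURUQ=\n-----END {label}-----\n"

if __name__ == "__main__":
    # Constructed input mirroring the thread: CA and certificate, no key.
    cert_only = {"ssl_ca": fake_pem("CERTIFICATE"),
                 "ssl_cert": fake_pem("CERTIFICATE")}
    print(preflight(cert_only))
    # Same input with a key file added.
    print(preflight({**cert_only, "ssl_key": fake_pem("PRIVATE KEY")}))
```

To check real files, read each path with `open(path).read()` and pass the text in under the matching option name.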