MySQL 8.0 with Let's Encrypt SSL on Ubuntu 20.4


I installed a Let's Encrypt SSL certificate on an Ubuntu 20.4 VPN server, and it works fine. Now I am trying to configure MySQL for SSL on this server. I have read many related posts dealing with the same problem and spent a lot of time trying to fix it, without success.

These are the steps I took:

  • I copied the files cert.pem, chain.pem, fullchain.pem and privkey.pem to /var/lib/mysql. They are the same files I use for the SSL configuration of my domain.

  • The configuration in MySQL is unclear. I tried different combinations in [mysql] and [mysqld]. The one I expected to be correct did not work:

    ssl_ca=/var/lib/mysql/cert.pem
    ssl_cert=/var/lib/mysql/chain.pem
    ssl_key=/var/lib/mysql/privkey.pem

    Only this configuration works without throwing errors. Note: fullchain.pem contains the certificates from cert.pem and chain.pem. In /etc/mysql/mysql.conf.d:

    [mysqld]
    ssl_cert=/var/lib/mysql/fullchain.pem
    ssl_key=/var/lib/mysql/privkey.pem


I can connect to MySQL locally from my server, and when I check the SSL variables I get:

(I only list the variables that have a value)

+-------------------------------------+------------------------------+
| Variable_name                       | Value                        |
+-------------------------------------+------------------------------+
| have_openssl                        | YES                          |
| have_ssl                            | YES                          |
| performance_schema_show_processlist | OFF                          |
| ssl_cert                            | /var/lib/mysql/fullchain.pem |
| ssl_fips_mode                       | OFF                          |
| ssl_key                             | /var/lib/mysql/privkey.pem   |
+-------------------------------------+------------------------------+

When I run mysql> \s, I get:

mysql  Ver 8.0.21 for Win64 on x86_64 (MySQL Community Server - GPL)

Connection id:          66
Current database:
Current user:           someUser@someIP
SSL:                    Cipher in use is TLS_AES_256_GCM_SHA384
Using delimiter:        ;
Server version:         8.0.26-0ubuntu0.20.04.3 (Ubuntu)
Protocol version:       10
Connection:             maraxai.de via TCP/IP
Server characterset:    utf8mb4
Db     characterset:    utf8mb4
Client characterset:    cp850
Conn.  characterset:    cp850
TCP port:               3306
Binary data as:         Hexadecimal

When I run $ openssl s_client -connect maraxai.de:3306 -servername maraxai.de, I expect to get the same result as with $ openssl s_client -connect maraxai.de:443 -servername maraxai.de, i.e. the full certificate chain of a successful handshake, but instead I get:

139990121219392:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 302 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

Some posts suggest that the line SSL handshake has read 5 bytes and written 302 bytes indicates that the SSL handshake was started but aborted because the server returned something unexpected.

To check further, I used openssl s_client -connect maraxai.de:3306 -servername maraxai.de -starttls mysql. The first part tells me error:num=20:unable to get local issuer certificate and error:num=21:the server certificate is not verified (depth:0) about the server certificate. Also, I see only one certificate (cert.pem). The intermediate certificate from chain.pem is not listed. This is strange, since I am using fullchain.pem, which is the concatenation of the certificates in chain.pem and cert.pem.

CONNECTED(00000003)
depth=0 CN = maraxai.de
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = maraxai.de
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = maraxai.de
   i:C = US, O = Let's Encrypt, CN = R3
---
Server certificate
-----BEGIN CERTIFICATE-----
//MIIF...
-----END CERTIFICATE-----
subject=CN = maraxai.de

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2027 bytes and written 448 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: B157BD91FF0A458D6A546C26CB5665C95CD88B99CE6C66A5D98783642C39EFA4
    Session-ID-ctx:
    Resumption PSK: CB807FC16CE11EB47FE7BDDD99C71A5AAF1AE5CDC600A127230E914AFC4AE1018A34F72F44741D2440EB4917D5DDD0D7
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    // ...0000 - 00e0


    Start Time: 1645286635
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
2▒▒#08S01Got timeout reading communication packetsread:errno=0

To check that the issuer and subject of the certificates are set correctly, I run:

openssl crl2pkcs7 -nocrl -certfile fullchain.pem | openssl pkcs7 -print_certs -noout

Here everything looks fine:

subject=CN = maraxai.de
issuer=C = US, O = Let's Encrypt, CN = R3

subject=C = US, O = Let's Encrypt, CN = R3
issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1

subject=C = US, O = Internet Security Research Group, CN = ISRG Root X1
issuer=O = Digital Signature Trust Co., CN = DST Root CA X3

Also, for privkey.pem I changed the key format to PKCS#1, to get the correct -----BEGIN RSA PRIVATE KEY----- header, using the command $ openssl rsa -in privkey.pem -out privkey.pem.

I don't know how to investigate this any further. Any help would be much appreciated.
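As an added diagnostic, not part of the original question: a small script that parses the two openssl outputs shown above (the "Certificate chain" block from s_client -starttls mysql and the subject/issuer list from pkcs7 -print_certs) and reports which certificates in fullchain.pem the server never sent. The sample outputs are constructed from the question; the function names are my own.

```python
import re

# Constructed sample: the "Certificate chain" block that
# `openssl s_client -starttls mysql` printed in the question (leaf only).
S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
depth=0 CN = maraxai.de
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:CN = maraxai.de
   i:C = US, O = Let's Encrypt, CN = R3
---
Server certificate
"""

# Constructed sample: what `openssl pkcs7 -print_certs -noout` printed for
# fullchain.pem in the question (leaf, R3 intermediate, cross-signed root).
PRINT_CERTS_OUTPUT = """\
subject=CN = maraxai.de
issuer=C = US, O = Let's Encrypt, CN = R3

subject=C = US, O = Let's Encrypt, CN = R3
issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1

subject=C = US, O = Internet Security Research Group, CN = ISRG Root X1
issuer=O = Digital Signature Trust Co., CN = DST Root CA X3
"""

def parse_s_client_chain(text):
    """Return [(subject, issuer), ...] for the certs the server actually sent."""
    block = text.split("Certificate chain", 1)[1].split("---", 1)[0]
    return re.findall(r"^\s*\d+ s:(.*)\n\s*i:(.*)$", block, re.MULTILINE)

def parse_print_certs(text):
    """Return [(subject, issuer), ...] for the certs in the PEM bundle."""
    return re.findall(r"^subject=(.*)\nissuer=(.*)$", text, re.MULTILINE)

def chain_links(certs):
    """True if each cert's issuer is the subject of the cert that follows it."""
    return all(certs[i][1] == certs[i + 1][0] for i in range(len(certs) - 1))

def missing_from_served(served, bundle):
    """Subjects present in the bundle but absent from what the server sent."""
    served_subjects = {subject for subject, _ in served}
    return [subject for subject, _ in bundle if subject not in served_subjects]

if __name__ == "__main__":
    served = parse_s_client_chain(S_CLIENT_OUTPUT)
    bundle = parse_print_certs(PRINT_CERTS_OUTPUT)
    print("bundle links correctly:", chain_links(bundle))
    for subject in missing_from_served(served, bundle):
        print("not sent by server:", subject)
```

Running it against the outputs in the question shows the bundle itself links correctly while the R3 intermediate and the cross-signed ISRG Root X1 are never sent, which is exactly what produces "unable to get local issuer certificate" on the client side.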
