12

I am attempting to write a PHP script (hosted on a VPS with GoDaddy) that connects to a remote MySQL database (hosted on an Amazon EC2 instance) using SSL.

I generated some certs (as per http://dev.mysql.com/doc/refman/5.0/en/creating-ssl-certs.html) and configured my.cnf on the remote/server database like so:

[mysqld]
ssl-ca      =/etc/mysql/ca-cert.pem
ssl-cert    =/etc/mysql/server-cert.pem
ssl-key     =/etc/mysql/server-key.pem

[client]
ssl-ca      =/etc/mysql/ca-cert.pem
ssl-cert    =/etc/mysql/client-cert.pem
ssl-key     =/etc/mysql/client-key.pem

The configuration is working on the remote/server side (that is, a PHP script running locally to the remote database is able to establish a connection using the generated SSL certs).

However, while I can make an unsecured connection between the PHP script hosted on the VPS and the remote database, I get an error when I try to establish an SSL connection between the same two systems.

If I attempt to connect to the remote database via the command line using:

mysql -h hostIP --ssl-ca=ca-cert.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem -u ssluser -p

I get the error:

ERROR 2026 (HY000): SSL connection error: Unable to get private key

I get the same error when I attempt to connect to the server via the PHP script using:

<?php
 $link = mysqli_init();

 // Connection details (placeholders; fill in for your environment)
 $host   = 'hostIP';
 $user   = 'ssluser';
 $pass   = 'password';
 $schema = 'database';

 // Client key, client certificate and CA certificate generated as in the MySQL manual
 $key   = '/home/userName/etc/mysql/certs/client-key.pem';
 $cert  = '/home/userName/etc/mysql/certs/client-cert.pem';
 $ca    = '/home/userName/etc/mysql/certs/ca-cert.pem';
 $capath = NULL;
 $cipher = NULL;

 // SSL parameters must be registered before the connection is opened
 mysqli_ssl_set($link, $key, $cert, $ca, $capath, $cipher);
 if (!mysqli_real_connect($link, $host, $user, $pass, $schema, 3306, NULL, MYSQLI_CLIENT_SSL)) {
     die('Connect Error (' . mysqli_connect_errno() . ') ' . mysqli_connect_error());
 }
?>

results in the error:

(HY000/2026): SSL connection error: Unable to get private key

I have already attempted a fix as per (forums.mysql.com/read.php?11,400856,401127), but making this change results in a "Segmentation fault".

Is there a step that I've missed? What am I doing wrong?

4

5 Answers

10

Solved

Removed the password from client-key.pem using

openssl rsa -in client-key.pem -out client-key2.pem

following the instructions on this site.

I changed

$key   = '/home/userName/etc/mysql/certs/client-key2.pem' ; 

mysql -h hostIP --ssl-ca=ca-cert.pem --ssl-cert=client-cert.pem --ssl-key=client-key2.pem -u ssluser -p

but not

[client]
ssl-key     =/etc/mysql/client-key.pem
answered 2013-07-22T14:52:47.177
3

In my case, server-key.pem was owned by root instead of mysql.

answered 2018-05-20T18:51:46.703
2

'openssl genrsa' generates a key in PKCS #1 format:

-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

'openssl pkey' and 'openssl req -newkey ...' generate it in PKCS #8 format:

-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----

The MySQL server requires the PKCS #1 format.

Adding RSA after BEGIN and END fixed this for me.

Check the link for details: MySQL forum

answered 2018-03-27T11:50:52.733
1

For me, the key needed to be converted to the full RSA format, not just the headers changed:

openssl rsa -in client.key -out client.key.rsa

Thanks to Velkan's answer on DBA Exchange.

answered 2018-10-22T11:12:56.147
0

This error also occurs when you pass the SSL CA file as the SSL key file in MySQL.

MySQL SSL CA file

answered 2020-03-23T09:58:38.820
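As an added example (not from the question or any of the answers above), here is a Python checker that applies the diagnoses the answers converge on, a passphrase-protected key, a PKCS #8 key, the CA file handed in as the key, and a key file owned by the wrong user, to the PEM headers and file attributes before the file reaches mysqli_ssl_set() or --ssl-key. The sample PEM blobs and the uid/mode values are constructed placeholders; the remedies are the openssl commands quoted in the answers.

```python
import os
import stat

# Constructed sample PEM blobs (headers only; the bodies are placeholders, not real keys).
SAMPLE_PKCS1 = "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_PKCS1_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                          "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nMIIE...\n"
                          "-----END RSA PRIVATE KEY-----\n")
SAMPLE_PKCS8 = "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n"
SAMPLE_CA_CERT = "-----BEGIN CERTIFICATE-----\nMIID...\n-----END CERTIFICATE-----\n"

# PEM BEGIN-line label -> format tag; then the remedy the answers above give for each tag.
PEM_LABELS = {"RSA PRIVATE KEY": "pkcs1-rsa", "PRIVATE KEY": "pkcs8",
              "ENCRYPTED PRIVATE KEY": "pkcs8-encrypted", "CERTIFICATE": "certificate"}
REMEDY = {
    "pkcs1-rsa": "ok: unencrypted PKCS #1 key, which is what the MySQL server expects",
    "pkcs1-encrypted": "remove the passphrase: openssl rsa -in client-key.pem -out client-key2.pem",
    "pkcs8": "convert to PKCS #1: openssl rsa -in client.key -out client.key.rsa",
    "pkcs8-encrypted": "decrypt and convert: openssl rsa -in client.key -out client.key.rsa",
    "certificate": "this is a certificate (e.g. the CA file), not the client key",
}

def classify_pem(pem_text):
    """Tag a PEM blob from its BEGIN line and optional Proc-Type header (body is not parsed)."""
    lines = [ln.strip() for ln in pem_text.splitlines() if ln.strip()]
    begins = [ln for ln in lines if ln.startswith("-----BEGIN ")]
    if not begins:
        return "not-pem"
    label = begins[0][len("-----BEGIN "):].rstrip("-").strip()
    tag = PEM_LABELS.get(label, "other")
    # Legacy PKCS #1 keys signal a passphrase with a Proc-Type header, not with the label.
    if tag == "pkcs1-rsa" and any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines):
        tag = "pkcs1-encrypted"
    return tag

def diagnose(pem_text, mode, owner_uid, expected_uid):
    """Return (tag, remedy, file_problems) for a key given its text and stat fields."""
    problems = []
    if owner_uid != expected_uid:
        problems.append("key is not owned by the user running mysqld/PHP")
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        problems.append("key is readable by group/others; use chmod 600")
    tag = classify_pem(pem_text)
    return tag, REMEDY.get(tag, "unsupported file type for ssl-key"), problems

def diagnose_key_file(path, expected_uid):
    """Stat and read a key file on disk, then run diagnose() on it."""
    st = os.stat(path)
    with open(path, "r", encoding="ascii") as fh:
        return diagnose(fh.read(), st.st_mode, st.st_uid, expected_uid)
```

Run diagnose_key_file() on the exact path you pass to mysqli_ssl_set() with the uid of the PHP (or mysqld) user; a tag other than "pkcs1-rsa" or a non-empty problem list points at one of the causes the answers describe.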