Sumit Jha

Reputation: 31

Getting "ERROR 2026 (HY000): SSL connection error: ASN: bad other signature confirmation" when trying to connect to localhost mysql server

I followed the article http://www.madirish.net/214 and generated the server certificates as

ssl-ca=server.csr
ssl-cert=server.cert
ssl-key=server.key

and the client certificate as

ssl-ca=client.csr
ssl-cert=client.cert

When I try to connect with the mysql client I get the result below:

[root@sumit mysql-cert]# mysql -uroot -padmin --ssl-ca=/etc/ssl/mysql-cert/client.csr --ssl-cert=/etc/ssl/mysql-cert/client.cert --ssl-key=/etc/ssl/mysql-cert/server.key

Warning: Using a password on the command line interface can be insecure.

ERROR 2026 (HY000): SSL connection error: ASN: bad other signature confirmation

I tried the same command from a remote machine and got the error below:

ERROR 2026 (HY000): SSL connection error

Help me to get out of this.

Upvotes: 3

Views: 14259

Answers (2)

BuvinJ

Reputation: 11046

I encountered the same bad signature error for a set of certs and client / server environments which previously worked fine. I assumed that something must have changed in one of the environments that I wasn't accounting for, since the files and methods of using them were all identical. After wasting a lot of time, I discovered the CA had simply expired! I must have accidentally messed up the expiration settings when generating the certs. In an ideal world, this error message would say something more meaningful, but since it does not - here's an important couple of (obvious) steps to take if you encounter this nebulous error:

Try validating your certs against the CA:

sudo openssl verify -CAfile [CA PATH] [CERT PATH]

Try viewing the CA as text:

sudo openssl x509 -in [CA PATH] -text -noout

Upvotes: 1

Sean Mahan

Reputation: 478

As Charley noted, I think that .csr file is just wrong—I ran into the same issue trying to follow that same article (and met with the same error). I followed this article (https://dev.mysql.com/doc/refman/5.0/en/creating-ssl-certs.html) for generating the keys and certs, and that worked. The gist:

# Create CA certificate
shell> openssl genrsa 2048 > ca-key.pem
shell> openssl req -new -x509 -nodes -days 3600 \
     -key ca-key.pem -out ca-cert.pem

# Create server certificate, remove passphrase, and sign it
# server-cert.pem = public key, server-key.pem = private key
shell> openssl req -newkey rsa:2048 -days 3600 \
     -nodes -keyout server-key.pem -out server-req.pem
shell> openssl rsa -in server-key.pem -out server-key.pem
shell> openssl x509 -req -in server-req.pem -days 3600 \
     -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

# Create client certificate, remove passphrase, and sign it
# client-cert.pem = public key, client-key.pem = private key
shell> openssl req -newkey rsa:2048 -days 3600 \
     -nodes -keyout client-key.pem -out client-req.pem
shell> openssl rsa -in client-key.pem -out client-key.pem
shell> openssl x509 -req -in client-req.pem -days 3600 \
     -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem

Then ca-cert.pem is ssl-ca on both sides, the server gets server-[key/cert].pem for ssl-cert and ssl-key, and the client gets the client ones.

Upvotes: 2
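The two answers together give a generation procedure and a pair of checks; the script below, an added example that is not from the question or either answer, builds the CA, server and client files the way the MySQL procedure does and then runs the three checks that separate the causes discussed here: the cert does not chain to what was passed as ssl-ca (the question passes a .csr), the CA has expired, or the key does not belong to the cert (the question pairs client.cert with server.key). File names and CN values are constructed for the example; it needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example: generate a CA, server and client cert as in the MySQL
# procedure, then run the checks a defender applies before editing my.cnf.
# All file names and CN values below are constructed for this example.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate ca-cert.pem and {server,client}-{key,req,cert}.pem in $WORK.
# Serials differ per cert: RFC 5280 requires them to be unique per issuer.
gen_certs() (
  set -e
  cd "$WORK"
  openssl genrsa -out ca-key.pem 2048 2>/dev/null
  openssl req -new -x509 -nodes -days 3600 -subj "/CN=example-ca" \
      -key ca-key.pem -out ca-cert.pem 2>/dev/null
  serial=1
  for role in server client; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=example-$role" \
        -keyout "$role-key.pem" -out "$role-req.pem" 2>/dev/null
    openssl x509 -req -in "$role-req.pem" -days 3600 -CA ca-cert.pem \
        -CAkey ca-key.pem -set_serial "$serial" -out "$role-cert.pem" 2>/dev/null
    serial=$((serial + 1))
  done
)

# Exit 0 only if cert $2 chains to the CA file $1. Passing a .csr as the CA,
# as the question does, fails here: a CSR is a signing request, not a cert.
verify_against_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Exit 0 only if CA cert $1 is still valid $2 seconds from now (default one
# day). This is the check that would have caught the expired CA above.
ca_not_expiring() { openssl x509 -noout -checkend "${2:-86400}" -in "$1" >/dev/null 2>&1; }

# Exit 0 only if private key $1 and certificate $2 carry the same public key.
# The question's client.cert + server.key combination fails this check.
key_matches_cert() {
  pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) && [ -n "$pub" ] &&
    [ "$pub" = "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# Stand-alone demo: report each check, including the two mistakes from the question.
report() { if "$@"; then echo "OK   $*"; else echo "FAIL $*"; fi; }
if gen_certs; then
  report verify_against_ca "$WORK/ca-cert.pem"    "$WORK/server-cert.pem"
  report verify_against_ca "$WORK/server-req.pem" "$WORK/server-cert.pem"
  report key_matches_cert  "$WORK/server-key.pem" "$WORK/client-cert.pem"
  report ca_not_expiring   "$WORK/ca-cert.pem"
fi
```

Run the same three functions against the real /etc/ssl/mysql-cert files before changing anything on the server; the first check with the .csr path reproduces the question's setup and fails, which is the clue the ERROR 2026 message does not give.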
