Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Server Upgrade 5.7.19 -> 5.7.21 causes "Certificate signature check failed" #330

Open
jaccoTopVintage opened this issue Aug 17, 2018 · 5 comments

Comments

Projects
None yet
5 participants
@jaccoTopVintage
Copy link

commented Aug 17, 2018

Steps to reproduce this issue

We run a MySQL server in the cloud (AWS RDS). We recently upgraded this server from version 5.7.19 to 5.7.21.
The MySQL users have been created with the following syntax:

CREATE USER 'user01'@'%' IDENTIFIED BY 'superSecretPassword' REQUIRE SSL;

We configure all clients and tools (including HeidiSQL) to use a CA-Certificate file, effectively forcing said tools to connect as if the following CLI command was issued:

mysql -uuser01 -psuperSecretPassword --host="hostname.eu-west-1.rds.amazonaws.com" --ssl-ca="C:\ssh\rds-combined-ca-bundle.pem" --ssl-mode=VERIFY_CA

Before the server upgrade, all our tools and programs could connect without issue to the MySQL server.
After the upgrade, all our tools and programs except HeidiSQL can connect to the server as expected.

HeidiSQL however gives the error: "SSL connection error: Certificate signature check failed"

Current behavior

When attempting to connect, with a CA-file specified, HeidiSQL gives the error: "SSL connection error: Certificate signature check failed".
(all other tools and programs work as intended)

Expected behavior

When attempting to connect, with a CA-file specified, the connection should be established.

Possible solution

I've no possible solution. We did try overwriting the libmysql.dll file that comes bundled with HeidiSQL with a newer edition (the one that came with MySQL server 5.7.23 installation), as was suggested in some other tickets, but it does not solve the issue.

It could be that the issue is caused by the MySQL's apparent switch from yaSSL to OpenSSL (source:
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_MySQL.html#MySQL.Concepts.SSLSupport)

Environment

  • MySQL server in the cloud (AWS RDS), version 5.7.21
  • User with REQUIRE_SSL flag
  • Client (HeidiSQL) with CA-file specified
  • HeidiSQL version:
    9.5.0.5284 (64-bit)
  • Database system and version:
    MySQL server in the cloud (AWS RDS), version 5.7.21
  • Operating system:
    Hosted in AWS RDS
  • Operating system:
    Windows 10 Professional
@jaccoTopVintage

This comment has been minimized.

Copy link
Author

commented Aug 21, 2018

same issue as #215 ?

@ansgarbecker ansgarbecker added the mysql label Sep 7, 2018

@ansgarbecker ansgarbecker changed the title [MySQL] Server Upgrade 5.7.19 -> 5.7.21 causes "Certificate signature check failed" Server Upgrade 5.7.19 -> 5.7.21 causes "Certificate signature check failed" Sep 7, 2018

@baodad

This comment has been minimized.

Copy link

commented Feb 17, 2019

I'm having the same problem. Yet I can connect just fine to my AWS instance from the command line with:
mysql -h myinstance.rds.amazonaws.com --ssl-ca=my-ca-root.pem -u sa -p

@Irwandi1987

This comment has been minimized.

Copy link

commented Mar 14, 2019

Hi, I also have the same problem, do you know how to fix it ?

image

@ansgarbecker

This comment has been minimized.

Copy link
Collaborator

commented May 23, 2019

Was this tested with v10.1 ? If not, please give it a try.

Also, it may be worth to update then to the latest build, as I pushed 51da7c8 yesterday, now allowing all TLS versions up to v1.3.

@njohnson-una

This comment has been minimized.

Copy link

commented May 24, 2019

I have upgraded to 10.1.0.5573 and I still see the issue (SSL connection error: Certificate signature check failed) with the following keys (as directed to use in https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html):

https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem
https://s3.amazonaws.com/rds-downloads/rds-ca-2015-root.pem

When I use the region specific certificates, I am able to connect successfully:

https://s3.amazonaws.com/rds-downloads/rds-ca-2015-us-east-1.pem (for example, complete list in the url above)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.