mysql: TLS without certificates (no client-cert, no server-cert-verify) is not possible #63429

Open
keiki85 opened this issue Feb 20, 2023 · 6 comments

@keiki85

keiki85 commented Feb 20, 2023

What happened:
Since the database was switched to TLS only mode "--require_secure_transport=ON" I can't connect to it anymore with Grafana.
MySQL clients like Workbench or IntelliJ are automatically using TLS and connecting without any issue.
Error message:
“logger=tsdb.mysql t=2023-01-16T10:32:40.287979533+01:00 level=error msg=“Query error” error=“Error 3159: Connections using insecure transport are prohibited while --require_secure_transport=ON.””

What you expected to happen:
I can connect to MySQL.

How to reproduce it (as minimally and precisely as possible):
I'm not sure yet. I guess you need to configure a MySQL instance with said flag.

Anything else we need to know?:
I tried to get an answer in the forum but it didn't help https://community.grafana.com/t/cant-connect-to-mysql-datasource-since-switch-to-require-secure-transport-on-mode/79748

Environment:

  • Grafana version: 9.3.6 (taken from arch AUR)
  • Data source type & version: dunno where to get this information
  • MySQL DBMS: Report from IntelliJ connection:
MySQL (ver. 8.0.28-19.1)
Case sensitivity: plain=exact, delimited=exact
Driver: MySQL Connector/J (ver. mysql-connector-java-8.0.25 (Revision: 08be9e9b4cba6aa115f9b27b215887af40b159e0), JDBC4.2)

  • OS Grafana is installed on: Arch Linux
  • User OS & Browser: Endeavor OS which is based on arch
  • Grafana plugins: No extra

Thank you very much.

@keiki85 keiki85 changed the title Can Can't connect to Mysql Datasource since switch to TLS only. Mysql Errorcode 3159 Feb 20, 2023
@tonypowa
Contributor

👋 Thanks for creating this issue, @keiki85

would it make any difference to try a different method? what if you provisioned mysql data source (with TLS) in a yaml file?

@tonypowa tonypowa added needs more info Issue needs more information, like query results, dashboard or panel json, grafana version etc datasource/MySQL labels Feb 24, 2023
@keiki85
Author

keiki85 commented Mar 2, 2023

@tonypowa Thanks for the reply and sorry for my late answer.

I get the same issue with provisioning. With my understanding Grafana is doing the same.

Do you have more options with provisioning which I didn't see? On provisioning I didn't find more options regarding TLS.

In my MySQL clients I use (MySQL workbench and IntelliJ using JDBC underneath) I don't need to specify the use of TLS as it automatically is used.

@keiki85
Author

keiki85 commented Mar 2, 2023

If I understand the Grafana code correctly, the "tls" parameter for your MySQL library is only set when certificates are provided. In my case I don't need to provide them. That's why tls is not set and kept at default "false". See https://github.com/go-sql-driver/mysql#usage in the chapter tls.
Code at: pkg/tsdb/mysql/mysql.go:108

The "normal" MySQL client has "preferred" as default configuration. So it will automatically use TLS if available. https://dev.mysql.com/doc/refman/8.0/en/using-encrypted-connections.html

For Mysql JDBC library it's the same behavior since 8.0.13 according to https://dev.mysql.com/doc/connector-j/8.0/en/connector-j-reference-using-ssl.html
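
An added example, not part of the comment above and not Grafana or driver code: a small Go classifier that reads the `tls` parameter of a go-sql-driver/mysql DSN and reports the transport security it asks for, which shows why a connection string with no `tls` parameter stays plaintext and is refused once the server runs with `--require_secure_transport=ON`. The function name, posture labels and sample DSN are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// What each documented value of the driver's "tls" parameter asks for.
const (
	Plaintext     = "plaintext only"
	Opportunistic = "TLS if offered, no cert verification, plaintext fallback"
	Unverified    = "TLS required, no cert verification"
	Verified      = "TLS required, cert verified"
	CustomConfig  = "TLS with a registered custom config"
	Invalid       = "invalid DSN parameters"
)

var postures = map[string]string{
	"false": Plaintext, "preferred": Opportunistic,
	"skip-verify": Unverified, "true": Verified,
}

// tlsPosture classifies a go-sql-driver/mysql DSN by its "tls" parameter.
func tlsPosture(dsn string) string {
	// Parameters follow the '?' after the last '/' (the database name part).
	slash := strings.LastIndex(dsn, "/")
	_, query, _ := strings.Cut(dsn[slash+1:], "?")
	params, err := url.ParseQuery(query)
	if err != nil {
		return Invalid
	}
	mode := "false" // driver default when "tls" is absent: no TLS at all
	if v := params.Get("tls"); v != "" {
		mode = strings.ToLower(v)
	}
	if p, ok := postures[mode]; ok {
		return p
	}
	return CustomConfig // any other value names a config registered in code
}

func main() {
	// Constructed sample DSN: user, host and database are made up.
	base := "grafana:secret@tcp(db.example.internal:3306)/metrics?parseTime=true"
	for _, extra := range []string{"", "&tls=preferred", "&tls=skip-verify", "&tls=true"} {
		fmt.Printf("%-18q %s\n", extra, tlsPosture(base+extra))
	}
}
```

Only the `true` and custom-config modes authenticate the server; `preferred` and `skip-verify` encrypt without verifying the certificate.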

@tonypowa
Contributor

tonypowa commented Mar 3, 2023

hi @keiki85

thanks for the additional notes

however, I am unable to replicate the same environment from my side, so I will seek help from the BI squad, that supports questions related to mysql as a datasource.

they will get in touch with you

@tonypowa tonypowa removed the needs more info Issue needs more information, like query results, dashboard or panel json, grafana version etc label Mar 3, 2023
@keiki85
Author

keiki85 commented Mar 6, 2023

Thank you for your reply.

I got Grafana working locally by using the following code change. Basically setting tls to preferred when the specific TLS config is not applicable.

Index: pkg/tsdb/mysql/mysql.go
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/pkg/tsdb/mysql/mysql.go b/pkg/tsdb/mysql/mysql.go
--- a/pkg/tsdb/mysql/mysql.go	(revision 211a999a2a6724185acb650f7fd7ec487d460208)
+++ b/pkg/tsdb/mysql/mysql.go	(date 1678092717941)
@@ -106,6 +106,8 @@
 				return nil, err
 			}
 			cnnstr += "&tls=" + tlsConfigString
+		} else {
+			cnnstr += "&tls=preferred"
 		}
 
 		if dsInfo.JsonData.Timezone != "" {
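
Review bot: the new `else` branch at `cnnstr += "&tls=preferred"` applies to every data source that reaches the non-TLS path, so existing configurations change behaviour without any setting being touched. Per the go-sql-driver/mysql documentation linked earlier in this thread, `preferred` does not verify the server certificate and falls back to an unencrypted connection when the server does not advertise TLS. Consider exposing the mode as an explicit data source option (with `preferred` as one choice) rather than hard-coding it here, and add a comment and a test stating that this branch gives opportunistic encryption only, so that users who need an authenticated server still configure certificates.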

@codeincarnate codeincarnate self-assigned this Jun 12, 2023
@codeincarnate codeincarnate removed their assignment Aug 1, 2023
@grafana grafana deleted a comment from Shionigami Aug 24, 2023
@gabor gabor added the type/bug label Oct 23, 2023
@gabor gabor changed the title Can't connect to Mysql Datasource since switch to TLS only. Mysql Errorcode 3159 mysql: TLS without certificates (no client-cert, no server-cert-verify) is not possible Oct 23, 2023
@rmacian

rmacian commented Feb 26, 2024

Will this be assigned? I've run into the same problem when trying to configure a MySQL datasource when secure transport is enabled using 9.4.17. I've tested 9.5 and 10.2.1 so far with the same result
[xorm] [info] 2024/02/26 13:29:32.122745 PING DATABASE mysql logger=tsdb.mysql t=2024-02-26T13:29:32.152392869Z level=error msg="Query error" error="Error 3159: Connections using insecure transport are prohibited while --require_secure_transport=ON." logger=context userId=1 orgId=1 uname=admin t=2024-02-26T13:29:32.15256

@usmangt usmangt added triage/needs-confirmation used for OSS triage rotation - reported issue needs to be reproduced area/configuration For issues concerning configuring Grafana area/datasource and removed triage/needs-confirmation used for OSS triage rotation - reported issue needs to be reproduced labels Feb 27, 2024
Status: Backlog

6 participants