nmalevanec
Contributor

Original PR #18075

Enable Magento 2 to connect MySQL through SSL.

Description

We have made some modifications to enable Magento 2 to connect to MySQL through SSL.

During the installation, there was no option to force the MySQL connection through SSL. With this PR, the following options will be enabled for you to use SSL.

bin/magento setup:install \
	--db-host=<MYSQL_HOST> \
	--db-name=<MYSQL_DATABASE> \
	--db-user=<MYSQL_USERNAME> \
	--db-password=<MYSQL_PASSWORD> \
	--db-ssl-key=<MYSQL_CLIENT_KEY> \
	--db-ssl-cert=<MYSQL_CLIENT_CERT> \
	--db-ssl-ca=<MYSQL_SERVER_CERT>

Fixed Issues (if relevant)

  1. #13561: Magento 2 and SSL connection to MySQL

Manual testing scenarios

There are two scenarios to test this feature. The first is installing Magento via the command line, and the second is using the Magento Setup UI via a browser.

1. Installing via Command-line

  1. Install a MySQL server which accepts connections through SSL.
  2. Copy these files into a folder which is accessible by Magento: client-key.pem, client-cert.pem, ca.pem.
  3. Install a fresh Magento with the following command-line command:
bin/magento setup:install \
	--db-host=<MYSQL_HOST> \
	--db-name=<MYSQL_DATABASE> \
	--db-user=<MYSQL_USERNAME> \
	--db-password=<MYSQL_PASSWORD> \
	--db-ssl-key=<PATH/TO/CLIENT-KEY.pem> \
	--db-ssl-cert=<PATH/TO/CLIENT-CERT.pem> \
	--db-ssl-ca=<PATH/TO/CA.pem>
  4. Observe that driver_options is added to the env.php file.

2. Installing via Magento Setup UI

  1. Install a MySQL server which accepts connections through SSL.
  2. Copy these files into a folder which is accessible by Magento: client-key.pem, client-cert.pem, ca.pem.
  3. Install a fresh Magento via Setup UI.
  4. Observe that driver_options is added to the env.php file.

Contribution checklist

  • Pull request has a meaningful description of its purpose
  • All commits are accompanied by meaningful commit messages
  • All new or changed code is covered with unit/integration tests (if applicable)
  • All automated tests passed successfully (all builds on Travis CI are green)

@m2-assistant

m2-assistant bot commented Oct 31, 2019

Hi @nmalevanec. Thank you for your contribution.
Here are some useful tips on how you can test your changes using the Magento test environment.
Add a comment under your pull request to deploy a test or vanilla Magento instance:

  • @magento give me test instance - deploy test instance based on PR changes
  • @magento give me 2.3-develop instance - deploy vanilla Magento instance

For more details, please review the Magento Contributor Guide documentation.

@magento-engcom-team
Contributor

Hi @VladimirZaets, thank you for the review.
ENGCOM-6218 has been created to process this Pull Request

@magento-engcom-team magento-engcom-team merged commit 91d5327 into magento:2.3-develop Nov 6, 2019
@m2-assistant

m2-assistant bot commented Nov 6, 2019

Hi @nmalevanec, thank you for your contribution!
Please complete the Contribution Survey; it will take less than a minute.
Your feedback will help us improve the contribution process.

@jeff-matthews
Contributor

Hi @bnymn! It looks like this feature needs docs. We would love it if you created a PR to devdocs as well. See magento/devdocs#5951.

@davidalger
Member

In case others run across this and wonder how to configure this apart from running setup:install, the following is what I did on an EL7 system moments ago to successfully connect a 2.3.4 site to Azure Database for MariaDB which is configured to enforce SSL connections:

bin/magento setup:config:set --db-ssl-verify --db-ssl-ca=/etc/pki/tls/certs/ca-bundle.crt

What this does is add the following to the app/etc/env.php file:

<?php
return [
    'db' => [
        'connection' => [
            'default' => [
                // lots of other config here
                'driver_options' => [
                    1014 => true,
                    1009 => '/etc/pki/tls/certs/ca-bundle.crt'
                ]
            ]
        ]
    ]
];

This did not work by itself, and I also had to add these same driver_options to the indexer connection (which I did by hand). Running a cache:flush failed without them in the default connection, and an app:config:import (and presumably a ton of other things) failed without them on the indexer connection. They need to be repeated on each connection for this to work.

<?php
return [
    'db' => [
        'connection' => [
            'indexer' => [
                // lots of other config here
                'driver_options' => [
                    1014 => true,
                    1009 => '/etc/pki/tls/certs/ca-bundle.crt'
                ]
            ],
            'default' => [
                // lots of other config here
                'driver_options' => [
                    1014 => true,
                    1009 => '/etc/pki/tls/certs/ca-bundle.crt'
                ]
            ]
        ]
    ]
];

These options correspond to these PDO options:

PDO Constant                              Integer Value
PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT    1014
PDO::MYSQL_ATTR_SSL_CA                    1009
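
An added example, not part of the original thread or of Magento's code: a small PHP check that every connection in app/etc/env.php carries the two driver options listed above, since the comment reports they must be repeated on each connection. The function name auditDbTls, the script name and the sample array are assumptions made for illustration.

```php
<?php
// Added example: audit helper, not Magento code.
// The integer keys are the PDO option values given in the comment above.
const SSL_CA = 1009;                 // PDO::MYSQL_ATTR_SSL_CA
const SSL_VERIFY_SERVER_CERT = 1014; // PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT

/**
 * Return one finding per problem: a connection with no CA file, an
 * unreadable CA file, or server-certificate verification not enabled.
 */
function auditDbTls(array $env): array
{
    $findings = [];
    foreach ($env['db']['connection'] ?? [] as $name => $conn) {
        $opts = $conn['driver_options'] ?? [];
        $ca = $opts[SSL_CA] ?? '';
        if ($ca === '') {
            $findings[] = "$name: no CA file (1009) configured";
        } elseif (!is_readable($ca)) {
            $findings[] = "$name: CA file $ca is not readable by this user";
        }
        // Require the literal boolean true, as written in the env.php above.
        if (($opts[SSL_VERIFY_SERVER_CERT] ?? false) !== true) {
            $findings[] = "$name: server certificate verification (1014) is not enabled";
        }
    }
    return $findings;
}

// Constructed sample: 'default' carries the options, 'indexer' was missed.
$sample = ['db' => ['connection' => [
    'default' => ['driver_options' => [
        1014 => true,
        1009 => '/etc/pki/tls/certs/ca-bundle.crt',
    ]],
    'indexer' => [], // no driver_options at all
]]];

// Audit a real file with: php audit_db_tls.php app/etc/env.php
// (env.php is a PHP file returning an array, so it is loaded with require.)
$env = isset($argv[1]) ? require $argv[1] : $sample;
$findings = auditDbTls($env);
foreach ($findings as $finding) {
    echo $finding, PHP_EOL;
}
exit($findings ? 1 : 0);
```

Run without arguments it audits the constructed sample and reports the indexer connection; the non-zero exit code lets it gate a deployment step.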
