'occ maintenance:install' fails using MySQL with SSL enabled #19738

Open
solracsf opened this issue Mar 2, 2020 · 7 comments
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap 25-feedback bug feature: install and update pending documentation This pull request needs an associated documentation update

Comments

@solracsf
Member

solracsf commented Mar 2, 2020

Hello everyone,

The installation process fails directly when I enforce SSL for MySQL.

Steps to reproduce

  • Configure MySQL to force SSL connections (CREATE USER ... REQUIRE SSL)
  • Edit config.php to tell the driver the certificates' location:
<?php
$CONFIG = array (
...
  'dbdriveroptions' => array(
    PDO::MYSQL_ATTR_SSL_KEY => '/etc/xxx',
    PDO::MYSQL_ATTR_SSL_CERT => '/etc/xxx',
    PDO::MYSQL_ATTR_SSL_CA => '/etc/xxx',
    PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => false,
  ),
...
);

  • Use occ to install:

occ maintenance:install \
       --database "mysql" \
       --database-name "db_name" \
       --database-host=127.0.0.1 \
       --database-user "user" --database-pass "password" \
       --admin-user "user" --admin-pass "password"

Actual behaviour

The installation fails with

Error while trying to create admin user: Failed to connect to the database: An exception occurred in driver: SQLSTATE[HY000] [1045] Access denied for user 'USER'@'%' (using password: YES)

and occ maintenance:install modifies the config.php file, turning this part:

  'dbdriveroptions' => array(
    PDO::MYSQL_ATTR_SSL_KEY => '/etc/xxx',
    PDO::MYSQL_ATTR_SSL_CERT => '/etc/xxx',
    PDO::MYSQL_ATTR_SSL_CA => '/etc/xxx',
    PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => false,
  ),

into

  'dbdriveroptions' => array(
    1007 => '/etc/xxx',
    1008 => '/etc/xxx',
    1009 => '/etc/xxx',
    1014 => false,
  ),

If I do the installation without enforcing SSL for MySQL, and define REQUIRE SSL for the SQL user and dbdriveroptions AFTER INSTALLATION, everything works fine.

Expected behaviour

It should connect to the MySQL server using the SSL options defined in config.php.

@solracsf solracsf added bug 0. Needs triage Pending check for reproducibility or if it fits our roadmap labels Mar 2, 2020
@solracsf solracsf changed the title 'occ maintenance:install' fais using MySQL with SSL enabled 'occ maintenance:install' fails using MySQL with SSL enabled Mar 2, 2020
@solracsf solracsf added feature: install and update and removed 0. Needs triage Pending check for reproducibility or if it fits our roadmap labels Mar 2, 2020
@skjnldsv skjnldsv added the 0. Needs triage Pending check for reproducibility or if it fits our roadmap label Aug 20, 2020
@SimplyCorbett

SimplyCorbett commented Oct 21, 2020

Can confirm this behavior. Who maintains the ssl portion of mysql?

@ChristophWurst would that be you?? :)

To be fair a proxy mysql server is doable but it would be nice if this worked in NC 20.

@szaimen
Contributor

szaimen commented Jun 17, 2021

I suppose this is still valid?

@tuxmaster5000

Yes, because the installer of 21.0.3.1 ignores the dbdriveroptions section.
So an install with SSL from the start is not possible. Only after the installer was run is a switch to SSL possible.

@szaimen szaimen added 1. to develop Accepted and waiting to be taken care of and removed 0. Needs triage Pending check for reproducibility or if it fits our roadmap needs info labels Jul 6, 2021
@solracsf solracsf closed this as completed Oct 3, 2022
@szaimen szaimen reopened this Oct 3, 2022
@szaimen szaimen added needs info 0. Needs triage Pending check for reproducibility or if it fits our roadmap and removed 1. to develop Accepted and waiting to be taken care of labels Jan 9, 2023
@rke00

rke00 commented Mar 5, 2023

Hi @szaimen,
the problem occurs even with the latest version, "25.0.4.1", installed via the tar method and using MariaDB 10.11 on Ubuntu 22.04.

@joshtrichards
Member

joshtrichards commented Jun 2, 2023

I think the root of this issue is because the setup process doesn't use the normal db layer.

And the constants being rewritten issue is because the config gets rewritten and their names are lost along the way. That's a mess waiting to happen since a new PHP version could break the constant values (they've already changed before).

Also, that config (which is in our docs and, unfortunately, doesn't say as much) isn't for CREATE USER ... REQUIRE SSL, but for full blown client certificate connections - not just regular SSL sessions. That config is really for a db user created with something like CREATE USER ... REQUIRE SUBJECT '/CN=alice/O=My Dom, Inc./C=US/ST=Oregon/L=Portland' [AND ISSUER ...])

Thus this config is, at best, overkill. I think the reason it works at all is because the db server just ignores (or doesn't ask for) a client cert as long as the user was only created with REQUIRE SSL.

  'dbdriveroptions' => array(
    PDO::MYSQL_ATTR_SSL_KEY => '/etc/xxx',
    PDO::MYSQL_ATTR_SSL_CERT => '/etc/xxx',
    PDO::MYSQL_ATTR_SSL_CA => '/etc/xxx',
    PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => false,
  ),

In theory either of the below should be sufficient for a basic TLS connection:

For a basic TLS connection (TLS encryption but not verification of the server offered cert):

  'dbdriveroptions' => array(
    PDO::MYSQL_ATTR_SSL_CA => '/etc/xxx',
    PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => false,
  ),

The SSL_CA file can be set to anything - as long as it is something - if VERIFY_CERT is false.

For a basic TLS connection with verification of the server offered cert:

  'dbdriveroptions' => array(
    PDO::MYSQL_ATTR_SSL_CA => '/etc/xxx',
  ),

Apparently SSL-based connections to db servers are rare, because I can't find any other bug reports about this. 😄
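As an added example (not Nextcloud's code and not any commenter's), a small PHP audit script for the dbdriveroptions block discussed in this thread: it maps the bare integers that occ leaves behind (1007, 1008, 1009, 1014 above) back to their PDO constant names on the running PHP, flags MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => false as encryption without server authentication, and includes a helper that checks whether a live session actually negotiated a cipher. The config path, DSN and credentials are placeholders you supply.

```php
<?php
// Added example (not Nextcloud code): audit the 'dbdriveroptions' block of a
// config.php and, optionally, confirm that a PDO session really negotiated TLS.
// Assumption: config.php sets $CONFIG the way Nextcloud's config.php does.

/** Map integer keys back to PDO::MYSQL_ATTR_SSL_* names via reflection. */
function pdoSslConstantNames(): array {
    $names = [];
    foreach ((new ReflectionClass('PDO'))->getConstants() as $name => $value) {
        if (strncmp($name, 'MYSQL_ATTR_SSL', 14) === 0 && is_int($value)) {
            $names[$value] = 'PDO::' . $name;
        }
    }
    return $names;
}

/** Return human-readable findings for one dbdriveroptions array. */
function auditDriverOptions(array $opts): array {
    $findings = [];
    $names = pdoSslConstantNames();
    $fileKeys = [PDO::MYSQL_ATTR_SSL_KEY, PDO::MYSQL_ATTR_SSL_CERT, PDO::MYSQL_ATTR_SSL_CA];
    foreach ($opts as $key => $value) {
        $label = $names[$key] ?? "unknown attribute $key";
        // After occ rewrites config.php only the integer survives, and a PDO
        // constant's value is not guaranteed stable across PHP versions.
        $findings[] = "key $key resolves to $label on PHP " . PHP_VERSION;
        if ($key === PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT && $value === false) {
            $findings[] = 'WEAK: server certificate is not verified (encrypted but unauthenticated)';
        }
        if (in_array($key, $fileKeys, true) && is_string($value) && !is_readable($value)) {
            $findings[] = "$label points to an unreadable file: $value";
        }
    }
    return $findings;
}

/** Open a connection with the options and report the negotiated cipher. */
function negotiatedCipher(string $dsn, string $user, string $pass, array $opts): string {
    $pdo = new PDO($dsn, $user, $pass, $opts);
    $row = $pdo->query("SHOW SESSION STATUS LIKE 'Ssl_cipher'")->fetch(PDO::FETCH_ASSOC);
    return $row['Value'] ?? '';   // empty string means the session is NOT encrypted
}

$CONFIG = [];
require $argv[1] ?? '/var/www/nextcloud/config/config.php';  // path is an assumption
foreach (auditDriverOptions($CONFIG['dbdriveroptions'] ?? []) as $finding) {
    echo $finding, PHP_EOL;
}
```

Run it as `php audit.php /path/to/config.php`; against a test database, `negotiatedCipher('mysql:host=127.0.0.1;dbname=db_name', 'user', 'password', $CONFIG['dbdriveroptions'])` returns the cipher name the server negotiated, or an empty string when the session is plaintext.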

@karelkryda

karelkryda commented Sep 22, 2023

It took me a few hours to find this issue and thanks to you solved the broken Nextcloud installation.

I can confirm that this problem is also included in the latest version (27). To solve this, it was enough to temporarily disable require_secure_transport in the MariaDB configuration file. After installation, I turned this option back on and used dbdriveroptions in the Nextcloud configuration file to set the path to the certificates and everything works.
