Do not use letsencrypt's certs on phpMyAdmin, use MariaDB certs instead

[php - Problem with the phpMyAdmin ssl configuration - Stack Overflow] - [phpMyAdmin with SSL (HTTPS and mysql client) on Nginx - Server Fault]
My Issue: Problem with the phpMyAdmin ssl configuration - phpMyAdmin with SSL (HTTPS and MariaDB client) on Apache - FreeBSD 12.2
You don't set an SSL certificate for phpMyAdmin for HTTPS - it is a web app - not a web server. Apache stores the certificates and terminates/unwraps the SSL.
The HTTPS session you are using is between your PC and Apache - it is nothing to do with phpMyAdmin. Your phpMyAdmin vhost is using whatever certificate you defined in Apache.
HTTPS != SSL insofar as phpMyAdmin's configuration is concerned.
The setting you referred to is specifically for an SSL connection between phpMyAdmin and MySQL - which, if it is on localhost, isn't all too relevant anyway.
This means that I should not use the letsencrypt certificates - I must use MariaDB certificates.
Solved: when creating the certs in openssl, the "server FQDN" must be: "MariaDB admin" - "real server FQDN" - "MariaDB user". Then I can log in to phpMyAdmin with "ssl_verify = true" without issues.
https://www.cyberciti.biz/faq/how-to-setup-mariadb-ssl-and-secure-connections-from-clients/ - This was my guide, with some adjustments.

1 Like

Could you please clarify what "MariaDB certs" actually are?

Also, why use those certs anyway, if MariaDB is running on localhost? My own MySQL has skip-networking enabled and all clients on localhost use sockets to connect to it..

2 Likes

I think he wants to use "secure connections for client and server"

2 Likes

I still have a hard time determining what really the issue is or was.. The rather unstructured OP talks about certs for phpMyAdmin, which are handled in Apache indeed. No real issue there as that's just plain and simple.

However, the thread title contains a rather strange "conclusion". It doesn't mention Apache with regard to phpMyAdmin, but mentions those "MariaDB certs" in the same sentence. Which is, IMHO very confusing, also to future readers which might come across this title when searching for example.

So I'd like to know more of the background from @wmoreno3 about this before I make assumptions if I'd choose to change the thread title.

3 Likes

I will try to clarify - I spent a lot of time trying to get phpMyAdmin ready with MariaDB on FreeBSD 12.2. In order to get no errors in phpMyAdmin "Server connection: SSL is used", I found a lot of users tried to set cert.pem and privkey.pem from letsencrypt for the client --> server connection, and an openssl CA for ca-cert.pem, because the phpMyAdmin script config couldn't read "chain.pem" from letsencrypt. The issue is to configure phpMyAdmin with letsencrypt certs indeed: "Creating SSL Certificates and Keys Using openssl"


1 Like

I'm still confused @wmoreno3, because I still have the feeling you're still mixing two distinct connection phases together. Or at least I'm not really able to pull them apart.

There are two connections in the scenario where a webbrowser is used to view a SQL database:

  • Between the webbrowser of the user and (in this case) Apache, the webserver running PHP with the app phpMyAdmin;
  • Between the PHP SQL client and the MariaDB SQL server.

For the FIRST one, Let's Encrypt is obviously a good choice, as it's publicly recognised in all major webbrowsers and can be configured in your webserver Apache.

The second one is a whole different story: if the SQL client and SQL server are running on the same machine, a secure connection is useless. If that's not the case and a secure connection is desirable, it's best to generate a private CA with e.g. OpenSSL, as the SQL client as well as the SQL server are under the user's own control. Let's Encrypt usually does not play a role in this part whatsoever.

Why am I still confused by your post? Well, for example:

I'm not sure if that phpMyAdmin message is a good thing or if it's an error mentioned earlier in that sentence, as it doesn't really look like an error message.

Which client --> server connection? From webbrowser to webserver? Or from PHP to MariaDB? See my narrative above.

I'm not sure what to think of this and what the relation with the issue is. I genuinely don't understand what's meant by this.

Here you're mentioning "letsencrypt certs" and "creating certs/keys using openssl" in the same sentence, which is highly confusing to me. You can't generate Let's Encrypt certificates with just OpenSSL. Especially within this discussion, OpenSSL is mainly used for generating a private CA with private, self-signed certificates and not publicly trusted Let's Encrypt certificates for use between PHP and MariaDB.

2 Likes
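The private CA described above for the PHP to MariaDB connection, as an added example that is not part of any post in this thread. It uses the Common Names from the opening post ("MariaDB admin" for the CA, the server FQDN for the server, "MariaDB user" for the client); `db.example.internal` and the function names are constructed placeholders.

```shell
#!/bin/sh
# Added example: private CA for the phpMyAdmin (PHP) -> MariaDB connection.
# DB_FQDN is a constructed placeholder; use the name phpMyAdmin connects to.
DB_FQDN="db.example.internal"

# issue_cert <basename> <common name> <serial>: key + CSR, signed by the CA.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1-key.pem" \
        -subj "/CN=$2" -out "$1-req.pem" 2>/dev/null &&
    openssl x509 -req -in "$1-req.pem" -days 365 -CA ca-cert.pem \
        -CAkey ca-key.pem -set_serial "$3" -out "$1-cert.pem" 2>/dev/null
}

# make_mariadb_pki <dir>: CA, server and client certs, each with its own CN.
# The CA's CN must differ from the server and client CNs, otherwise the
# leaf certificates look self-signed and verification fails.
make_mariadb_pki() (
    mkdir -p "$1" && cd "$1" || exit 1
    openssl genrsa -out ca-key.pem 2048 2>/dev/null
    openssl req -new -x509 -nodes -days 365 -key ca-key.pem \
        -subj "/CN=MariaDB admin" -out ca-cert.pem
    issue_cert server "$DB_FQDN" 01
    issue_cert client "MariaDB user" 02
    chmod 600 ca-key.pem server-key.pem client-key.pem
)

# verify_chain <dir>: both leaf certs must chain to the private CA.
verify_chain() {
    openssl verify -CAfile "$1/ca-cert.pem" \
        "$1/server-cert.pem" "$1/client-cert.pem" >/dev/null 2>&1
}

# cn_matches <cert> <host>: the hostname check a verifying client performs.
cn_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}
```

phpMyAdmin's `ssl_ca` setting then points at `ca-cert.pem`, and `ssl_verify = true` only succeeds when the host name phpMyAdmin connects to is the name in the server certificate, which is what `cn_matches` checks.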

Welcome to the Let's Encrypt Community, William

To supplement what @Osiris has mentioned, I'll try to provide some context.

A Let's Encrypt certificate serves only one purpose: to map a public key to a particular set of (sub)domain names.

Hence, the only thing that should be presenting a Let's Encrypt certificate (to a client of some kind, like a web browser) is a server responding to a request made to a (sub)domain name listed in the certificate.

A Let's Encrypt certificate should not be used simply when a TLS/SSL certificate is needed for some purpose. The value of a Let's Encrypt certificate (or any certificate from a publicly trusted CA for that matter) is that Let's Encrypt (or whatever CA issued the certificate) will vouch for the mapping of the public key in the certificate to the (sub)domain names listed in the certificate as well as indicate if the certificate has been revoked. If the way you are trying to use a Let's Encrypt certificate is not for this purpose, you are likely using the wrong certificate for the job.

4 Likes
