I have an issue with SSL connection for phpmyadmin and mysql.
The domain has been provided via my ISP, unrelated to Let's Encrypt in any way except that I use CertBot to establish a SSL connection with my services.
- Im running Ubuntu Server 23.10 in a VirtualBox.
- I use Nginx for hosting a https website
- I have installed php8.2-fpm to properly configure nginx with phpmyadmin
- I have generated my certificates via Certbot (v2.7.4)
- I tried using LE's root CAs to authenticate pma with my server, sadly to no results.
If the domain name is needed, I will provide it in the next message.
All configs (PMA, MySQL): /etc/mysql/mysql.conf.d/mysqld.cnf · paste.gg
I am not sure this forum is the best place for your query. Can you describe more details about what the "issue" and what "sadly no results" means?
Because it looks to me like SSL is not enabled. Looking at your imgur link I see MySQL saying "SSL is not being used". This is repeated in the PMA Server Info.
This seems more a question to ask on a MySQL forum or similar.
A warning to other volunteers is the imgur link is flooded with ads. I am glad I used my VM sandbox to look at it
Hmm, never had any issues with ads on imgur even when creating the link.
In any case the connection cannot be established due to some issue with certificate most likely. This is the right forum to ask for such issues.
The issue is that LE certs dont want to work with PMA and Mysql for some reason.
All the related info is in the imgur link due to the forum's embed limit for new users.
This is the forum to ensure you can get and renew your cert.
[which it sounds like you are already able to do]
How a cert is used varies plenty.
And if you switch your LE cert for someone else's cert...
Wouldn't you still have this exact same problem?
If so, then it has nothing to do with the cert.
There are other Free ACME Certificate Authorities to choose from
Based on the information provided, I can only assume this is your first-time using SSL with MySQL.
If not, please let me know how you managed to get it going previously.
If it is your first time, what guide are you following?
My only advice (so far) is for you to use:
[from what I saw, you are only using two of those settings]
Sorry, one more piece of advice: Ensure that your certificate type can be handled by MySQL.
[Note: There are two types of certs - RSA and ECDSA]
You're right, its my first time. Im following the mysql guide for connecting ssl to it
Yeah here comes the real problem.
Where can I get the
ca certificate for
ssl_ca field? LE's Root CA doesn't seem to work with mysql/pma.
I guess I need to take some additional steps for it to work.
I also don't know what
ssl_cipher is supposed to be.
My cert type is ECDSA I guess (its not RSA due to its header and inability to verify RSA cert with cert as input)
Try reissuing an RSA cert and using that one instead.
We're all looking at the server side currently, but why not look at the client for a change?
@xTracer What error do you get when you use
mysql --ssl-mode=REQUIRED as the client?
Sorry for that nooby question but... how can I issue a RSA cert instead of the ECDSA one from Certbot?
When I require ssl connection from server via
require_secure_transport=ON, then this error pops up
From: User Guide — Certbot 2.7.0.dev0 documentation (eff-certbot.readthedocs.io)
I'd use both [to be sure], add:
--key-type rsa --rsa-key-size 2048
Adding a default value, "just to be sure"?
Anyway, your MySQL daemon should also have something to say about the failing TLS/SSL I'm hoping.
[ERROR] [MY-000059] [Server] SSL error: Unable to get certificate from '/etc/letsencrypt/live/mydomain/fullchain.pem
[Warning] [MY-013595] [Server] Failed to initialize TLS for channel: mysql_main. See below for the description of exact issue.
[Warning] [MY-010069] [Server] Failed to set up SSL because of the following SSL library error: Unable to get certificate
[Warning] [MY-011302] [Server] Plugin mysqlx reported: 'Failed at SSL configuration: "SSL context is not usable without certificate and private key"'
Sadly, it did not change anything. It is still not considered a RSA certificate
What was the full command that you ran?
sudo certbot certificates
certbot --key-type rsa --rsa-key-size 2048