14

I am attempting to write a PHP script (hosted on a VPS with GoDaddy) that connects to a remote MySQL database (hosted on an Amazon EC2 instance) using SSL.

I generated some certs (as per http://dev.mysql.com/doc/refman/5.0/en/creating-ssl-certs.html) and configured my.cnf on the remote/server database like so:

[mysqld]
ssl-ca      =/etc/mysql/ca-cert.pem
ssl-cert    =/etc/mysql/server-cert.pem
ssl-key     =/etc/mysql/server-key.pem

[client]
ssl-ca      =/etc/mysql/ca-cert.pem
ssl-cert    =/etc/mysql/client-cert.pem
ssl-key     =/etc/mysql/client-key.pem

The configuration is working on the remote/server side (that is, a php script running locally to the remote database is able to establish a connection using the generated SSL certs).

However, while I can make an unsecured connection between the PHP script hosted on the VPS and the remote database, I get an error when I try to establish an SSL connection between the same two systems.

If I attempt to connect to the remote database via the command line using:

mysql -h hostIP --ssl-ca=ca-cert.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem -u ssluser -p

I get the error:

ERROR 2026 (HY000): SSL connection error: Unable to get private key

I get the same error when I attempt to connect to the server via the php script using:

<?php
 // connection parameters (placeholder values; the original post does not show them)
 $host   = 'hostIP';
 $user   = 'ssluser';
 $pass   = 'password';
 $schema = 'dbname';

 $link = mysqli_init();

 // client key, client certificate and CA certificate used for the TLS handshake
 $key    = '/home/userName/etc/mysql/certs/client-key.pem';
 $cert   = '/home/userName/etc/mysql/certs/client-cert.pem';
 $ca     = '/home/userName/etc/mysql/certs/ca-cert.pem';
 $capath = NULL;
 $cipher = NULL;

 mysqli_ssl_set($link, $key, $cert, $ca, $capath, $cipher);
 if (!mysqli_real_connect($link, $host, $user, $pass, $schema, 3306, NULL, MYSQLI_CLIENT_SSL)) {
     // surfaces the (HY000/2026) error below instead of relying on a PHP warning
     die('Connect failed: ' . mysqli_connect_errno() . ' ' . mysqli_connect_error());
 }
?>

results in the error:

(HY000/2026): SSL connection error: Unable to get private key

I have already attempted a fix as per (forums.mysql.com/read.php?11,400856,401127), but making this change results in a "Segmentation fault".

Is there a step that I've missed? What am I doing wrong?

5 Answers

10

RESOLVED:

removed the client-key.pem passphrase using

openssl rsa -in client-key.pem -out client-key2.pem

as per the instructions at this website.

I changed

$key   = '/home/userName/etc/mysql/certs/client-key2.pem' ; 

and

mysql -h hostIP --ssl-ca=ca-cert.pem --ssl-cert=client-cert.pem --ssl-key=client-key2.pem -u ssluser -p

but not

[client]
ssl-key     =/etc/mysql/client-key.pem

3 Comments

I think the first command should have as an output client-key2.pem with a dash, not an underscore.
You can convert the original key in-place: openssl rsa -in client-key.pem -out client-key.pem
As at OpenSSL 1.0.2k 26 Jan 2017, this command demands a password and won't complete without it.
3

In my case, the owner of server-key.pem was root and not mysql.

Comments

2

For me the key needed to be converted to full rsa format, not just changing the headers:

openssl rsa -in client.key -out client.key.rsa

Thanks to Velkan over on dba exchange for that answer.

Comments

2

'openssl genrsa' generates key in PKCS #1 format:

-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

While 'openssl pkey' or 'openssl req -newkey ...' generate it in PKCS #8 format:

-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----

And MySQL Server expects PKCS #1 format.

Adding RSA after BEGIN and END solved the issue for me.

Check the MySQL forum link for details.

Comments

0

This error also occurs when you pass the SSL CA file as the SSL key file in MySQL.

Comments
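Added example, not code from any of the answers above: a POSIX shell check that classifies a PEM file the way the MySQL client will treat it as --ssl-key, covering the causes raised in this thread (passphrase-protected key, PKCS #8 "BEGIN PRIVATE KEY" header, the CA certificate handed in as the key, and a file the process cannot read), and converts with the same openssl rsa step the accepted answer uses. The function names and the KEY_PASS variable are my own; the sample PEM bodies are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Classify a PEM file the way the MySQL client sees it when handed as --ssl-key.
# Prints: pkcs1 | pkcs8 | encrypted | certificate | unreadable | unknown
# Exit status is 0 only for the form MySQL accepts (unencrypted PKCS#1).
classify_mysql_key() {
    key="$1"
    [ -r "$key" ] || { echo unreadable; return 1; }   # wrong owner/mode (root vs mysql)
    if grep -q 'ENCRYPTED' "$key"; then
        # "Proc-Type: 4,ENCRYPTED" (PKCS#1) or "BEGIN ENCRYPTED PRIVATE KEY" (PKCS#8):
        # the client cannot prompt for a passphrase -> "Unable to get private key"
        echo encrypted; return 1
    elif grep -q 'BEGIN CERTIFICATE' "$key"; then
        echo certificate; return 1                     # ca-cert.pem passed where the key belongs
    elif grep -q 'BEGIN RSA PRIVATE KEY' "$key"; then
        echo pkcs1; return 0
    elif grep -q 'BEGIN PRIVATE KEY' "$key"; then
        echo pkcs8; return 1                           # needs real re-encoding, not a header edit
    fi
    echo unknown; return 1
}

# Write an unencrypted PKCS#1 copy to "$2" (the thread's "openssl rsa -in ... -out" step),
# only for inputs that are actually private keys. Needs the openssl CLI for the
# pkcs8/encrypted cases; a passphrase may be supplied in KEY_PASS (assumed variable
# name) so the conversion does not stop at an interactive prompt.
convert_mysql_key() {
    src="$1"; dst="$2"
    case "$(classify_mysql_key "$src")" in
        pkcs1) cp "$src" "$dst" ;;
        pkcs8|encrypted)
            if [ -n "${KEY_PASS:-}" ]; then
                KEY_PASS="$KEY_PASS" openssl rsa -in "$src" -passin env:KEY_PASS -out "$dst"
            else
                openssl rsa -in "$src" -out "$dst"
            fi ;;
        *) echo "refusing: $src is not a usable private key" >&2; return 1 ;;
    esac && chmod 600 "$dst"
}

# Constructed stub PEM files (placeholder bodies, not real keys) covering each case above.
make_sample_pems() {
    dir="$1"; mkdir -p "$dir"
    printf -- '-----BEGIN RSA PRIVATE KEY-----\nMIIBplaceholder\n-----END RSA PRIVATE KEY-----\n' > "$dir/pkcs1.pem"
    printf -- '-----BEGIN PRIVATE KEY-----\nMIIEplaceholder\n-----END PRIVATE KEY-----\n' > "$dir/pkcs8.pem"
    printf -- '-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00\n\nplaceholder\n-----END RSA PRIVATE KEY-----\n' > "$dir/encrypted.pem"
    printf -- '-----BEGIN CERTIFICATE-----\nMIICplaceholder\n-----END CERTIFICATE-----\n' > "$dir/ca-cert.pem"
}
```

Run `classify_mysql_key` against the file named in your [client] section or $key before blaming the server; a non-zero status names the thread's cause directly.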
