MySQL validation

[Nikatik]

You have 2 different ways for validate selfsigned certs or certs with unknown issuer.
--root and --unsecure ;-)

But if you use mysql with tls, they are non-working.
too many positional arguments

So, my case.
I have one offline root ca and two intermediate ca_s: first is offline for myself and second for acme clients by step-ca. I issue cert for mysql from first ica, then configure second ica to work with this mysql. Root cert is installed into system and it is root cert for step-ca (second ica). But step-ca can't validate mysql, because certificate signed by unknown authority...

WTF? How can I avoid this trap?

[maraino]

Hi @Nikatik, what commands are you trying?

If it's step certificate verify the most common usage is:

step certificate verify --roots $(step path)/certs/root_ca.crt certificate.crt
# OR
step certificate verify --roots $(step path)/certs/root_ca.crt https://my.ca
# OR
step certificate verify --roots $(step path)/certs/root_ca.crt tcp://mysql:3306

The certificates present in the certificate.crt or given by the servers should include both the server certificate and the intermediate certificate. Without that, it won't be able to build the full chain until the root.

You can also inspect the full chain with step certificate inspect --bundle <file|url> or download it using step certificate inspect --format pem <file|url>, for example:

$ step certificate inspect --bundle https://google.com
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 75959046339453363611227911452581442111 (0x39252e20e18cd90c0a00000000e8323f)
    Signature Algorithm: SHA256-RSA
        Issuer: C=US,O=Google Trust Services LLC,CN=GTS CA 1C3
        Validity
            Not Before: Jun 22 13:37:09 2021 UTC
            Not After : Sep 14 13:37:08 2021 UTC
        Subject: CN=*.google.com
...

[Nikatik]

step-ca /etc/step-ca/config/ca.json --password-file /etc/step-ca/password.txt

I want to use mysql db with tls. So my config was:

...
 "db": {
		"type": "mysql",
		"dataSource": "MyUser:MyPass@tcp([IPv6]:Port)/MyDB?tls=true&"
	},
...

But my database use cert from the same root as the certificate authority (step-ca).

[maraino]

@dopey do you know if we support this?

[maraino]

@Nikatik looking at the code of the MySQL driver, if you use tls=trueit should use the host truststore, so if Go is looking in the same place that the root is installed then I think it should work.

To see which files and directories Go uses on Linux see https://github.com/golang/go/blob/master/src/crypto/x509/root_linux.go

As the last alternative if you cannot get it working you can use tls=skip-verify :(
Take a look at the MySQL driver readme linked above to see if there are more options.

[dopey]

smallstep/nosql#10 -- I remember that another user was able to get tls=true& working.