Secure connection SSL

lok113 · January 12, 2024, 2:43pm

Hi everyone!
I have a Cloud SQL ( MySQL 8.0) in GCP.
I want to use a secure connection - for this, I enabled the SSL
when I try to configure this connection in the metabase I get an error

> Could not connect to address=(host=xx.xxx.xx.xx)(port=3306)(type=master) : (conn=6121) SSL hostname verification failed : IPv4 host "xx.xxx.xx.xx" doesn't correspond to certificate CN "database:staging-mysql8" This verification can be disabled using the option "disableSslHostnameVerification" but won't prevent man-in-the-middle attacks anymore

is there any other way or possibility to connect to my database without using disableSslHostnameVerification=1 key?

Luiggi · January 15, 2024, 12:19pm

yes, try generating a certificate with the correct canonical name

lok113 · January 15, 2024, 3:04pm

Please explain what should be here as a "correct canonical name"?
I can't generate a cert with name like " database:staging-mysql8"

Luiggi · January 17, 2024, 1:31am

the certificate should have the fqdn of the database in order for the certificate not to fail

sgrobins · May 2, 2024, 8:38pm

I am running into the same issue. I am using Google Cloud SQL. When creating the certificate from Google Cloud, there is no option to qualify the name. It just gave me a client-key.pem, client-cert.pem and a server-cs.pem file.

Do you know what I need to do?

lok113 · May 3, 2024, 6:39pm

Hi
I don't know exactly your setup, but let's say that you are using an instance with MB on it and GCP SQL
in MB settings in Additional JDBC connection string options
use next
disableSslHostnameVerification=true&sslca=/folder/server-ca.pem&sslcert=/folder/client-cert.pem&sslkey=/folder/client-key.pem
you need to put these 3 files into your instance
and then lmk if it works

sgrobins · May 3, 2024, 9:19pm

We are using Metabase Cloud connecting to Google Cloud SQL. so there is no where to put the server-ca.pem, client-cert.pem and client-key.pem. I tried putting the values into the section shown here:

But I get the following error when I do:
Could not connect to address=(host=[HIDDEN])(port=3306)(type=master) : (conn=85048) SSL hostname verification failed : IPv4 host "[HIDDEN]" doesn't correspond to certificate CN "[HIDDEN]" and SAN[{DNS:"[HIDDEN]"}] This verification can be disabled using the option "disableSslHostnameVerification" but won't prevent man-in-the-middle attacks anymore

Luiggi · May 3, 2024, 9:58pm

you're running into Metabase can't connect to MySQL with SSL · Issue #9629 · metabase/metabase · GitHub

sgrobins · May 3, 2024, 10:13pm

Thank you. I got it working. I addd the disableSslHostnameVerification=true to the JDBC options. Not perfect, but at least now my database in GCP will only accept SSL connections.

Luiggi · May 3, 2024, 10:19pm

Also, please contact support when you have issues, remember that you get priority support when running on our cloud while the forum is just best effort