sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I'm facing the following error when I try to add a MySQL v8 database that requires SSL

Could not connect to address=(host=xx.xx.xx.xx)(port=3306)(type=master) : Could not connect to xx.xx.xx.xx:3306 : PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

option Use a secure connection (SSL)? is ON

Additional JDBC connection string options:
mysql -u dashboard -pxxxx --ssl-ca=/mysql_certs/ca.pem --ssl-cert=/mysql_certs/client-cert.pem --ssl-key=/mysql_certs/client-key.pem

Hi @M.tt

That’s incorrect usage of JDBC connection string options - you are inserting a command.
For reference: https://dev.mysql.com/doc/connector-j/8.0/en/connector-j-reference-jdbc-url-format.html

You would probably have to use a Java TrustStore or KeyStore.
For reference: https://dev.mysql.com/doc/connector-j/8.0/en/connector-j-reference-using-ssl.html

There’s a request open to add this functionality in Metabase:
https://github.com/metabase/metabase/issues/1350 - upvote by clicking 👍 on the first post

@flamber Thank you for your support. I have done the following.

keytool -importcert -alias MySQLCACert -file ca.pem -keystore truststore -storepass 'Jka#i&1'

openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem -name "mysqlclient" -passout 'pass:Jka#i&1' -out client-keystore.p12

keytool -importkeystore -srckeystore client-keystore.p12 -srcstoretype pkcs12 -srcstorepass 'Jka#i&1' -destkeystore keystore -deststoretype JKS -deststorepass 'Jka#i&1'

Additional JDBC connection string options:
clientCertificateKeyStoreUrl=file: /mysql_certs/ clientCertificateKeyStorePassword= Jka#i&1

Still got an error. Do I have something missing, or is my connection string incorrect?

@M.tt You have spaces in your connection string, so that will not work, and you are not referencing the KeyStore - that’s a directory.

@flamber I also tried to reference the KeyStore but same thing. What should I replace the space with? What is the right syntax?

@M.tt No spaces and probably avoid using special characters in the password - something like this:

clientCertificateKeyStoreUrl=file:/mysql_certs/keystore&clientCertificateKeyStorePassword=mypassword
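
Added example, not part of the thread: a small shell lint for the "Additional JDBC connection string options" value that applies the checks raised in the replies above (no whitespace, every `&`-separated item is `key=value`, the KeyStore URL names a file rather than a directory, no special characters in the password). The function name `lint_jdbc_options` and the temporary sample keystore are assumptions made for the example.

```shell
#!/bin/sh
# Prints one line per finding; returns 0 when the string is clean, 1 otherwise.
lint_jdbc_options() {
    opts=$1
    findings=0
    note() { printf 'FINDING: %s\n' "$1"; findings=$((findings + 1)); }

    # Any whitespace means the value is not a usable option list.
    case $opts in
        *[[:space:]]*) note "options string contains whitespace" ;;
    esac

    # Split on '&' only, with globbing off, then restore the shell state.
    old_ifs=$IFS; IFS='&'; set -f
    set -- $opts
    IFS=$old_ifs; set +f

    for pair in "$@"; do
        case $pair in
            *=*) key=${pair%%=*}; value=${pair#*=} ;;
            *)   note "'$pair' is not key=value (unencoded '&' inside a value?)"
                 continue ;;
        esac
        case $key in
            *KeyStoreUrl)
                # The URL must name the keystore file itself, not its directory.
                path=${value#file:}
                [ -f "$path" ] || note "$key: '$path' is not a regular file" ;;
            *Password)
                case $value in
                    *[!A-Za-z0-9]*) note "$key: value contains special characters" ;;
                esac ;;
        esac
    done

    [ "$findings" -eq 0 ]
}

# Constructed sample: an empty placeholder file stands in for the keystore.
demo_dir=$(mktemp -d)
: > "$demo_dir/keystore"
# The string from the thread that failed (spaces, directory, '&' in the password).
lint_jdbc_options "clientCertificateKeyStoreUrl=file: /mysql_certs/ clientCertificateKeyStorePassword= Jka#i&1" || true
# Same shape as the corrected string, pointed at the sample file.
lint_jdbc_options "clientCertificateKeyStoreUrl=file:$demo_dir/keystore&clientCertificateKeyStorePassword=mypassword" && echo "clean"
rm -rf "$demo_dir"
```

The lint only checks the shape of the string and that the file exists on the machine where it runs; it does not open the keystore or contact the database.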

@flamber I deleted them & regenerated them with password “mypassword”; same error.

error:
Could not connect to address=(host=xx.xx.xx.xx)(port=3306)(type=master) : Could not connect to xx.xx.xx.xx:3306 : PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

@M.tt
I don’t know where you are placing the KeyStore, but you are referencing it to /mysql_certs/keystore
If you update the built-in KeyStore, then you don’t need to reference anything, since Java will read that:
https://www.digitalocean.com/community/tutorials/java-keytool-essentials-working-with-java-keystores

Yes, path /mysql_certs/keystore is correct.