M.tt
January 24, 2021, 9:42am
1
I'm facing the following error when I try to add a MySQL v8 database that requires SSL:
Could not connect to address=(host=xx.xx.xx.xx)(port=3306)(type=master) : Could not connect to xx.xx.xx.xx:3306 : PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
The option "Use a secure connection (SSL)?" is ON.
Additional JDBC connection string options:
mysql -u dashboard -pxxxx --ssl-ca=/mysql_certs/ca.pem --ssl-cert=/mysql_certs/client-cert.pem --ssl-key=/mysql_certs/client-key.pem
flamber
January 24, 2021, 11:45am
2
Hi @M.tt
That’s incorrect usage of JDBC connection string options - you are inserting a command.
For reference: https://dev.mysql.com/doc/connector-j/8.0/en/connector-j-reference-jdbc-url-format.html
You would probably have to use a Java TrustStore or KeyStore.
For reference: https://dev.mysql.com/doc/connector-j/8.0/en/connector-j-reference-using-ssl.html
There’s a request open to add this functionality in Metabase:
https://github.com/metabase/metabase/issues/1350 - upvote by clicking on the first post
M.tt
January 25, 2021, 5:51am
3
@flamber Thank you for your support. I have done the following.
keytool -importcert -alias MySQLCACert -file ca.pem -keystore truststore -storepass Jka#i&1
openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem -name "mysqlclient" -passout pass:Jka#i&1 -out client-keystore.p12
keytool -importkeystore -srckeystore client-keystore.p12 -srcstoretype pkcs12 -srcstorepass Jka#i&1 -destkeystore keystore -deststoretype JKS -deststorepass Jka#i&1
Additional JDBC connection string options:
clientCertificateKeyStoreUrl=file: /mysql_certs/ clientCertificateKeyStorePassword= Jka#i&1
I still got an error. Do I have something missing, or is my connection string incorrect?
flamber
January 25, 2021, 10:32am
4
@M.tt You have spaces in your connection string, so that will not work, and you are not referencing the KeyStore - that’s a directory.
M.tt
January 25, 2021, 12:21pm
5
@flamber I also tried to reference the KeyStore, but same thing. What should I replace the space with? What is the right syntax?
flamber
January 25, 2021, 12:28pm
6
@M.tt No spaces and probably avoid using special characters in the password - something like this:
clientCertificateKeyStoreUrl=file:/mysql_certs/keystore&clientCertificateKeyStorePassword=mypassword
M.tt
January 25, 2021, 1:01pm
7
@flamber I deleted them & regenerated them with password “mypassword”; same error.
error:
Could not connect to address=(host=xx.xx.xx.xx)(port=3306)(type=master) : Could not connect to xx.xx.xx.xx:3306 : PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
@M.tt
I don’t know where you are placing the KeyStore, but you are referencing it to /mysql_certs/keystore
If you update the built-in KeyStore, then you don’t need to reference anything, since Java will read that:
https://www.digitalocean.com/community/tutorials/java-keytool-essentials-working-with-java-keystores
M.tt
January 26, 2021, 6:58am
9
Yes, the path /mysql_certs/keystore is correct.
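The checks raised in posts 4 and 6 (no spaces, a store file rather than a directory, no raw special characters), plus whether a truststore is referenced at all, written as an added example that is not code from the thread, Metabase or Connector/J. The function name is hypothetical, the property names are Connector/J 8.0's, and the /mysql_certs/truststore path is an assumption.

```python
# Added example: lint a Metabase "Additional JDBC connection string options"
# value for the Connector/J TLS store properties discussed in this thread.
STORES = {  # store URL property -> matching password property (Connector/J 8.0)
    "trustCertificateKeyStoreUrl": "trustCertificateKeyStorePassword",
    "clientCertificateKeyStoreUrl": "clientCertificateKeyStorePassword",
}

def lint_jdbc_options(options):
    """Return {code: message} for each problem found (hypothetical helper)."""
    found = {}
    if any(ch.isspace() for ch in options):
        found["whitespace"] = "options contain whitespace; join properties with '&' only"
    props = {}
    for part in options.split("&"):
        key, sep, value = part.strip().partition("=")
        if not key:
            continue
        if not sep:  # e.g. the tail of a password that contained a raw '&'
            found["unkeyed-fragment"] = f"{key!r} has no '='; a raw '&' inside a value splits it"
            continue
        if "#" in value:
            found["hash-in-value"] = f"{key}: '#' must be percent-encoded as %23"
        props[key.strip()] = value.strip()
    for url_prop, pw_prop in STORES.items():
        if url_prop not in props:
            continue
        if props[url_prop].endswith("/"):
            found["store-is-directory"] = f"{url_prop} points at a directory, not a store file"
        if pw_prop not in props:
            found["missing-password"] = f"{url_prop} is set without {pw_prop}"
    if "trustCertificateKeyStoreUrl" not in props:
        found["no-truststore"] = ("no trustCertificateKeyStoreUrl: the server certificate is "
                                  "checked against the JVM default trust store only")
    return found

# Constructed inputs: the strings from posts 3 and 6, plus one that also
# references a truststore at an assumed path /mysql_certs/truststore.
POST_3 = "clientCertificateKeyStoreUrl=file: /mysql_certs/ clientCertificateKeyStorePassword= Jka#i&1"
POST_6 = "clientCertificateKeyStoreUrl=file:/mysql_certs/keystore&clientCertificateKeyStorePassword=mypassword"
BOTH = ("trustCertificateKeyStoreUrl=file:/mysql_certs/truststore"
        "&trustCertificateKeyStorePassword=mypassword&" + POST_6)

if __name__ == "__main__":
    for name, opts in [("post 3", POST_3), ("post 6", POST_6), ("both stores", BOTH)]:
        print(name, "->", sorted(lint_jdbc_options(opts)) or "no findings")
```

The `no-truststore` finding is informational: it does not apply when the CA has been imported into the JVM's built-in store, as post 8 suggests.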