Closed aguthrie closed 1 day ago
We were able to get this working by configuring the files this way:
/var/lib/proxysql/proxysql-ca.pem - intermediate CA
/var/lib/proxysql/proxysql-cert.pem - cert
/var/lib/proxysql/proxysql-key.pem - key
i.e. removing the root CA from the ProxySQL files. I'm now able to connect successfully with ssl-mode VERIFY_CA.
A clear description of the issue
We are attempting to use a custom CA + cert + key for frontend SSL. Instead of a single cert, we are using a cert chain with an intermediate cert, but we are unable to establish app -> ProxySQL connections with SSL.
ProxySQL version
ProxySQL version 2.6.3-107-gcdfcfdc, codename Truls
OS version
debian 12 (Docker)
The steps to reproduce the issue
Our cert chain is set up as follows: root CA -> intermediate CA -> cert
I've added the certs to the ProxySQL files as follows:
ProxySQL starts successfully and loads the certs:
However, I'm not able to connect with SSL using mysql:
Switching ssl-mode to REQUIRED works fine, so the issue only occurs with ssl-mode VERIFY_CA.
I believe the issue occurs due to how ProxySQL loads the cert files here: https://github.com/sysown/proxysql/blob/adde80966c11b738d8445673d0c82302a10bf326/src/proxy_tls.cpp#L189-L214
The PEM_read_bio_X509 function only loads a single cert from the file. If the file contains multiple certs (like ours does), it must be called multiple times.
example
The full ProxySQL error log
There are no ProxySQL errors when this occurs, only client errors.
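The single-read behaviour the issue points at, as an added example that is not part of the original issue or of ProxySQL's code: a toy model in Python that contrasts parsing only the first PEM block of a file (what one PEM_read_bio_X509 call yields) with looping over every block, and then checks which layouts of the CA file let a client that trusts only the root complete the chain under VERIFY_CA. The certificates are constructed placeholders (the PEM body is the base64 of "subject;issuer", not a real X.509 certificate), the hostname proxysql.example is made up, and the model assumes the certificates read from the CA file are what the server uses to complete the chain it presents; that is an assumption of the example, not something the issue states.

```python
"""Toy model of reading a PEM bundle one block at a time (as a single
PEM_read_bio_X509 call does) versus looping until the file is exhausted.
The certificates are constructed placeholders: each PEM body is the base64
of "subject;issuer" and is not a real X.509 certificate."""
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def make_cert(subject, issuer):
    """Build a placeholder PEM block; the body only records subject and issuer."""
    body = base64.b64encode(f"{subject};{issuer}".encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def decode_cert(body):
    subject, issuer = base64.b64decode(body).decode().split(";")
    return {"subject": subject, "issuer": issuer}


def read_certs(pem_text, single_read):
    """single_read=True mimics one PEM_read_bio_X509 call: only the first
    block is parsed and the rest of the file is ignored. single_read=False
    mimics calling it in a loop until it returns NULL."""
    blocks = PEM_BLOCK.findall(pem_text)
    if single_read:
        blocks = blocks[:1]
    return [decode_cert(b) for b in blocks]


def chain_to_trusted(leaf, extra_certs, trusted_subjects):
    """Follow issuer links from the leaf through the certs the server
    presented; True if some link is signed by a CA the client trusts."""
    by_subject = {c["subject"]: c for c in extra_certs}
    cur, seen = leaf, set()
    while cur["subject"] not in seen:
        seen.add(cur["subject"])
        if cur["issuer"] in trusted_subjects:
            return True
        cur = by_subject.get(cur["issuer"])
        if cur is None:
            return False
    return False


# Constructed chain matching the issue: root CA -> intermediate CA -> cert.
ROOT = make_cert("Root CA", "Root CA")
INTERMEDIATE = make_cert("Intermediate CA", "Root CA")
LEAF = make_cert("proxysql.example", "Intermediate CA")  # hostname is made up

# The client is given only the root, as with mysql --ssl-ca=root.pem.
CLIENT_TRUST = {"Root CA"}


def verify_ca_outcome(ca_file_text, single_read):
    """Would a VERIFY_CA client accept the chain, given how the server read
    its CA file? Assumes (for this model) that the CA file supplies the
    extra chain certificates the server sends alongside the leaf."""
    leaf = read_certs(LEAF, single_read=True)[0]
    extras = read_certs(ca_file_text, single_read)
    return chain_to_trusted(leaf, extras, CLIENT_TRUST)


if __name__ == "__main__":
    print("root+intermediate, single read:",
          verify_ca_outcome(ROOT + INTERMEDIATE, single_read=True))   # False
    print("root+intermediate, loop read:  ",
          verify_ca_outcome(ROOT + INTERMEDIATE, single_read=False))  # True
    print("intermediate only, single read:",
          verify_ca_outcome(INTERMEDIATE, single_read=True))          # True
```

With a single read, a CA file that lists the root first leaves the intermediate unread, so the client cannot link the leaf to its trusted root and VERIFY_CA fails; looping over every block, or putting only the intermediate in the CA file as the closing comment does, gives the client the missing link. REQUIRED is unaffected in this model because it never checks the chain at all.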