
ProxySQL 2.7.1 not honoring SSL settings


Dwayne Rightler

Nov 10, 2024, 8:34:42 PM
to proxysql
I configured ProxySQL to point to existing ca/cert/key paths, and it still used the self-signed certificate. I tried to stop proxysql, remove the self-signed certificate files, and restart proxysql, but it just created a new self-signed certificate and used it. My workaround was to symlink the proxysql-ca.pem, proxysql-cert.pem, and proxysql-key.pem to the real certificates. After that, proxysql presented the real certificate. I have confirmed that the global variables for mysql-ssl_p2s_ca, mysql-ssl_p2s_cert, and mysql-ssl_p2s_key are set in both runtime and memory. Any ideas?

René Cannaò

Nov 10, 2024, 11:42:27 PM
to Dwayne Rightler, proxysql
Hi Dwayne,

Thank you for your interest in ProxySQL.

Because you mention mysql-ssl_p2s_ca, mysql-ssl_p2s_cert, and mysql-ssl_p2s_key variables, I would assume you are confusing certificates that ProxySQL uses to connect to backends (mysql-ssl_p2s_ca, mysql-ssl_p2s_cert, and mysql-ssl_p2s_key: "p2s" is a shortcut for "proxysql to server") with the certificates that ProxySQL uses when clients connect to ProxySQL (proxysql-ca.pem, proxysql-cert.pem, and proxysql-key.pem in the datadir).

Variables mysql-ssl_p2s_ca, mysql-ssl_p2s_cert, and mysql-ssl_p2s_key (and others!) can be modified to specify paths for various certificates that ProxySQL will use to connect to MySQL backends.
The paths for the certificates proxysql-ca.pem, proxysql-cert.pem, and proxysql-key.pem in the datadir cannot be configured.

I hope this helps you.

Thanks,
René


Dwayne Rightler

Nov 10, 2024, 11:46:07 PM
to René Cannaò, proxysql
Interesting. So my solution to create symlinks was a valid method in order to use a custom cert for front end connections. This is good to know. Thanks for the explanation!

René Cannaò

Nov 10, 2024, 11:56:05 PM
to Dwayne Rightler, proxysql
Hi Dwayne,

"So my solution to create symlinks was a valid method in order to use a custom cert for front end connections."
Yes, but I would like to highlight some details.
Using symlinks is a valid method in order to use custom certificates, but there is really no need to use symlinks: you can just place the files in the datadir with the correct names and correct permissions. ProxySQL even allows reloading these certificates with the PROXYSQL RELOAD TLS command without the need for a restart.
Nonetheless, you may want to have distinct certs/keys between the clients and proxysql, and between proxysql and the backends.

Please also note that starting with ProxySQL version 2.6.0 we also support unique certificates for each individual backend, configurable in mysql_servers_ssl_params: https://proxysql.com/documentation/main-runtime/#mysql_servers_ssl_params

Thanks,
René
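
The approach described in this thread (placing the frontend certificate files in the datadir under the fixed names, then reloading), as an added example that is not part of the original posts or ProxySQL's own code. The function names, the file modes (0600 for the key, 0644 for the others) and the certificate/key match check are assumptions of this example; the file names and the `PROXYSQL RELOAD TLS` command come from the thread.

```bash
#!/usr/bin/env bash
# Added example, not ProxySQL project code. Frontend (client -> ProxySQL) TLS
# files are read from fixed names in the datadir; the mysql-ssl_p2s_* variables
# only affect ProxySQL -> backend connections.

# Succeeds only if the certificate and the private key carry the same public key.
cert_matches_key() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Usage: install_frontend_tls CA_FILE CERT_FILE KEY_FILE DATADIR
install_frontend_tls() {
  local ca=$1 cert=$2 key=$3 datadir=$4 f
  for f in "$ca" "$cert" "$key"; do
    [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
  done
  [ -d "$datadir" ] || { echo "no such datadir: $datadir" >&2; return 1; }

  # Validate before touching the datadir, so a bad pair never replaces
  # files that are currently working.
  cert_matches_key "$cert" "$key" || {
    echo "certificate and key do not match" >&2; return 1; }

  # Assumed modes: private key readable by its owner only. Run this as the
  # account that runs ProxySQL, or fix ownership afterwards.
  install -m 0644 "$ca"   "$datadir/proxysql-ca.pem"   || return 1
  install -m 0644 "$cert" "$datadir/proxysql-cert.pem" || return 1
  install -m 0600 "$key"  "$datadir/proxysql-key.pem"  || return 1

  echo "Installed. Run PROXYSQL RELOAD TLS on the admin interface to load them."
}

# Run directly: ./script.sh ca.pem cert.pem key.pem /path/to/datadir
if [ "$#" -eq 4 ]; then install_frontend_tls "$@"; fi
```

Copying rather than symlinking gives the frontend its own files, which fits the advice above to keep client-facing and backend-facing certificates distinct.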