Front end SSL configuration


James O'Brien

Apr 23, 2025, 12:24:48 PM
to proxysql
Hello,
I am struggling to configure ProxySQL to use SSL for front end connections with any files other than the self-signed certs generated by ProxySQL when mysql-have-ssl=true.

I have a 3 node ProxySQL cluster using SSL to an AWS RDS MySQL. In front of ProxySQL is an AWS Network Load Balancer, fronted by a DNS CName.

The cname is on a domain for which we have a wildcard cert, ca and key.

Using the ProxySQL-generated SSL files, copied to all 3 nodes, I can connect through the load balancer with the mysql client and --ssl_mode=verify_ca --ssl_ca=/path/proxysql-ca.pem

Replacing the proxysql-ca.pem, proxysql-key.pem and proxysql-cert.pem files with our own cert files (which are used elsewhere perfectly fine), and restarting ProxySQL or reloading TLS, only results in error:0A000086:SSL routines::certificate verify failed
It doesn't work even when connecting directly to the ProxySQL nodes, using the same files the Proxy apparently loaded.

Is there any way to check that ProxySQL has loaded the SSL files other than the log entry:
[INFO] SSL keys/certificates found in datadir (/var/lib/proxysql): loading them.

I also recall seeing a problem regarding ProxySQL not loading certificate bundles correctly, and only reading the first cert?

I have to admit, I've struggled with this and posting here is the last roll of the dice. It's the final part of the config; everything else works fantastically and the business wants to move to ProxySQL, but we can't use it if we can't use SSL front and back. I really didn't expect to have such a time configuring SSL, a pretty standard part of any setup. I just hope I've done something silly.

Here's hoping,

James.
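James asks whether there is any way, beyond the "SSL keys/certificates found in datadir" log line, to check what ProxySQL has actually loaded. The script below is an added example; it is not code from this thread or from the ProxySQL project. It assumes the datadir layout named in the post (/var/lib/proxysql with proxysql-ca.pem, proxysql-cert.pem and proxysql-key.pem) and ProxySQL's default front-end port 6033. The throwaway CA and leaf it builds under make_test_pki are constructed test material standing in for the wildcard cert, key and CA described above. The three offline checks separate "these files are wrong" from "ProxySQL did not load them", and probe_frontend shows the certificate the proxy really presents, which is what the mysql client is rejecting with "certificate verify failed".

```shell
#!/bin/sh
# Added example, not code from the ProxySQL project or from this thread.
# Checks on the three PEM files ProxySQL reads from its datadir
# (proxysql-ca.pem, proxysql-cert.pem, proxysql-key.pem) and a probe of what
# the front end actually serves. 6033 is ProxySQL's default MySQL port.
set -eu

# Number of PEM certificate blocks in a file. A server cert file carrying a
# chain (leaf followed by intermediates) reports more than one; if the leaf is
# not the first block, a reader that only takes the first block gets the
# wrong certificate.
count_certs() {
  grep -c '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# Does the private key belong to the server certificate? Comparing the
# exported public keys works for RSA and EC keys alike.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null || true)
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null || true)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Does the server certificate chain up to the CA file that clients will be
# given with --ssl-ca? This is the check the mysql client performs at
# --ssl-mode=VERIFY_CA, so if it fails here it fails there too.
cert_verifies_against_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# What does the proxy really present after a restart or TLS reload?
# OpenSSL 1.1.1+ can speak enough of the MySQL handshake to start TLS
# (-starttls mysql). Prints the verify result and the served leaf's
# subject, issuer and validity. Usage: probe_frontend <host> <ca.pem> [port]
probe_frontend() {
  host=$1; ca=$2; port=${3:-6033}
  out=$(openssl s_client -connect "$host:$port" -starttls mysql \
          -CAfile "$ca" -showcerts </dev/null 2>/dev/null || true)
  printf '%s\n' "$out" | grep 'Verify return code' || true
  printf '%s\n' "$out" | openssl x509 -noout -subject -issuer -dates \
    || echo "no certificate received from $host:$port"
}

# Constructed test material: a throwaway CA, a leaf it signs, and a leaf+CA
# bundle as it would be copied from a web server. Echoes the directory.
make_test_pki() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Test CA' \
    -keyout "$d/ca-key.pem" -out "$d/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=*.example.test' \
    -keyout "$d/key.pem" -out "$d/csr.pem" 2>/dev/null
  openssl x509 -req -in "$d/csr.pem" -CA "$d/ca.pem" -CAkey "$d/ca-key.pem" \
    -CAcreateserial -days 1 -out "$d/cert.pem" 2>/dev/null
  cat "$d/cert.pem" "$d/ca.pem" > "$d/bundle.pem"
  echo "$d"
}

# Run the offline checks against a ProxySQL datadir, e.g.
#   check_datadir /var/lib/proxysql
check_datadir() {
  dir=$1
  echo "cert blocks in proxysql-cert.pem: $(count_certs "$dir/proxysql-cert.pem")"
  if key_matches_cert "$dir/proxysql-key.pem" "$dir/proxysql-cert.pem"; then
    echo "key matches cert: yes"
  else
    echo "key matches cert: NO"
  fi
  if cert_verifies_against_ca "$dir/proxysql-ca.pem" "$dir/proxysql-cert.pem"; then
    echo "cert chains to proxysql-ca.pem: yes"
  else
    echo "cert chains to proxysql-ca.pem: NO"
  fi
}
```

Run check_datadir on each node's datadir before restarting or reloading TLS; if all three answers are "yes" there and probe_frontend against a node still shows a different subject or issuer, the files on disk are not what ProxySQL is serving, which is the case worth reporting with the exact file layout. Point probe_frontend at the load balancer name as well, since an NLB that terminates TLS itself would present its own certificate rather than the proxy's.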

René Cannaò

Apr 23, 2025, 6:47:18 PM
to James O'Brien, proxysql
Hi James,

Maybe you are hitting this issue: https://github.com/sysown/proxysql/issues/4877
Can you please try the current development branch v3.0 , and see if the issue is solved there?

Thanks,
René


James O'Brien

Apr 24, 2025, 7:20:44 AM
to proxysql
Hello,

I tried the dev v3 and updated openssl:
proxysql --version
2025-04-24 11:18:00 [INFO] Using OpenSSL version: OpenSSL 3.5.0 8 Apr 2025
ProxySQL version 3.0.1-354-g05adfe5, codename Truls


Using the cname or load balancer name or proxy node directly fails with SSL routines::certificate verify failed
I generated a self signed cert with openssl, added that to the proxy and I get the same cert failed error.
I copied a wild card cert from another DB server in the same domain and get the same error.

The only time it works is when using the cert, key and ca files generated by ProxySQL, which we can't use in Production.

We can't turn off the requirement as the .NET apps enforce SSL connections, which means the Proxy has to handle them for front end connections.

Any other suggestions would be gratefully received.

James

Javier Jaramago Fernandez

May 12, 2025, 7:25:28 AM
to James O'Brien, proxysql
On Thu, Apr 24, 2025 at 1:20 PM James O'Brien <james.o...@gmail.com> wrote:
> Hello,
>
> I tried the dev v3 and updated openssl:
> proxysql --version
> 2025-04-24 11:18:00 [INFO] Using OpenSSL version: OpenSSL 3.5.0 8 Apr 2025
> ProxySQL version 3.0.1-354-g05adfe5, codename Truls
>
> Using the cname or load balancer name or proxy node directly fails with SSL routines::certificate verify failed
> I generated a self signed cert with openssl, added that to the proxy and I get the same cert failed error.
> I copied a wild card cert from another DB server in the same domain and get the same error.
>
> The only time it works is when using the cert, key and ca files generated by ProxySQL, which we can't use in Production.
>
> We can't turn off the requirement as the .NET apps enforce SSL connections, which means the Proxy has to handle them for front end connections.
>
> Any other suggestions would be gratefully received.

Hi James,

After this fix https://github.com/sysown/proxysql/pull/4904, there are no known issues regarding certificate verification. We also added new tests checking that ProxySQL serves the correct certificate chains in different scenarios,
so, if you are still experiencing this issue and you have a reproduction scenario, please feel free to create an issue with the details of the certificate creation.

Thank you, best regards,
Javier.