MariaDB SSL does not work #76032

Open
williamdes opened this issue Jan 4, 2025 · 6 comments
Labels: mariadb; stale (15 days without activity); tech-issues (The user has a technical issue about an application); triage (Triage is needed)


@williamdes

Name and Version

bitnami/mariadb:11.4

What architecture are you using?

amd64

What steps will reproduce the bug?

```yaml
version: "3.1"

services:
  db_server:
    image: ${SSL_DB:-bitnami/mariadb:11.4}
    environment:
      MARIADB_BIND_ADDRESS: 0.0.0.0
      MARIADB_USER: secure-user
      MARIADB_PASSWORD: "${TESTSUITE_PASSWORD:-my-secret-pw}"
      MARIADB_ROOT_PASSWORD: random-pass
      MARIADB_CLIENT_ENABLE_SSL: yes
      MARIADB_CLIENT_SSL_CA_FILE: /etc/phpmyadmin/ssl/ca-cert.pem
      MARIADB_CLIENT_SSL_CERT_FILE: /etc/phpmyadmin/ssl/server-cert.pem
      MARIADB_CLIENT_SSL_KEY_FILE: /etc/phpmyadmin/ssl/server-key.pem
    healthcheck:
      test: ["CMD", "mariadb-admin", "ping", "-uroot", "-prandom-pass"]
      start_period: 10s
      interval: 5s
      timeout: 60s
      retries: 10
    networks:
      testing:
        aliases:
         - phpmyadmin_testing_db
    tmpfs:
      - /var/lib/mysql:rw,noexec,nosuid,size=300m
    volumes:
      - ../ca-cert.pem:/etc/phpmyadmin/ssl/ca-cert.pem:ro
      - ../ca-key.pem:/etc/phpmyadmin/ssl/ca-key.pem:ro
      - ../server-cert.pem:/etc/phpmyadmin/ssl/server-cert.pem:ro
      - ../server-key.pem:/etc/phpmyadmin/ssl/server-key.pem:ro
```

I log in with the CLI as the user; it should throw me out since I do not use SSL.

What is the expected behavior?

Make it work and require SSL for clients.

What do you see instead?

It seems to have been added in 1b9e728,
but there is no code to manage the new envs.

Additional information

No response

@williamdes added the tech-issues (The user has a technical issue about an application) label on Jan 4, 2025
@github-actions bot added the triage (Triage is needed) label on Jan 4, 2025
@danthonywalker

danthonywalker commented Jan 6, 2025

This seems to also be an issue with the MySQL image.
I have this output in the logs showing it's using the ca.pem file, but I am using a different CA file (named ca.crt)

```
mysql 20:15:06.34 INFO  ==> ** Starting MySQL **
2025-01-06T20:15:06.361077Z 0 [System] [MY-015015] [Server] MySQL Server - start.
2025-01-06T20:15:06.361212Z 0 [Warning] [MY-010139] [Server] Changed limits: max_open_files: 4096 (requested 9010)
2025-01-06T20:15:06.361218Z 0 [Warning] [MY-010142] [Server] Changed limits: table_open_cache: 1543 (requested 4000)
2025-01-06T20:15:06.796782Z 0 [System] [MY-010116] [Server] /opt/bitnami/mysql/bin/mysqld (mysqld 9.0.1) starting as process 29
2025-01-06T20:15:06.807662Z 1 [System] [MY-013576] [InnoDB] InnoDB initialization has started.
2025-01-06T20:15:07.160853Z 1 [System] [MY-013577] [InnoDB] InnoDB initialization has ended.
2025-01-06T20:15:07.460847Z 0 [Warning] [MY-010068] [Server] CA certificate ca.pem is self signed.
2025-01-06T20:15:07.460898Z 0 [System] [MY-013602] [Server] Channel mysql_main configured to support TLS. Encrypted connections are now supported for this channel.
2025-01-06T20:15:07.503576Z 0 [System] [MY-011323] [Server] X Plugin ready for connections. Bind-address: '::' port: 33060, socket: /tmp/mysqlx.sock
2025-01-06T20:15:07.503762Z 0 [System] [MY-010931] [Server] /opt/bitnami/mysql/bin/mysqld: ready for connections. Version: '9.0.1'  socket: '/opt/bitnami/mysql/tmp/mysql.sock'  port: 3306  Source distribution.
```

And SSL isn't set via mysql --help:

```
ssl-ca                                                 (No default value)
ssl-capath                                             (No default value)
ssl-cert                                               (No default value)
ssl-cipher                                             (No default value)
ssl-key                                                (No default value)
```

It is evident the env is set:

```
~ $ docker exec -it mysql /bin/sh
$ echo "$MYSQL_CLIENT_SSL_CA_FILE"
/run/tls/ca.crt
```

But even in phpMyAdmin it doesn't show SSL being enabled.
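
An added example, not from the thread or the Bitnami images: a POSIX shell check that an option file really contains the TLS settings the environment variables were expected to produce, rather than trusting that the variables are set. The sample file is constructed (its paths reuse the compose file above), and which sections and keys to require is an assumption of this example.

```shell
# Audit a MariaDB/MySQL option file for TLS settings (added example).
# Keys are normalized ('-' and '_' are interchangeable); !include is not followed.

# cnf_get FILE SECTION KEY -> last value of KEY in [SECTION]; bare flags read as ON
cnf_get() {
  awk -v want="$2" -v key="$3" '
    /^[ \t]*[#;]/ { next }
    /^[ \t]*\[/ { s = $0; gsub(/[ \t]/, "", s); sub(/^\[/, "", s); sub(/\].*$/, "", s); next }
    s == want {
      eq = index($0, "=")
      k = eq ? substr($0, 1, eq - 1) : $0
      v = eq ? substr($0, eq + 1) : "ON"
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      gsub(/-/, "_", k)
      if (k == key) val = v
    }
    END { print val }
  ' "$1"
}

# audit_tls FILE -> one finding per line; returns 1 if any check fails
audit_tls() {
  rc=0
  for k in ssl_ca ssl_cert ssl_key; do
    [ -n "$(cnf_get "$1" mysqld "$k")" ] || { echo "FAIL [mysqld] $k not set"; rc=1; }
  done
  # Global enforcement; per-account REQUIRE SSL is a separate control not visible here.
  case "$(cnf_get "$1" mysqld require_secure_transport | tr 'a-z' 'A-Z')" in
    ON|1|TRUE) ;;
    *) echo "FAIL [mysqld] require_secure_transport not ON"; rc=1 ;;
  esac
  # The [client] group is what the command-line client tools read.
  [ -n "$(cnf_get "$1" client ssl_ca)" ] || { echo "FAIL [client] ssl_ca not set"; rc=1; }
  return $rc
}

# Constructed sample: server has TLS material, but nothing enforces or uses it.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[mysqld]
bind-address = 0.0.0.0
ssl-ca = /etc/phpmyadmin/ssl/ca-cert.pem
ssl-cert = /etc/phpmyadmin/ssl/server-cert.pem
ssl-key = /etc/phpmyadmin/ssl/server-key.pem
[client]
port = 3306
EOF
audit_tls "$sample" || echo "=> TLS is available but not enforced"
```

Point `audit_tls` at the option file the running container actually loads; a clean run prints nothing and returns 0.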

@williamdes

> But even in phpMyAdmin it doesn't show SSL being enabled.

I am working on phpmyadmin/docker#448 (the reason why I discovered the bug here).
Maybe comment there if you think there is a phpMyAdmin issue.

@danthonywalker

I don't think it's a phpMyAdmin issue, the server itself reports SSL isn't enabled via the help command. I was just saying phpMyAdmin also backs up this fact.

@LordRobinCbz

Hello,
I am from the original PR mentioned by @williamdes. First of all, many thanks for your time.

I can reproduce the bug with the Docker image too, while testing mTLS with it.
No error when the configuration is edited manually inside the Dockerfile.

Just for information.


This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

@github-actions bot added the stale (15 days without activity) label on Jan 24, 2025
@williamdes

Nasty bot
