8

I have a MySQL Server set up to use SSL and I also have the CA Certificate.

When I connect to the server using MySQL Workbench, I do not need the certificate. I can also connect to the server using Python and MySQLdb on a Mac without the CA-certificate.

But when I try to connect using the exact same setup of Python and MySQLdb on a windows machine, I get access denied. It appears that I need the CA. And when I enter the CA, I get the following error

_mysql_exceptions.OperationalError: (2026, 'SSL connection error')

My code to open the connection is below:

db = MySQLdb.connect(host="host.name",    
                 port=3306,
                 user="user",         
                 passwd="secret_password",  
                 db="database", 
                 ssl={'ca': '/path/to/ca/cert'})

Could anyone point out what the problem is on a windows?

Improve this question

6 Answers 6

Reset to default
6

I just got the following to work with Python 2.7 and MySQLdb (1.2.4):

database = MySQLdb.connect(host='hostname', user='username', db='db_name',
    passwd='PASSWORD', ssl={'ca': '/path/to/ca-file'})

This is what you had so there must be something else going on here. I wonder if you have something either incorrect with the your local CA file or possibly the cert on the server? Can you get a copy of the CA file from the server?

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

1 
import pymysql

conn = pymysql.connect(host= # your host, usually localhost,
user = # your username,
passwd = # your password,
db = #your database name ,
ssl ={'ssl': r'path of your pem file'})
Improve this answer

1 Comment

Please add some description alongside with your code.
1

Try this

import ssl
from databases import Database
sslctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, 
    cafile='ca.pem')
sslctx.verify_mode = ssl.CERT_REQUIRED
sslctx.check_hostname = True
sslctx.load_cert_chain(certfile='client.crt', keyfile='pkey.key')

database = Database(DATABASE_URL, ssl=sslctx)

databases library provides support for PostgreSQL, MySQL, and SQLite. Also useful for async frameworks.

Improve this answer

Comments

1

I know this is old but according to the documentation MYSQL on object and its properties. What i tested on Python 3.8 this is the format I used

        Cnxn=  mysql.connector.connect(
        host="ip_address",
        user="usern",
        password='pass',
        database="database",
        port="port",
        ssl_ca=Path("/path/to/cert/ca.crt")
        
    )

As Side note I had to run this openssl on PEM file first as well and convert to a .crt file

openssl x509 -in ./Downloads/ca.pem -out ./Downloads/ca.crt -outform PEM
Improve this answer

Comments

0

Im using pymysql and I had some problems to connect using SSL keys and certs: for the "ssl" attribute I set up as a dictionary inside. Try as below:

db = MySQLdb.connect(host="host.name",
    port=3306,
    user="user",
    passwd="secret_password",
    db="database",
    ssl={'ssl':
            {'ca': '/path/to/ca/ca',
             'key': '/path/to/ca/key',
             'cert': '/path/to/ca/cert'
            }
         }
)
Improve this answer

2 Comments

Are you sure this isn't moving the options out of the way so that it stops using SSL?
@Andy Indeed, although it "solves" the error it disabled TLS entirely.
0

I know this is a bit old but I found a way to get this to work. Use pymysql instead of MySQLdb and write the connection as:

import pymysql

conn = pymysql.connect(user = 'user', password = 'passwd'
, database = 'db', host = 'hst', ssl = {'ssl' : {'ca': 'pathtosll/something.pem'}})

The point people miss (including myself) is that ssl needs to be a dictionary containing a key 'ssl' which has another dictionary as a value with a key 'ca'. This should work for you.

Improve this answer

1 Comment

I don't know what's the reason for this nested ssl dictionary, and even can't find in pymysql code why this should work. I just use one (not nested) dictionary as follows: pymysql.connect(..., ssl={'ca': 'ca.pem'}) and it works.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.