Can't connect to MySQL datasource since switch to "--require_secure_transport=ON" mode

otakun85 · January 16, 2023, 9:55am

Hi Grafana Community,

some time ago our MySQL database changed its configuration and enabled “–require_secure_transport=ON” and we connect using TLS with our SQL tooling (for me IntelliJ).

Error message I get:
“logger=tsdb.mysql t=2023-01-16T10:32:40.287979533+01:00 level=error msg=“Query error” error=“Error 3159: Connections using insecure transport are prohibited while --require_secure_transport=ON.””

I can connect using IntelliJ just by enabling TLS/SSL checkox. No certificate or any other file is needed.

I tried the checkboxes in various constellations but none were successful. I didn’t add any information in the appearing boxes as this shouldn’t be necessary.

Can you please help me how I can configure this or is this a bug?

Thank you in advance

Using v9.3.2 (21c1d14e916)

usman.ahmad · January 16, 2023, 11:51am

Hi @otakun85,

Welcome to the community support forums !!

We are excited that you joined our OSS community. Please read about some of the FAQs in the community

I understand that your MySQL server is now secured by enabling this configuration parameter:

require_secure_transport=ON

Is the SSL configured to work with the remote host?

Might be good to check this link:

Let us know if this helps.

otakun85 · January 16, 2023, 1:15pm

Hello and thank you for the quick reply.

If I read the content of the link correctly than this describes how I can setup in general a mysql server and client to connect from with TLS.

Yet in my situation the server is already setup.

I configured following in MySQL Workbench or IntelliJ and it just works:
Host
username and password
(Use SSL if available, default setting)

So I’m wondering why it’s not working in Grafana data source setting?

usman.ahmad · February 28, 2023, 7:46pm

Updating this post as the same user @otakun85 also reported it at:

github.com/grafana/grafana

Can't connect to Mysql Datasource since switch to TLS only. Mysql Errorcode 3159

opened 08:56AM - 20 Feb 23 UTC

keiki85

needs more info datasource/MySQL

**What happened**: Since the database was switchted to TLS only mode "--require…_secure_transport=ON" I can't connect to it anymore with Grafana. MySQL clients like Workbench or IntelliJ are automatically using TLS and connecting without any issue. Error message: `“logger=tsdb.mysql t=2023-01-16T10:32:40.287979533+01:00 level=error msg=“Query error” error=“Error 3159: Connections using insecure transport are prohibited while --require_secure_transport=ON.””` **What you expected to happen**: I can connect to MySQL. **How to reproduce it (as minimally and precisely as possible)**: I'm not sure yet. I guess you need to configure a MySQL instance with said flag. **Anything else we need to know?**: I tried to get an answer in the forum but it didn't help https://community.grafana.com/t/cant-connect-to-mysql-datasource-since-switch-to-require-secure-transport-on-mode/79748 **Environment**: - Grafana version: 9.3.6 (taken from arch AUR) - Data source type & version: dunno where to get this information - MySQL DBMS: Report from IntelliJ connection: ``` MySQL (ver. 8.0.28-19.1) Case sensitivity: plain=exact, delimited=exact Driver: MySQL Connector/J (ver. mysql-connector-java-8.0.25 (Revision: 08be9e9b4cba6aa115f9b27b215887af40b159e0), JDBC4.2) ``` - OS Grafana is installed on: Arch Linux - User OS & Browser: Endeavor OS which is based on arch - Grafana plugins: No extra Thank you very much.

will help others to keep track and follow the update on resolution.

rmacian1 · February 26, 2024, 1:32pm

A year after the problem seems to persist, I’ve tried with latest 9.4.17 and I still can’t configure a datasource using secure transport.
In my case I’m using Azure Mysql Flexible Server. I’ve been able to configure the database for grafana using secure connection but the datasource is not able to connect. Always throws an error

[xorm] [info]  2024/02/26 13:29:32.122745 PING DATABASE mysql
logger=tsdb.mysql t=2024-02-26T13:29:32.152392869Z level=error msg="Query error" error="Error 3159: Connections using insecure transport are prohibited while --require_secure_transport=ON."
logger=context userId=1 orgId=1 uname=admin t=2024-02-26T13:29:32.15256794Z level=info msg="Request Completed" method=GET path=/api/datasources/uid/XW_8ALoIz/health status=400 remote_addr=127.0.0.1 time_ms=39 duration=39.459766ms size=91 referer=http://localhost:8080/grafana/datasources/edit/XW_8ALoIz/ handler=/api/datasources/uid/:uid/health

usman.ahmad · February 26, 2024, 3:42pm

Hi @rmacian1

Looking at the error message is not related to Grafana but to the MySQL in general as it says:

Connections using insecure transport are prohibited while --require_secure_transport=ON.

Now this can be easily fixed by MySQL config to turn require_secure_transport=OFF

But the drawback will be that it is insecure for production usage.

The alternative (more secure) method is to configure SSL/TLS so that the client connects MySQL server via SSL/TLS protocol config.

Here is a reference link

I hope this helps.

otakun85 · February 26, 2024, 3:58pm

It’s a grafana issue as specified in the github ticket.You are e.g. not using the “preferred mode” for mysql as most mysql clients do. And you allow TLS only when a certificate file is provided, which is actually optional.

But since the bug was not solved I stopped using it. I don’t wanna keep my own grafana patched source code just for this.

rmacian1 · February 26, 2024, 3:59pm

The problem is not in the server side. Indeed I am using the same MySQL as grafana backend , but the datasource to enable dashboards to connect to mysql does seems to contemplate an SSL connection without client authentication

rmacian1 · February 26, 2024, 4:00pm

That’s I am gonna do. I asked on the ticket too. I was only setting it up because of a mysql dashboard found that requires it. I will left it a part because even the latest version of grafana released suffers from the same issue.

usman.ahmad · February 27, 2024, 9:18am

Hi @otakun85 and @rmacian1

You are right, I looked into the above GitHub issue link and it is marked as a bug. I have added some more info to it.

usman.ahmad · February 27, 2024, 12:36pm

@here

Got some updates from the Engineering folks. Currently, they are working on a fix for the same error in PostgreSQL and then MySQL will be next.

Topic		Replies	Views
Creating a MySQL Datasource using TLS? Configuration	0	645	December 10, 2018
Connect to secure MySQL	1	2170	February 15, 2018
Connecting to MySQL Datasource using SSL TLS 1.2 MySQL mysql	2	1506	May 15, 2018
Question: Does xk6-sql support ssl-mode required and TLS Extensions	4	624	June 21, 2023
How configure SSL connection to MySQL with TLSv1.2? Grafana datasource , mariadb	3	682	April 9, 2024

Can't connect to MySQL datasource since switch to "--require_secure_transport=ON" mode

Related topics