How configure SSL connection to MySQL with TLSv1.2?

Grafana
,
1

Hi, I am trying to connect to mariaDB secured by certificate. I am sure that the database is correctly configured, but when I try to pass client certificate and key to grafana for the connection always give me the following log:

logger=tsdb.mysql t=2024-04-09T10:41:36.87+0200 lvl=eror msg=“query error” err=“remote error: tls: handshake failure”

I am using:

  • Grafana version 8.4.4
  • MariaDB version 15.1 Distrib 10.7.5-MariaDB

This is the configuration I am using:

  • /etc/grafana/provisioning/datasource/file.yaml :
apiVersion: 1

deleteDatasources:
  - name: MySQL-SSL
    orgId: 1

datasources:
  - name: MySQL-SSL
    type: mysql
    url: 127.0.0.1:3306
    user: user
    database: DB_TEST
    jsonData:
      tlsAuth: true
      tlsAuthWithCACert: false
      tlsSkipVerify: true
    secureJsonData:
      tlsClientCert: $__file{/cert/client-cert.pem}
      tlsClientKey: $__file{/cert/client-key.pem}
      password: ***
    editable: false
  • /etc/mariadb/server.cnf
...
[mysqld]

require_secure_transport = ON
bind-address = 0.0.0.0
ssl-ca=/cert/ca-cert.pem
ssl-cert=/cert/server-cert.pem
ssl-key=/cert/server-key.pem
tls_version=TLSv1.2,TLSv1.3
ssl-cipher=DHE-RSA-AES256-SHA
...

I configure the same certificate with DBeaver and the connection is established with success. The only difference between Grafana and DBeaver is “requireSSL”.

Do you known how can I create a connection like this? I have to update Grafana version?

Thanks

2

How is Grafana/MySQL installed? Because you are referring 127.0.0.1 - are you really sure that your are using the same localhost for both?

3

hi @jangaraj, yes at the moment I have installed both Grafana and MariaDB in the same host. I have also tried to connect throw command line client and it worked:

mysql -u user -h 127.0.0.1 -P 3306 -p --ssl-cert=/cert/client-cert.pem --ssl-key=/cert/client-key.pem

Grafana doesn’t want to connect to DB throw SSL connection or maybe my configuration yaml is incomplete.

4

Ok, so there is no container. Don’t use provisioning. First configure datasource manually and when you know working setup, then use provisioning.

I don’t see any client cert config on mysql side, so don’t configure client cert on the Grafana side. Just configure root certificate, e. g.: