How to configure SSL connection to MySQL with TLSv1.2?

Hi, I am trying to connect to MariaDB secured by certificate. I am sure that the database is correctly configured, but when I try to pass the client certificate and key to Grafana for the connection, it always gives me the following log:

logger=tsdb.mysql t=2024-04-09T10:41:36.87+0200 lvl=eror msg="query error" err="remote error: tls: handshake failure"

I am using:

  • Grafana version 8.4.4
  • MariaDB version 15.1 Distrib 10.7.5-MariaDB

This is the configuration I am using:

  • /etc/grafana/provisioning/datasource/file.yaml :
apiVersion: 1

deleteDatasources:
  - name: MySQL-SSL
    orgId: 1

datasources:
  - name: MySQL-SSL
    type: mysql
    url: 127.0.0.1:3306
    user: user
    database: DB_TEST
    jsonData:
      tlsAuth: true
      tlsAuthWithCACert: false
      tlsSkipVerify: true
    secureJsonData:
      tlsClientCert: $__file{/cert/client-cert.pem}
      tlsClientKey: $__file{/cert/client-key.pem}
      password: ***
    editable: false
  • /etc/mariadb/server.cnf
...
[mysqld]

require_secure_transport = ON
bind-address = 0.0.0.0
ssl-ca=/cert/ca-cert.pem
ssl-cert=/cert/server-cert.pem
ssl-key=/cert/server-key.pem
tls_version=TLSv1.2,TLSv1.3
ssl-cipher=DHE-RSA-AES256-SHA
...

I configured the same certificate in DBeaver and the connection was established successfully. The only difference between Grafana and DBeaver is “requireSSL”.

Do you know how I can create a connection like this? Do I have to update the Grafana version?

Thanks

How is Grafana/MySQL installed? Because you are referring to 127.0.0.1 - are you really sure that you are using the same localhost for both?

Hi @jangaraj, yes, at the moment I have installed both Grafana and MariaDB on the same host. I have also tried to connect through the command line client and it worked:

mysql -u user -h 127.0.0.1 -P 3306 -p --ssl-cert=/cert/client-cert.pem --ssl-key=/cert/client-key.pem

Grafana doesn’t want to connect to the DB through an SSL connection, or maybe my configuration YAML is incomplete.
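
An added example, not part of the thread and not Grafana's own code: Grafana's backend is written in Go, so one check worth running for a "tls: handshake failure" at TLS 1.2 is whether any cipher in the server's ssl-cipher list is implemented by Go's crypto/tls at all. The sample config string, the function names and the partial OpenSSL-to-IANA name mapping are assumptions constructed for this example.

```go
package main

import (
	"bufio"
	"crypto/tls"
	"fmt"
	"strings"
)

// Constructed sample: TLS lines from the server.cnf in the question.
const sampleCnf = "[mysqld]\ntls_version=TLSv1.2,TLSv1.3\nssl-cipher=DHE-RSA-AES256-SHA\n"

// Partial hand-written OpenSSL-to-IANA name mapping (assumption of this example).
var opensslToIANA = map[string]string{
	"DHE-RSA-AES256-SHA":          "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
	"AES256-SHA":                  "TLS_RSA_WITH_AES_256_CBC_SHA",
	"ECDHE-RSA-AES256-GCM-SHA384": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

// serverCiphers returns the colon-separated ssl-cipher (or ssl_cipher) entries.
func serverCiphers(cnf string) []string {
	sc := bufio.NewScanner(strings.NewReader(cnf))
	for sc.Scan() {
		k, v, ok := strings.Cut(sc.Text(), "=")
		if ok && strings.ReplaceAll(strings.TrimSpace(k), "_", "-") == "ssl-cipher" {
			return strings.Split(strings.TrimSpace(v), ":")
		}
	}
	return nil
}

// goSupported keeps ciphers crypto/tls implements; unmapped names are dropped.
func goSupported(ciphers []string) []string {
	known := map[string]bool{}
	for _, s := range append(tls.CipherSuites(), tls.InsecureCipherSuites()...) {
		known[s.Name] = true
	}
	var out []string
	for _, c := range ciphers {
		if known[opensslToIANA[c]] {
			out = append(out, c)
		}
	}
	return out
}

func main() {
	c := serverCiphers(sampleCnf)
	fmt.Printf("server ssl-cipher: %v, usable by a Go client: %v\n", c, goSupported(c))
}
```

The check covers TLS 1.2 suites only; OpenSSL configures TLS 1.3 suites separately from the cipher list.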

Ok, so there is no container. Don’t use provisioning. First configure the datasource manually, and when you know a working setup, then use provisioning.

I don’t see any client cert config on the MySQL side, so don’t configure a client cert on the Grafana side. Just configure the root certificate, e.g.: