pdns-mysql:4.9-alpine - SSL is required #147

Closed
pkhamre opened this issue Jan 2, 2025 · 13 comments

pkhamre commented Jan 2, 2025

I pulled the latest pdns-mysql:4.9-alpine image that changes from the mysql- to the mariadb-binary, but now I get the following error when powerdns is connecting to my MariaDB 10.11 instance.

Can't find any client-side settings for TLS.

powerdns-1 | ERROR 2026 (HY000): TLS/SSL error: SSL is required, but the server does not support it
powerdns-1 | MySQL is unavailable - sleeping

Any suggestion on how to solve this?

I would prefer to be able to set --skip-ssl on the mariadb-client side.

@pschiffe
Owner

pschiffe commented Jan 3, 2025

Hello, thanks for the bug report.

You can now set the MYSQL_CLIENT_EXTRA_PARAMS='--skip-ssl' env var for the pdns-mysql container; updated images should be available on Docker Hub now.

The mysql command in Linux distros is now just a symlink to mariadb. The reason for this issue is that the Alpine base image updated the mariadb client program to 11.x, which requires SSL to be on by default. This works fine when paired with a mariadb 11.x server; however, 10.x doesn't have SSL enabled by default, so it has to be disabled on the client or enabled on the server explicitly.

@silverwind

Also ran into a similar issue against MySQL 8.4:

ERROR 2026 (HY000): TLS/SSL error: self-signed certificate in certificate chain
MySQL is unavailable - sleeping

Adding MYSQL_CLIENT_EXTRA_PARAMS='--skip-ssl' fixed it. Maybe it should be made the default.

pschiffe pinned this issue Jan 13, 2025

@pschiffe
Owner

Hi @silverwind,

If your mysql server is on a different host, you can mount the CA of the self-signed mysql server cert in the pdns-mysql container and use the --ssl-ca=/path/to/ca param, or at least --disable-ssl-verify-server-cert to disable cert verification while keeping the connection encrypted.

If the mysql server is on the same host, it's better to --skip-ssl.

I've pinned this issue, but I'm hesitant to make --skip-ssl default as it may create a less secure or unwanted configuration in some situations.

@silverwind

silverwind commented Jan 13, 2025

Thanks. I'll be using MYSQL_CLIENT_EXTRA_PARAMS=--disable-ssl-verify-server-cert as that's definitely better than completely disabling it. In my case, I use this image only during development with two docker containers, so it's acceptable. But I do agree setting up a CA would be best, especially for production.

@pkhamre
Author

pkhamre commented Jan 13, 2025

@silverwind I want to add here that I ran into this problem running pdns-mysql with mariadb 10.6.

But after I upgraded mariadb to the same version defined in the docker-compose-file here, mariadb:11-ubi, the problem I described in this issue disappeared.

Ref: https://github.com/pschiffe/docker-pdns/blob/master/docker-compose-mysql.yml

@silverwind

silverwind commented Jan 13, 2025

I don't think our issues are related, but mine started to appear today with the mysql:8.2 and mysql:8.4 docker images. The same images worked a few weeks earlier, so I suspect a change from mysql triggered my issue, but I have not investigated further because --disable-ssl-verify-server-cert does what I need, for now.

@phoenixtechnam

Hi, my pdns-mysql stopped working today after a casual update. The docker logs show

ERROR 2026 (HY000): TLS/SSL error: SSL is required, but the server does not support it
MySQL is unavailable - sleeping

I'm using mariadb:11.2.4 (not updated)

Adding MYSQL_CLIENT_EXTRA_PARAMS='--skip-ssl' to my pdns.env did not help.

Pls assist

@pschiffe
Owner

Which pdns-mysql image are you using? Can you provide your tag and maybe hash as well?

@phoenixtechnam

pschiffe/pdns-mysql:alpine@sha256:62c497c61a6cf67866e96b7b2863162fc6ad627f9c3992d851623fb68bbc8ddb

@pschiffe
Owner

Could you exec into the running container and verify with the env command that MYSQL_CLIENT_EXTRA_PARAMS is there?

@phoenixtechnam

Yes, confirmed


@pschiffe
Owner

I can confirm that when using mariadb:11.2.4 as DB I see the error as well: ERROR 2026 (HY000): TLS/SSL error: SSL is required, but the server does not support it

However, providing MYSQL_CLIENT_EXTRA_PARAMS='--skip-ssl' fixed it for me.

Anyway, I've added bash debug output with DEBUG=1 env var, can you update the image, try it and paste log output? Remove passwords.

@phoenixtechnam

LOG OUTPUT:

mariadb -h pdns_db -P 3306 -u root ''"'"'--skip-ssl'"'" -pXXXXXXXXXXXXXX -e ';'

After seeing the multitude of quotation marks in the logs, I changed
MYSQL_CLIENT_EXTRA_PARAMS='--skip-ssl'
to
MYSQL_CLIENT_EXTRA_PARAMS=--skip-ssl

in my .env file and it works again now
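
An added example, not part of the thread or of the image's own scripts: a preflight check for an env file that flags a MYSQL_CLIENT_EXTRA_PARAMS value wrapped in literal quotes (the cause found in the last comment) and reports which of the TLS options discussed in this thread it requests. The function names and the sample file are constructed, and it assumes the env-file loader passes the text after `=` through unchanged.

```shell
#!/bin/sh
# Added example; function names are hypothetical and the env file below is constructed.

# Value of KEY in an env file, taken literally (no quote processing).
# Assumption: the env-file loader passes the text after '=' through unchanged,
# which is what the debug output in the thread suggests.
env_value() {    # usage: env_value FILE KEY
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# True when the value is wrapped in literal single or double quotes.
has_literal_quotes() {
    case "$1" in
        \'*\'|\"*\") return 0 ;;
        *) return 1 ;;
    esac
}

# Transport posture requested by the client options named in the thread.
# The least protective option wins if several are present.
tls_posture() {
    case "$1" in
        *--skip-ssl*) echo plaintext ;;
        *--disable-ssl-verify-server-cert*) echo encrypted-unverified ;;
        *--ssl-ca=*) echo encrypted-ca ;;
        *) echo client-default ;;
    esac
}

# Report "<quoting> <posture>" for MYSQL_CLIENT_EXTRA_PARAMS in FILE.
# "literal-quotes" means the client would receive the quotes as part of the argument.
audit_env_file() {
    v=$(env_value "$1" MYSQL_CLIENT_EXTRA_PARAMS)
    if has_literal_quotes "$v"; then q=literal-quotes; else q=ok; fi
    printf '%s %s\n' "$q" "$(tls_posture "$v")"
}

# Constructed sample: the quoted form from the thread.
sample=$(mktemp)
printf '%s\n' "DEBUG=1" "MYSQL_CLIENT_EXTRA_PARAMS='--skip-ssl'" > "$sample"
audit_env_file "$sample"    # prints "literal-quotes plaintext"
rm -f "$sample"
```
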
