The Wayback Machine - https://web.archive.org/web/20200601103452/https://github.com/PyMySQL/PyMySQL/issues/430
SSL certificate verify failed #430

Closed
m0x3 opened this issue Feb 22, 2016 · 4 comments

@m0x3 m0x3 commented Feb 22, 2016

Hi! Python 3.4.3, PyMySQL 0.6.7 and 0.7.1, MySQL 5.5.23 and 5.5.4x.
I can't connect to MySQL with the ssl option.
With MySQL Workbench and with mysql-client, the secure connection works fine.
I have tested it on two MySQL servers, on Debian and Windows.

Here is code and explanations

make certs

```sh
openssl genrsa 2048 > ca-key.pem; \
openssl req -sha1 -new -x509 -nodes -days 3650 -key ca-key.pem > ca-cert.pem; \
openssl req -sha1 -newkey rsa:2048 -days 730 -nodes -keyout server-key.pem > server-req.pem; \
openssl x509 -sha1 -req -in server-req.pem -days 730  -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem; \
openssl rsa -in server-key.pem -out server-key.pem; \
openssl req -sha1 -newkey rsa:2048 -days 730 -nodes -keyout client-key.pem > client-req.pem; \
openssl x509 -sha1 -req -in client-req.pem -days 730 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem; \
openssl rsa -in client-key.pem -out client-key.pem;
```

user create

```sql
CREATE DATABASE dbname;
GRANT ALL PRIVILEGES ON dbname.* TO 'u1'@'%' IDENTIFIED BY '12345' REQUIRE SSL;
FLUSH PRIVILEGES;
```

code

```python
from __future__ import print_function
import pymysql

#conn = pymysql.connect(host='localhost', port=3306, user='root', passwd='', db='mysql')
conn = pymysql.connect(host='localhost', port=3306, user='u1', passwd='12345', db='dbname', ssl = {'key': 'ssl/client-key.pem', 'cert': 'ssl/client-cert.pem', 'ca': 'ssl/ca-cert.pem'})

cur = conn.cursor()
#cur.execute("SELECT Host,User FROM user")
cur.execute("SHOW TABLES")

print(cur.description)
print()
for row in cur:
    print(row)
cur.close()
conn.close()
```

error

```
Traceback (most recent call last):
  File "C:\Python34\lib\site-packages\pymysql\connections.py", line 851, in connect
    self._request_authentication()
  File "C:\Python34\lib\site-packages\pymysql\connections.py", line 1017, in _request_authentication
    ca_certs=self.ca)
  File "C:\Python34\lib\ssl.py", line 890, in wrap_socket
    ciphers=ciphers)
  File "C:\Python34\lib\ssl.py", line 580, in __init__
    self.do_handshake()
  File "C:\Python34\lib\ssl.py", line 807, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:600)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:/Users/User/Py/prjct/test.py", line 24, in <module>
    conn = pymysql.connect(host='localhost', port=3306, user='u1', passwd='12345', db='dbname', ssl = {'key': 'ssl/client-key.pem', 'cert': 'ssl/client-cert.pem', 'ca': 'ssl/ca-cert.pem'})
  File "C:\Python34\lib\site-packages\pymysql\__init__.py", line 88, in Connect
    return Connection(*args, **kwargs)
  File "C:\Python34\lib\site-packages\pymysql\connections.py", line 657, in __init__
    self.connect()
  File "C:\Python34\lib\site-packages\pymysql\connections.py", line 882, in connect
    raise exc
pymysql.err.OperationalError: (2003, "Can't connect to MySQL server on 'localhost' ([SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:600))")
```

@m0x3 m0x3 commented Feb 22, 2016

I missed this part of the instructions:

Whatever method you use to generate the certificate and key files, the Common Name value used for the server and client certificates/keys must each differ from the Common Name value used for the CA certificate. Otherwise, the certificate and key files will not work for servers compiled using OpenSSL.

When OpenSSL prompts you for the Common Name for each certificate, use different names.
Sorry for the issue.

@m0x3 m0x3 closed this Feb 22, 2016

@m0x3 m0x3 commented Feb 22, 2016

It helps and raises new errors:
first - the dhkey does not have enough length, and I updated the test MySQL server to the latest 5.7.11;
it helps and raises a new error that the common name does not match localhost,
and I have regenerated the certificates with the new common name localhost.

AND it shows me the error again - ([SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:600))

@m0x3 m0x3 reopened this Feb 22, 2016
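
The two conditions reported in the comments above (a server or client certificate that shares the CA's Common Name, and a server certificate whose name does not match the host) can be checked on the certificate files before a client is pointed at the server. This is an added example, not part of the original thread; `cert_name` and `check_pair` are hypothetical helper names, and it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example, not from the issue: preflight check of a MySQL TLS certificate set.
# cert_name and check_pair are hypothetical helper names.

# Print a certificate's subject or issuer DN in RFC 2253 form.
cert_name() {   # $1 = subject|issuer, $2 = PEM certificate
    openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" | sed "s/^$1= *//"
}

# Return codes: 0 ok, 1 leaf subject equals CA subject, 2 leaf not issued
# by this CA (by name), 3 chain verification failed, 4 host name mismatch.
check_pair() {  # $1 = CA cert, $2 = server/client cert, $3 = host (optional)
    ca_subject=$(cert_name subject "$1")
    leaf_subject=$(cert_name subject "$2")
    leaf_issuer=$(cert_name issuer "$2")

    # Same DN as the CA: the condition the quoted MySQL instructions warn about.
    if [ "$leaf_subject" = "$ca_subject" ]; then
        echo "FAIL $2: subject '$leaf_subject' is identical to the CA subject" >&2
        return 1
    fi
    if [ "$leaf_issuer" != "$ca_subject" ]; then
        echo "FAIL $2: issuer '$leaf_issuer' is not this CA" >&2
        return 2
    fi
    if ! openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo "FAIL $2: signature chain does not verify against $1" >&2
        return 3
    fi
    # Host name check, only meaningful for the server certificate.
    if [ -n "${3:-}" ]; then
        case $(openssl x509 -noout -checkhost "$3" -in "$2") in
            *"does match certificate"*) ;;
            *) echo "FAIL $2: certificate does not match host '$3'" >&2; return 4 ;;
        esac
    fi
    echo "OK $2"
}

# Stand-alone use: sh check_certs.sh ca-cert.pem server-cert.pem localhost
if [ "$#" -ge 2 ]; then
    check_pair "$@"
fi
```

Run it once for the server certificate with the host name the client connects to, and once for the client certificate without a host name.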

@methane methane commented Feb 22, 2016

Is the verification OK with a MySQL client other than PyMySQL?

It seems to be not a bug of PyMySQL, but generic SSL trouble.
I'm not familiar with SSL. I haven't set up MySQL with SSL. So I can't give you any advice.
Stack Overflow may be a better place for you.

@methane methane closed this May 17, 2016

@bgriffen bgriffen commented Feb 18, 2019

I also posted this on StackOverflow. I believe there is some version conflict related issue with using mysql-python. I managed to connect via peewee (using SSL) using the following Anaconda/Pip versions:

    python                    2.7.15               h9bab390_6
    pymysql                   0.9.3                    py27_0 
    mysql-connector-c         6.1.11               h597af5e_0  
    mysql-connector-python    8.0.12           py27haf6c83e_0
    peewee                    3.8.2                    pypi_0    pypi

For completeness I connect to a Google Cloud Instance using SSL via:

```python
import os
from os.path import expanduser

import peewee as pw

home = expanduser("~")

# TLS options handed through to the MySQL driver
perms = {'key': home+'/ssl/client-key.pem',
         'cert': home+'/ssl/client-cert.pem',
         'ca': home+'/ssl/server-ca.pem',
         # False turns off matching the server certificate against the host name
         'check_hostname': False}

mysql_db = pw.MySQLDatabase(database=os.environ['GCP_DBNAME'],
                            host=os.environ['GCP_HOST'],
                            user=os.environ['GCP_USER'],
                            passwd=os.environ['GCP_PASS'],
                            ssl=perms)
```

Hope this helps anyone else that had the same error. The updated versions also seem to work with Python 3.5. I'm on Ubuntu 16.04.
