
Posted

Hiya,

I have a Django instance I'd like to get talking to the DB on HelioHost over SSL.

I set up a Let's Encrypt certificate and I've found the CA/Secret-key/Certificate info on Plesk. What I don't understand is how to make that talk via Django.

I've tried copying the CA info into a CA.pem on my machine and entering the path to that CA.pem into my settings.py as intended, but I just get back: "django.db.utils.OperationalError: (2026, 'SSL connection error: error:0A000086:SSL routines::certificate verify failed')"

I note that in my Plesk there are 2 CA files, one immediately after the other, all in one box in the UI. I'm not sure whether that should or shouldn't be the case, nor which I ought to use if either.

I've been going round in circles with GPT trying to figure this stuff out and I'm completely stumped.  Any suggestions please?

Posted

No, it's on Render :) It saves me a lot of stress as I can deploy directly from GitLab over CI/CD, but I can supply stuff like .pem to it using private files etc.

You have an open way of communicating with MySQL and I'm hosting that via Tommy.

Posted

So I guess my question is: is there any config I need to do on the HelioHost side, or is it simply a case of copying the CA certificate(s) from Plesk, pasting it/them in a ca.pem and then adjusting my respective framework to reference the CA (meaning I probably need to ask Render what hoops I have to jump through to make it talk on their server)? Or do I need to generate some client certificates or something based on what I have set up with you?

Posted
1 hour ago, Krydos said:

What host are you using?

What host are you using? 65.19.141.77? 2001:470:1:1ee::2002? tommy2.heliohost.org? Your domain? Something else?

Posted

The MySQL server doesn't use the SSL certificate for your domain. MySQL's SSL is configured with the certificate for the domain tommy2.heliohost.org. Use that for your host.

Posted

OK, but in which case, where am I deriving my SSL details from?

The auto-SSL setup via Let's Encrypt refers to the aforementioned `foo.helioho.st` and not tommy2.heliohost.org ... I've tried supplying that to my config. If I remove the 'ssl' property the site connects. Do I need to supply anything else?

And hey, thanks for all the help thus far, it's enormously appreciated :)

(config in next post, it was playing up on this post)

 
Posted

No joy,

django.db.utils.OperationalError: (2026, 'SSL connection error: error:0A000086:SSL routines::certificate verify failed')

But in fact, I think there's more to this.

Normally you would need to generate a new private key and certificate for the client. This typically involves the following steps:

1. Generate a new private key for the client.
2. Create a certificate signing request (CSR) for the new private key.
3. Submit the CSR to a certificate authority (CA) to get it signed, resulting in a new client certificate.

Thus my config needs:

    'ssl': {
        'ca': os.path.join(BASE_DIR, 'ca.pem'),
        'cert': os.path.join(BASE_DIR, 'cert.pem'),
        'key': os.path.join(BASE_DIR, 'key.pem'),
    }


and I can't generate those client certificates because I can't vouch for ownership of the domain: it's your domain. 

After a bunch of conversations with ChatGPT, this is the take-home:

"typically in a hosting arrangement, the hosting provider owns and controls the physical server and the associated domain. As a customer, you’re renting space on their server to host your website or application. However, you usually have the ability to manage your own content and sometimes certain configurations within your rented space.

If you need to generate SSL certificates for a domain that’s controlled by your hosting provider, you would typically need to go through them or use a service they provide. This is because generating a certificate for a domain requires proving control over that domain, which is something the hosting provider would be able to do."

So is there some avenue through Plesk to get my hands on a client key and certificate? Cos I don't think there's any way for me to do it with what I found on there... the key and certificate on the Plesk page are - in all likelihood - the server key and certificate and SSL is asymmetric.

Posted

Well, I think the guides you're following assume that the server certificate is self-signed, which explains why you think you need to include the ca.pem and everything. Our certificate is issued by Let's Encrypt (not self-signed) and any modern OS should accept secure connections to it without needing the chain.

And no, we're not going to give you the key because then the SSL is compromised and actually less secure than not using SSL at all.
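
Added example, not part of the thread or anyone's post: one way to express the advice above as a Django settings helper. It connects by the name the certificate is issued for, trusts the OS CA store, and supplies no client certificate or key. It assumes the mysqlclient driver (its `ssl` and `ssl_mode` connect options); the function names are hypothetical.

```python
import ipaddress
import ssl

# Name the MySQL server certificate is issued for, per the thread.
MYSQL_CERT_NAME = "tommy2.heliohost.org"


def host_matches_cert(host, cert_names):
    """True if `host` is covered by one of the certificate's DNS names."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass
    else:
        return False  # an IP literal never matches a DNS name
    host_labels = host.lower().rstrip(".").split(".")
    for name in cert_names:
        name_labels = name.lower().rstrip(".").split(".")
        if len(name_labels) != len(host_labels):
            continue
        # A wildcard may only stand in for the whole left-most label.
        first_ok = name_labels[0] in ("*", host_labels[0])
        if first_ok and name_labels[1:] == host_labels[1:]:
            return True
    return False


def system_trust_store(paths=None):
    """Return the 'ssl' dict pointing at the OS CA store (no custom ca.pem)."""
    paths = paths or ssl.get_default_verify_paths()
    if paths.cafile:
        return {"ca": paths.cafile}
    if paths.capath:
        return {"capath": paths.capath}
    raise RuntimeError("no system CA store found")


def mysql_options(host, cert_names=(MYSQL_CERT_NAME,), paths=None):
    """Build DATABASES['default']['OPTIONS'] for a verified TLS connection."""
    if not host_matches_cert(host, cert_names):
        raise ValueError(f"{host!r} is not a name in the server certificate")
    return {
        "ssl_mode": "VERIFY_IDENTITY",     # check the chain and the hostname
        "ssl": system_trust_store(paths),  # server auth only: no 'cert'/'key'
    }
```

In settings.py the result would go under `OPTIONS`, with `HOST` set to the same name passed to `mysql_options`.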
