[Teleport Database Proxy service to self-hosted MySQL] ERROR 1105 (HY000): Database cannot validate client certificate generated by database service: io.ReadFull(header) failed. err remote error: tls: unknown certificate authority: connection was bad. #50568
Replies: 3 comments
-
I was using the Teleport CA certificate generated by |
-
The self-hosted MySQL docs take you through how to set up MySQL to trust Teleport-issued certificates here: https://goteleport.com/docs/enroll-resources/database-access/enroll-self-hosted-databases/mysql-self-hosted/#step-34-configure-mysqlmariadb Can you share the MySQL mysql.cnf config file that you edited as shown in the docs?
-
Hi,
I managed to resolve this by adding Teleport CA into the CA certificate of MySQL. All good now!
Thanks
Ryan
Ryan Kuan (关俊廉) | HeatWave Data Architect
MySQL Solution Engineering, Center of Excellence
MySQL Global Business Unit
Oracle JAPAC
From: Gus Luxton
Date: Friday, 10 January 2025 at 3:52 AM
The self-hosted MySQL docs take you through how to set up MySQL to trust Teleport-issued certificates here: https://goteleport.com/docs/enroll-resources/database-access/enroll-self-hosted-databases/mysql-self-hosted/#step-34-configure-mysqlmariadb
Can you share the MySQL mysql.cnf config file that you edited as shown in the docs?
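The fix reported in this thread, as an added example that is not part of any participant's post or of Teleport's own tooling: a client certificate issued by one CA is rejected while the server's CA file holds only a different CA, and is accepted once the issuing CA is appended to that file. The CA names, subjects and file paths are constructed stand-ins, and the script assumes the `openssl` CLI is installed.

```shell
#!/usr/bin/env bash
# Constructed demo: CA names, subjects and file paths are made up for illustration.
set -eu
WORK="$(mktemp -d)"

# make_ca NAME: create a self-signed CA (stand-in for the MySQL CA or the Teleport CA).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_client CA NAME: create client certificate NAME signed by CA.
issue_client() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -out "$WORK/$2.pem" 2>/dev/null
}

# trusts BUNDLE CERT: exit status 0 only if CERT chains to a CA in BUNDLE.
trusts() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_ca mysql-ca
make_ca teleport-ca
issue_client teleport-ca db-service-client   # what the database service presents

# Before: the server's CA file holds only its own CA.
if trusts "$WORK/mysql-ca.pem" "$WORK/db-service-client.pem"; then
  echo "before: client certificate accepted"
else
  echo "before: client certificate rejected (issuer not in CA file)"
fi

# After: the issuing CA is appended to the file the server uses as its CA file.
cat "$WORK/mysql-ca.pem" "$WORK/teleport-ca.pem" > "$WORK/ca-bundle.pem"
if trusts "$WORK/ca-bundle.pem" "$WORK/db-service-client.pem"; then
  echo "after: client certificate accepted"
else
  echo "after: client certificate rejected"
fi
```

The same `openssl verify -CAfile` check can be run against a real CA file and client certificate to confirm the trust chain before restarting the database.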
-
Hi,
I am getting an error trying to connect to a database using this command "tsh connect mysql-server --db-user=admin --db-name=dbname". Both the Teleport and MySQL servers are created with the same self-signed CA certificate. In theory, the MySQL server should be able to authenticate the client certificate presented by the Database proxy service because the identical self-signed CA certificate is used.
What am I missing? Please help?
Thanks
Ryan