
Using SSL with MySQL 8 in Docker, and generating custom certificates with openssl

Date: 2024-01-15 14:44:49
Tags: custom, mysql8, ca, openssl, server, pem, key, mysql

Edit my.cnf
vi /docker_data/mysql/conf/my.cnf
[client]
default-character-set=utf8mb4
[mysql]
default-character-set=utf8mb4
[mysqld]
character-set-server=utf8mb4
default_authentication_plugin=mysql_native_password
# enable SSL/TLS
ssl
Save the file and restart the MySQL container.

Two notes on this file. MySQL 8.0 enables TLS on its own when it finds ca.pem, server-cert.pem and server-key.pem in the data directory (it generates them on first start), so the ssl line only states the intent; it does not reject plaintext clients, which is what require_secure_transport=ON does, and later 8.0 releases deprecate the server-side ssl option. Also, default_authentication_plugin=mysql_native_password downgrades new accounts from the 8.0 default caching_sha2_password; keep it only if you really have old clients that cannot use the newer plugin.

docker restart mysql-8.0.23
Enter the container

docker exec -it mysql-8.0.23 bash
Log in to MySQL inside the container

root@600caf0ddad6:/# mysql -u root -p
Check whether SSL is enabled

mysql> show variables like '%ssl%';
+---------------+-----------------+
| Variable_name | Value           |
+---------------+-----------------+
| have_openssl  | YES             |
| have_ssl      | YES             |
| ssl_ca        | ca.pem          |
| ssl_cert      | server-cert.pem |
| ssl_fips_mode | OFF             |
| ssl_key       | server-key.pem  |
+---------------+-----------------+
have_openssl and have_ssl must both be YES. DISABLED for have_ssl means SSL support is compiled in but the server could not load a usable certificate and key. The relative file names shown for ssl_ca, ssl_cert and ssl_key are resolved against the data directory.
Create an account that may only log in over SSL

CREATE USER 'x2'@'%' IDENTIFIED WITH mysql_native_password BY 'x2' REQUIRE SSL PASSWORD EXPIRE NEVER;
GRANT ALL ON *.* TO 'x2'@'%';
FLUSH PRIVILEGES;
exit
REQUIRE SSL only forces the connection to be encrypted: this account does not need the client certificate and key used later, and any client that trusts ca.pem can authenticate with the password alone. To make the server demand a client certificate signed by the CA, use REQUIRE X509 instead, or REQUIRE ISSUER and REQUIRE SUBJECT to pin the issuer and subject. Whether plaintext clients are rejected is decided by the account's REQUIRE clause (or by require_secure_transport=ON for every account), not by the ssl line in my.cnf. FLUSH PRIVILEGES is not needed after CREATE USER and GRANT, which update the grant tables directly. A user x2 with password x2, GRANT ALL ON *.* and a '%' host is fine for a lab and for nothing else.
Locate the SSL certificates inside the container. By default they live under /var/lib/mysql/, the data directory, where MySQL 8 generated them on first start.

root@600caf0ddad6:/# find / -name ca.pem
/var/lib/mysql/ca.pem
Because /var/lib/mysql/ was mapped to /docker_data/mysql/data/ on the host at install time, the certificates can be copied straight from that host directory to the Windows machine.

Download these three files (ca.pem, client-cert.pem and client-key.pem) to the desktop and connect with the Windows MySQL 8 client, or with Navicat. client-key.pem is a private key: move it over a secure channel and keep it readable only by the user who runs the client.

Windows 10: MySQL 8 client connecting to the server's MySQL 8
D:\softwareWork\mysql-8.0.23-winx64\bin>mysql --ssl-ca=C:\Users\x\Desktop/ca.pem --ssl-cert=C:\Users\x\Desktop/client-cert.pem --ssl-key=C:\Users\x\Desktop/client-key.pem --ssl-cipher=AES128-SHA -h 192.168.1.111 -u x2 -p
Enter password: **
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 42
Server version: 8.0.23 MySQL Community Server - GPL

Copyright (c) 2000, 2021, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> \s
--------------
mysql Ver 8.0.23 for Win64 on x86_64 (MySQL Community Server - GPL)

Connection id: 42
Current database:
Current user: [email protected]
SSL: Cipher in use is TLS_AES_256_GCM_SHA384
Seeing SSL: Cipher in use is TLS_AES_256_GCM_SHA384 confirms that the session is encrypted. The suite is not the AES128-SHA requested with --ssl-cipher because the session negotiated TLS 1.3: --ssl-cipher only governs TLS 1.2 and earlier, and TLS 1.3 suites are chosen with --tls-ciphersuites. Two further points. Pass --ssl-mode=VERIFY_CA explicitly rather than relying on the default PREFERRED, which falls back to plaintext when the server offers no TLS; the account's REQUIRE SSL protects the server side, but only CA verification on the client defeats a man-in-the-middle. Expect --ssl-mode=VERIFY_IDENTITY to fail with these certificates, since their Common Name (b) matches neither the IP address nor a hostname. The same check can be made without a MySQL client by pointing openssl s_client in its -starttls mysql mode at port 3306 with -CAfile ca.pem.

Windows 10: Navicat connecting to the server's MySQL 8

Generating custom certificates with openssl
Reference: the MySQL manual section "Creating SSL Certificates and Keys Using openssl".
Because /var/lib/mysql/ was mapped to /docker_data/mysql/data/ on the host at install time, the certificates are generated directly in that directory and then downloaded to the Windows machine.

cd /docker_data/mysql/data/

# CA private key and self-signed CA certificate
openssl genrsa 2048 > ca-key.pem

openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem

# server private key and CSR, then sign the CSR with the CA
openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem

openssl rsa -in server-key.pem -out server-key.pem

openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

# client private key and CSR, then sign the CSR with the CA
openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem

openssl rsa -in client-key.pem -out client-key.pem

openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem

Four things to watch when running these commands. The Common Name typed for the CA must differ from the one used for the server and client certificates, or MySQL rejects the chain (the run below uses a, b and c). Both leaf certificates are signed with -set_serial 01, as in the manual's example; give the client certificate its own serial, because two certificates issued by one CA must not share one. ca-key.pem is only needed for signing and mysqld never reads it, so move it out of the data directory (and off the host volume) once the certificates exist. Finally, mysqld loads the server certificate at startup: after the files are replaced, either restart the container or run ALTER INSTANCE RELOAD TLS (available since MySQL 8.0.16), and make server-key.pem readable by the user mysqld runs as and by nobody else.

A complete run looks like this:

[root@node1 data]# openssl genrsa 2048 > ca-key.pem
Generating RSA private key, 2048 bit long modulus
....................................+++
............................................................................................................................................................+++
e is 65537 (0x10001)
[root@node1 data]# openssl req -new -x509 -nodes -days 3600 \
> -key ca-key.pem -out ca.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:aa
State or Province Name (full name) []:a
Locality Name (eg, city) [Default City]:a
Organization Name (eg, company) [Default Company Ltd]:a
Organizational Unit Name (eg, section) []:a
Common Name (eg, your name or your server's hostname) []:a
Email Address []:a
[root@node1 data]# openssl req -newkey rsa:2048 -days 3600 \
> -nodes -keyout server-key.pem -out server-req.pem
Generating a 2048 bit RSA private key
.....................................................+++
........................+++
writing new private key to 'server-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:bb
State or Province Name (full name) []:b
Locality Name (eg, city) [Default City]:b
Organization Name (eg, company) [Default Company Ltd]:b
Organizational Unit Name (eg, section) []:b
Common Name (eg, your name or your server's hostname) []:b
Email Address []:b

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@node1 data]# openssl rsa -in server-key.pem -out server-key.pem
writing RSA key
[root@node1 data]# openssl x509 -req -in server-req.pem -days 3600 \
> -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
Signature ok
subject=/C=bb/ST=b/L=b/O=b/OU=b/CN=b/emailAddress=b
Getting CA Private Key
[root@node1 data]# openssl req -newkey rsa:2048 -days 3600 \
> -nodes -keyout client-key.pem -out client-req.pem
Generating a 2048 bit RSA private key
..............................................................+++
...+++
writing new private key to 'client-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:bb
State or Province Name (full name) []:b
Locality Name (eg, city) [Default City]:b
Organization Name (eg, company) [Default Company Ltd]:b
Organizational Unit Name (eg, section) []:b
Common Name (eg, your name or your server's hostname) []:c
Email Address []:b

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@node1 data]# openssl rsa -in client-key.pem -out client-key.pem
writing RSA key
[root@node1 data]# openssl x509 -req -in client-req.pem -days 3600 \
> -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
Signature ok
subject=/C=bb/ST=b/L=b/O=b/OU=b/CN=c/emailAddress=b
Getting CA Private Key

Verify that the certificates are correct
[root@node1 data]# openssl verify -CAfile ca.pem server-cert.pem client-cert.pem
server-cert.pem: OK
client-cert.pem: OK
Inspect the certificate contents (for example, to check the validity period)
openssl x509 -text -in ca.pem
openssl x509 -text -in server-cert.pem
openssl x509 -text -in client-cert.pem
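The generation procedure and the verification step above, as one added example that is not part of the original post. It runs the same CA, server and client sequence with openssl non-interactively (subject names are passed with -subj instead of answering prompts) and adds what the post's commands leave out: a distinct serial for the client certificate, a subjectAltName on the server certificate so that --ssl-mode=VERIFY_IDENTITY can succeed, owner-only permissions on the private keys, and a verify function that checks the chain, that each key belongs to its certificate, the validity window, that the serials differ and that the CA subject differs from the leaf subjects. The output directory, the CN values, MYSQL_HOST and the script name are placeholders chosen for this example, not values from the page. The post's extra openssl rsa rewrite of each key into the legacy PKCS#1 encoding is omitted, because MySQL 8.0 reads the PKCS#8 keys that req -nodes writes.

```shell
#!/bin/sh
# Added example (not from the original post): regenerate a MySQL CA,
# server and client certificate set non-interactively and run the checks
# worth doing before the files go into /var/lib/mysql.
# Assumptions, not taken from the page: the output directory, the subject
# names and MYSQL_HOST (the address clients dial) are placeholders.
set -eu

OUT="${OUT:-./mysql-tls}"
DAYS="${DAYS:-3600}"
MYSQL_HOST="${MYSQL_HOST:-192.168.1.111}"   # placeholder server address

gen_certs() {
  o="$OUT"
  mkdir -p "$o"

  # 1. CA key and self-signed CA certificate. Its CN must differ from the
  #    server's and the client's CN, or MySQL rejects the chain.
  openssl genrsa -out "$o/ca-key.pem" 2048 2>/dev/null
  openssl req -new -x509 -nodes -days "$DAYS" -key "$o/ca-key.pem" \
    -subj "/CN=MySQL_Example_CA" -out "$o/ca.pem" 2>/dev/null

  # 2. Server key + CSR, signed with serial 01. A subjectAltName matching
  #    the address clients use lets --ssl-mode=VERIFY_IDENTITY succeed;
  #    the post's CN=b certificate can only pass VERIFY_CA.
  case "$MYSQL_HOST" in
    *[!0-9.]*) san="DNS:$MYSQL_HOST" ;;
    *)         san="IP:$MYSQL_HOST"  ;;
  esac
  openssl req -newkey rsa:2048 -nodes -keyout "$o/server-key.pem" \
    -subj "/CN=MySQL_Server" -out "$o/server-req.pem" 2>/dev/null
  printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\n' "$san" > "$o/server-ext.cnf"
  openssl x509 -req -in "$o/server-req.pem" -days "$DAYS" -CA "$o/ca.pem" \
    -CAkey "$o/ca-key.pem" -set_serial 01 -extfile "$o/server-ext.cnf" \
    -out "$o/server-cert.pem" 2>/dev/null

  # 3. Client key + CSR, signed with serial 02: two certificates issued by
  #    one CA must not share a serial (the post uses 01 for both).
  openssl req -newkey rsa:2048 -nodes -keyout "$o/client-key.pem" \
    -subj "/CN=MySQL_Client" -out "$o/client-req.pem" 2>/dev/null
  printf 'extendedKeyUsage=clientAuth\n' > "$o/client-ext.cnf"
  openssl x509 -req -in "$o/client-req.pem" -days "$DAYS" -CA "$o/ca.pem" \
    -CAkey "$o/ca-key.pem" -set_serial 02 -extfile "$o/client-ext.cnf" \
    -out "$o/client-cert.pem" 2>/dev/null

  # Private keys are secrets: owner-only. Inside the container, chown
  # server-key.pem to the user mysqld runs as so it can still read it.
  chmod 600 "$o/ca-key.pem" "$o/server-key.pem" "$o/client-key.pem"
}

# Returns 0 only if the set in directory $1 (default $OUT) is usable.
verify_certs() {
  d="${1:-$OUT}"
  # Chain check, the same command the post runs.
  openssl verify -CAfile "$d/ca.pem" "$d/server-cert.pem" "$d/client-cert.pem" >/dev/null 2>&1 || return 1
  ca_subj=$(openssl x509 -in "$d/ca.pem" -subject -noout)
  for n in server client; do
    # The key must belong to the certificate: compare the public keys.
    [ "$(openssl x509 -in "$d/$n-cert.pem" -pubkey -noout)" = \
      "$(openssl pkey -in "$d/$n-key.pem" -pubout 2>/dev/null)" ] || return 1
    # Leaf subject must differ from the CA subject (MySQL requirement).
    [ "$(openssl x509 -in "$d/$n-cert.pem" -subject -noout)" != "$ca_subj" ] || return 1
    # Must be inside its validity window right now.
    openssl x509 -in "$d/$n-cert.pem" -checkend 0 -noout >/dev/null || return 1
  done
  # Server and client serials must differ.
  [ "$(openssl x509 -in "$d/server-cert.pem" -serial -noout)" != \
    "$(openssl x509 -in "$d/client-cert.pem" -serial -noout)" ] || return 1
  return 0
}

# Run directly as: sh mysql_tls.sh gen
if [ "${1:-}" = "gen" ]; then
  gen_certs
  verify_certs "$OUT" && echo "certificate set in $OUT verified OK"
fi
```

After running it, copy ca.pem, server-cert.pem and server-key.pem into the data directory, reload TLS in the server (restart, or ALTER INSTANCE RELOAD TLS), and give clients ca.pem plus client-cert.pem and client-key.pem, the key over a secure channel. ca-key.pem stays with whoever issues certificates, not on the database host.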

From: https://www.cnblogs.com/x666-6/p/17965333
