
Issue MySQL TLS enabled: The localhost is not compatible with enabling a secure connection.

jsnrkd

New Pleskian
Server operating system version
Ubuntu 18.04.6 LTS
Plesk version and microupdate number
18.0.52 Update #3,
Hi, I'm attempting to enable MySQL secure connection on 18.0.52, but when I edit panel.ini to set tls.enable to true, Plesk gives the following fatal error: "The localhost is not compatible with enabling a secure connection." This Plesk instance is connected to a localhost instance and one remote instance of MySQL 5.7. My best guess is that the fatal error is displayed because the two DBs mentioned don't have require_secure_transport=ON configured yet, but it's not obvious what the error message is referring to. Any tips?


Panel.ini edit:
[database]
tls.enable = true;
 
Could you please provide a screenshot where you see the phrase "The localhost is not compatible with enabling a secure connection"? I have not seen it before and I also do not find any mentions of it on the Internet. Are you sure that this is the exact error phrase that is displayed? Where is this displayed?
 
the two DBs mentioned don't have require_secure_transport=ON configured
That is a global setting you need to have in the my.cnf configuration file, else the database server won't use TLS. It is not a setting related to a set of databases or a single database.
 
Thanks Peter - I will work through my.cnf config and report back. In the meantime here is a screenshot of the error. In order to restore Plesk operability, I must set tls.enable to false through
Code:
plesk conf panel.ini


 
Hi, I have enabled the MySQL configuration on localhost (127.0.0.1) to require secure connections and verified it within mysql with \s, but I still get the fatal error from Plesk when tls.enable = true:

Code:
[mysqld]
 ssl-ca=/etc/mysql/certs/ca-cert.pem
 ssl-cert=/etc/mysql/certs/server-cert.pem
 ssl-key=/etc/mysql/certs/server-key.pem
 require_secure_transport=ON
 tls_version=TLSv1.2

Code:
mysql> \s
--------------
mysql  Ver 14.14 Distrib 5.7.42, for Linux (x86_64) using  EditLine wrapper

Connection id:          201
Current database:
Current user:           admin@localhost
SSL:                    Cipher in use is ECDHE-RSA-AES128-GCM-SHA256
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server version:         5.7.42-0ubuntu0.18.04.1 (Ubuntu)
Protocol version:       10
Connection:             127.0.0.1 via TCP/IP
Server characterset:    latin1
Db     characterset:    latin1
Client characterset:    utf8
Conn.  characterset:    utf8
TCP port:               3306
Uptime:                 5 min 53 sec
 

@jsnrkd, thank you for providing the additional information.

I was under the impression that with completion of the feature request "Secure MySQL connections" this year we did add that kind of TLS protection, but after advice of a colleague I learned that TLS is only possible for databases hosted on other servers, so that the data transfer between such other servers and the Plesk server is protected through TLS.

As a matter of fact, for local connections, TLS makes no sense anyway. This is also mentioned in the manual Securing Connections to Remote MySQL Database Servers.

But what I am also missing is the possibility to encrypt connections between remote clients and the database server on the Plesk server. At this time, it does not seem possible to do that. I have asked internally whether we can put the feature request back onto the agenda. If not, I'll add a new feature request regarding encryption of client-to-server connections.
 
Hi Peter, I realize you're correct that the localhost MySQL TLS connection that I configured is unnecessary. It is interesting, though, that the error message references the localhost as not compatible with enabling a secure connection. Do you have any idea what context that localhost error may refer to if it's not the localhost MySQL? I'd prefer to enable the tls.enable panel.ini config.

TLS is only possible for databases hosted on other servers, so that the data transfer between such other servers and the Plesk server is protected through TLS.
This is my goal: to attach a remote MySQL database within my virtual network that has require_secure_transport=on. I've found that I can do that if require_secure_transport=off and is then later toggled to "on" after Plesk makes the connection, but this does make phpMyAdmin show warnings saying it will now modify the connection to include SSL.
 
Thanks @Peter Debik - I see the issue you raise with that feature request although I don't think that's the setup I'm describing.

To clarify my setup:

I have an Ubuntu VM (1) hosting Plesk and a localhost MySQL instance. I also have another Ubuntu VM (2) running only MySQL that Plesk is configured to connect to as the default database. My goal is to set require_secure_transport=on on VM 2 and have Plesk connect to it using tls.enable=true. Once successful, I intend to attach a 3rd database to this Plesk instance, which is an Azure Flex MySQL instance, with the intention of replacing VM (2) after testing.
 
I can only encourage you to add your description to the User Voice request. It is best placed there, because later, when a feature is taken into consideration, staff will first look at the description and comments of the request. They will normally not search all of the forum for similar descriptions.
 
@jsnrkd your scenario (securing the connection of a remote database server) should fit the available feature in Plesk. I am not entirely sure why this doesn't work for you. Could you post the details of each step you took to configure both servers (Plesk server and remote DB server)? That way I can see if I can replicate the issue.
 
@Kaspar
Steps: Following these Securing Connections to a Remote MySQL Database Server :
Environment (Both machines same VNET):
  1. VM 1 - Ubuntu 18.04.6 LTS - VM 1 Plesk/MySQL 5.7.* (mysql added on localhost to Plesk)
  2. VM 2 - Ubuntu 18.04.6 LTS - VM 2 MySQL 5.7.* (this remote mysql instance also added to Plesk VM 1 DB config) (has been attached for many years)
1) Configure
VM 2 - Configure TLS/SSL by generating certificates and configuring MySQL
Code:
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 1000 -key ca-key.pem > ca-cert.pem
openssl req -newkey rsa:2048 -days 1000 -nodes -keyout server-key.pem > server-req.pem
openssl x509 -req -in server-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem

VM 2 Modify [mysqld] params
Code:
ssl-ca=/etc/mysql/ca-cert.pem
ssl-cert=/etc/mysql/server-cert.pem
ssl-key=/etc/mysql/server-key.pem
tls_version=TLSv1.2
require_secure_transport=ON

Test SSL connection from VM1 (Plesk) to VM2 (remote MySQL)
Code:
 mysql --host={redacted} -u{redacted} -p --ssl-mode=required

Confirm connection
Code:
mysql> \s
--------------
mysql  Ver 14.14 Distrib 5.7.42, for Linux (x86_64) using  EditLine wrapper

Connection id:          10
Current database:
Current user:           {redacted}
SSL:                    Cipher in use is ECDHE-RSA-AES128-GCM-SHA256
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server version:         (Ubuntu)
Protocol version:       10
Connection:             {redacted IP} via TCP/IP
Server characterset:    latin1
Db     characterset:    latin1
Client characterset:    utf8
Conn.  characterset:    utf8
TCP port:               3306
Uptime:                 43 sec

In Plesk on VM1, edit panel.ini with "sudo plesk conf panel.ini" and append
Code:
[database]
tls.enable = true;

Plesk is now inoperable stating "The localhost is not compatible with enabling a secure connection."

Although stated in the Plesk docs as unnecessary, I've also tried the configuration by requiring SSL on the localhost instance of MySQL.
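
A read-only check of the VM 2 `[mysqld]` settings listed in the steps above, added here as an example; it is not part of any post in this thread or of Plesk's tooling. It reports missing certificate files, a world-readable private key, a server that still accepts plaintext connections, and a `tls_version` that is unset or lists TLSv1/TLSv1.1. The function names and finding labels are made up for this example.

```shell
#!/usr/bin/env bash
# Added example: audit [mysqld] TLS settings in a MySQL option file (read-only).

# mysqld_opt FILE KEY: print the last value of KEY inside [mysqld].
# MySQL treats '-' and '_' in option names as equivalent, so both are matched.
mysqld_opt() {
    awk -v want="$2" '
        BEGIN { gsub(/-/, "_", want) }
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[mysqld\]/); next }
        !in_sec || /^[ \t]*[#;]/ || !/=/ { next }
        {
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key); gsub(/-/, "_", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (key == want) last = val
        }
        END { if (last != "") print last }
    ' "$1"
}

# audit_mysqld_tls FILE: print one finding per line; exit status = number of findings.
audit_mysqld_tls() {
    _n=0
    for _k in ssl_ca ssl_cert ssl_key; do
        _v=$(mysqld_opt "$1" "$_k")
        if [ -z "$_v" ]; then
            echo "MISSING $_k"; _n=$((_n + 1))
        elif [ ! -f "$_v" ]; then
            echo "NOT_FOUND $_k=$_v"; _n=$((_n + 1))
        elif [ "$_k" = ssl_key ] && [ -n "$(find "$_v" -prune -perm -004)" ]; then
            echo "WORLD_READABLE $_k=$_v"; _n=$((_n + 1))
        fi
    done
    _v=$(mysqld_opt "$1" require_secure_transport)
    case "$_v" in
        ON|on|1) ;;
        *) echo "PLAINTEXT_ALLOWED require_secure_transport=${_v:-unset}"; _n=$((_n + 1)) ;;
    esac
    _v=$(mysqld_opt "$1" tls_version | tr -d ' ')
    case ",$_v," in
        ,,) echo "TLS_VERSION_UNSET server default protocol list applies"; _n=$((_n + 1)) ;;
        *,TLSv1,*|*,TLSv1.1,*) echo "LEGACY_PROTOCOL tls_version=$_v"; _n=$((_n + 1)) ;;
    esac
    return "$_n"
}

# Usage: pass the option file to check as the first argument.
[ "$#" -eq 0 ] || audit_mysqld_tls "$1"
```

An exit status of 0 means every setting from the steps is present and the referenced files exist; it says nothing about whether Plesk itself will accept `tls.enable`.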
 
The article refers to steps required if your database is not hosted on the Plesk server.
If I am understanding this topic correctly that's exactly what @jsnrkd is trying to accomplish :)

@jsnrkd thank you for posting the steps you took to configure the servers. What I am missing is the step to add the remote database to Plesk (via Tools & Settings > Database Servers). Just to be sure, did you also add/connect the remote database to Plesk?
 
Yes, but the problem is that the setting also applies to the local database, and that won't work for the Plesk psa database. The feature was added in the scope of HA cluster that became available at the beginning of 2023. For that configuration, the psa database is not located on the Plesk server, but on another server.
 
Okay, that makes sense. The centralized DB announcement says I can't migrate the local PSA databases by converting an existing Plesk installation. So, the solution for me and those who want to use MySQL Secure Connections where the Plesk instance runs on a local PSA DB is to create and migrate to a new Plesk instance where the PSA DB is hosted in the remote database instance therefore eliminating the MySQL localhost error when TLS is enabled in panel.ini. Right? @Peter Debik

For the Plesk documentation, there should be a large callout at the top saying "This will not work for non-centralized Plesk DB installs" instead of "If your Plesk only uses local database server(s), there is no need to secure connections to them." and "If you have one or more remote MySQL database servers registered in Plesk, we recommend that you secure connections between them and Plesk using an SSL/TLS certificate" because I am using remote db servers albeit also with the default instance on localhost for PSA.
 
Okay, that makes sense. The centralized DB announcement says I can't migrate the local PSA databases by converting an existing Plesk installation. So, the solution for me and those who want to use MySQL Secure Connections where the Plesk instance runs on a local PSA DB is to create and migrate to a new Plesk instance where the PSA DB is hosted in the remote database instance therefore eliminating the MySQL localhost error when TLS is enabled in panel.ini. Right? @Peter Debik
Yes, that would be the approach.
 
Doesn't Plesk connect to the local database via socket? Would make sense that's not compatible with TLS.
 