MySQL创建用户带SSL认证，并且有SUBJECT和ISSUER的时候，报错[Note] X509 subject mismatch:解决(二)

2014-11-24 13:33:12 · 作者: · 浏览: 1

标签: MySQL 创建用户 SSL 认证并且 SUBJECT ISSUER 时候报错 Note X509 subject mismatch: 解决

xxc Xxxx, Inc CA/emailAddress=wwtso-ssl-admins@XX.com'

3 看到client端的issuer和server端的issuer mismatch，所以为了测试成功，直接修改grant语句吧，再次进行测试，如下，drop user然后再grant帐号

  drop user 'test'@'%';
  GRANT all privileges ON *.* TO 'test'@'%'
  IDENTIFIED BY 'test'
  REQUIRE SUBJECT '/CN=nuc-bbbmysql-client.nucleus.XX.com/OU=XX Online/Pogo.com/O="Xxxxxxxxc Xxxx, Inc."/S=California/C=US'
  and issuer '/C=US/ST=California/L=Redwood City/O=Xxxxxxxxc Xxxx, Inc./OU=XX Online/Pogo.com/CN=Xxxxxxxxc Xxxx, Inc CA/emailAddress=wwtso-ssl-admins@XX.com' ;

客户端登陆mysql db server,依然报错如下：

[ddddmysqlprd@XXnprdmydbctl client-cert]$   /opt/mysql/product/mysql/bin/mysql -hXXcccmysql.abn-iad.XX.com -utest -ptest --ssl-ca=/home/ddddmysqlprd/client-cert/ca-cert.pem --ssl-cert=/home/ddddmysqlprd/client-cert/client-cert.pem --ssl-key=/home/ddddmysqlprd/client-cert/client-key.pem
ERROR 1045 (28000): Access denied for user 'test'@'XXnprdmydbctl.XXo.abn-iad.XX.com' (using password: YES)
再check error日志
  130722  9:29:15 [Note] X509 subject mismatch: 
  should be '/CN=nuc-bbbmysql-client.nucleus.XX.com/OU=XX Online/Pogo.com/O="Xxxxxxxxc Xxxx, Inc."/S=California/C=US' 
  but is '/C=US/ST=California/O=Xxxxxxxxc Xxxx, Inc./OU=XX Online/Pogo.com/CN=nuc-bbbmysql-client.nucleus.XX.com'

4 看到client与server的subject不一致，所以直接将提示error中的subject里面的替换下，再测试

 drop user，然后grant user；
   drop user 'test'@'%';
  GRANT all privileges ON *.* TO 'test'@'%'
  IDENTIFIED BY 'test'
  REQUIRE SUBJECT '/C=US/ST=California/O=Xxxxxxxxc Xxxx, Inc./OU=XX Online/Pogo.com/CN=nuc-bbbmysql-client.nucleus.XX.com'
  and issuer '/C=US/ST=California/L=Redwood City/O=Xxxxxxxxc Xxxx, Inc./OU=XX Online/Pogo.com/CN=Xxxxxxxxc Xxxx, Inc CA/emailAddress=wwtso-ssl-admins@XX.com' ;   drop user 'test'@'%';
  GRANT all privileges ON *.* TO 'test'@'%'
  IDENTIFIED BY 'test'
  REQUIRE SUBJECT '/C=US/ST=California/O=Xxxxxxxxc Xxxx, Inc./OU=XX Online/Pogo.com/CN=nuc-bbbmysql-client.nucleus.XX.com'
  and issuer '/C=US/ST=California/L=Redwood City/O=Xxxxxxxxc Xxxx, Inc./OU=XX Online/Pogo.com/CN=Xxxxxxxxc Xxxx, Inc CA/emailAddress=wwtso-ssl-admins@XX.com' ;

然后在客户端登陆

[ddddmysqlprd@XXnprdmydbctl client-cert]$   /opt/mysql/product/mysql/bin/mysql -hXXcccmysql.abn-iad.XX.com -utest -ptest --ssl-ca=/home/ddddmysqlprd/client-cert/ca-cert.pem --ssl-cert=/home/ddddmysqlprd/client-cert/client-cert.pem --ssl-key=/home/ddddmysqlprd/client-cert/client-key.pem
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 25289
Server version: 5.5.25a-log MySQL XX RelXXse
Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clXXr the current input statement.
mysql> 
mysql> 
mysql> 
mysql> 
mysql> exit
Bye

OK，i did it。

然后觉得同事给我的subject和issuer有问题，跟同事在server端创建的server key有出入，

最后检查问题出在windown环境和linux环境之间的差异，同事给的一些参数是window下的，所以linux下不识别，比如email参数等。

不过这些也没有关系，我们只要关注error日志，看报错信息然后依据报错信息一步步调试，都可以确保功能测试通过。

首页上一页 1 2 下一页尾页 2/2/2

上一篇 This version of MySQL doesn'..

下一篇 mysql数据库用工具和命令行实现导..