This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

Can't connect to MySQL Instance using TLS/SSL with the generated certificates in Node.JS

Posted on 08-16-2023 12:43 AM
Joe8
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Im trying to connect to a GCP MySQL database in node.js with TLS/SSL however receive the following error:

Hostname/IP does not match certificate's altnames: IP: xx.xx.xxx.xx is not in the cert's list

Any ideas?

0 1 2,547
Topic Labels
0 Likes
1 REPLY 1

Posted on --/--/---- --:-- AM
ms4446
Staff
Reply posted on --/--/---- --:-- AM

The error message "Hostname/IP does not match certificate's altnames: IP: xx.xx.xxx.xx is not in the cert's list" means that the hostname or IP address you are using to connect to the MySQL database does not match the hostname or IP address in the certificate's Subject Alternative Names (SANs). SANs are additional hostnames or IP addresses for which the certificate is valid, in addition to the primary Common Name (CN).

There are a few things you can try to fix this error:

  1. Make sure that the hostname or IP address you are using is correct.You can find the hostname or IP address of your MySQL database in the Cloud SQL console.
  2. If you are using a hostname, make sure that the hostname is resolved to the correct IP address. You can use the pingcommand to check the hostname resolution.
  3. If you are using an IP address,make sure that the IP address is in the list of SANs in the certificate.You can view the certificate in the Cloud SQL console or using tools like openssl.
  4. If you are using a proxy to connect to the MySQL database,make sure that the proxy is configured to pass the correct hostname or IP address to the MySQL database.

If you have tried all of these things and you are still getting the error, you can try setting the rejectUnauthorized option to false in the Node.js connection string. This will allow you to connect to the database even if the hostname or IP address does not match the certificate. However, this is not a secure option and should only be used as a temporary workaround.

Here is an example of a Node.js connection string that uses the rejectUnauthorized option:

 

const mysql = require('mysql');

const connection = mysql.createConnection({
  host: 'my-database-instance.us-central1-a.mysql.gcp.com',
  port: 3306,
  database: 'my-database',
  user: 'my-username',
  password: 'my-password',
  ssl: {
    ca: '/path/to/ca.pem',
    cert: '/path/to/cert.pem',
    key: '/path/to/key.pem',
    rejectUnauthorized: false
  }
});

Security Implications of Setting rejectUnauthorized to false

Setting rejectUnauthorized to false effectively disables SSL/TLS verification, making the connection vulnerable to man-in-the-middle attacks. This option should be used with extreme caution and only as a temporary workaround.

Proxy Configuration

If you are using a proxy to connect to the MySQL database, it is important to make sure that the proxy is configured to pass the correct hostname or IP address to the MySQL database. If the proxy is altering the hostname or IP address, it could be a security concern, and you should ensure you trust the proxy you are using.

Additional Solutions

If you have control over the MySQL server, you can also try regenerating or obtaining a new certificate that includes the necessary hostname or IP address in its SANs.

0 Likes
Top Solution Authors
View all