Denis Machard


    How to enable TLS encryption with gmysql PowerDNS backend

    In this post, we will see how to enable TLS encryption, with authentication, between a PowerDNS authoritative server and a remote MySQL (MariaDB) database.

    Enable TLS encryption - One-way mode

    One-way TLS means that the client verifies that the presented certificate belongs to the server; the server does not authenticate the client.

    First of all, enable encryption on your MariaDB instance, allowing TLSv1.3 only:

    [mariadbd]
    ssl-ca = /etc/mysql/conf.d/ca.crt
    ssl-cert = /etc/mysql/conf.d/server.crt
    ssl-key = /etc/mysql/conf.d/server.key
    tls_version = TLSv1.3
    

    And require TLS for the PowerDNS user:

    ALTER USER 'pdns_user'@'%' REQUIRE SSL;
    

    Now update pdns.conf by adding the gmysql-group key:

    launch=gmysql
    gmysql-host=172.16.0.10
    gmysql-dbname=pdns
    gmysql-user=pdns_user
    gmysql-password=pdns_secret
    gmysql-group=pdns
    

    Finally, add the /etc/my.cnf file and provide the client's certificate and private key (ssl-verify-server-cert is what makes the client check that the certificate matches the server it connects to):

    [pdns]
    ssl-cert = /etc/powerdns/client.crt
    ssl-key = /etc/powerdns/client.key
    ssl_ca = /etc/powerdns/ca.crt
    ssl-verify-server-cert
    # force TLS version for client too
    #tls_version = TLSv1.2,TLSv1.3
    

    Restart your pdns instance and check that the connection succeeds and is actually protected by TLS:

    $ sudo docker exec docker-stack-dns-ns-1 pdnsutil backend-cmd gmysql 'show session status like "ssl_cipher"'
    == show session status like "ssl_cipher"
    'Ssl_cipher'	'TLS_AES_256_GCM_SHA384'
    

    Enable Two-Way TLS

    Two-way TLS means that the client is also authenticated by the server. To do that, the client must present an X.509 certificate to the server.

    Restrict the PowerDNS user to a specific certificate subject:

    ALTER USER 'pdns_user'@'%' REQUIRE SUBJECT '/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=client.hello.world';
    

    Restart your pdns instance; authentication should now succeed.

    If you get an access denied error like the one below, take a look at your database logs:

    docker-stack-dns-ns-1  | Sep 28 19:10:34 gmysql Connection failed: Unable to connect to database: ERROR 1045 (28000): Access denied for user 'pdns_user'@'172.16.0.30' (using password: YES)
    

    The subject mismatch should appear there (MariaDB compares the whole DN string exactly, so '/CN=...' alone will not match a certificate that also carries C, ST and O):

    docker-stack-dns-db-1  | 2023-09-28 19:10:34 6 [Note] X509 subject mismatch: should be '/CN=client.hello.world' but is '/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=client.hello.world'
    docker-stack-dns-db-1  | 2023-09-28 19:10:34 6 [Warning] Access denied for user 'pdns_user'@'172.16.0.30' (using password: YES)
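
    Added example (not part of the original post): a small Python helper that turns the client certificate's subject, as printed by `openssl x509 -noout -subject -nameopt RFC2253`, into the exact '/C=.../CN=...' form MariaDB expects in REQUIRE SUBJECT, builds the ALTER USER statement, and parses the "X509 subject mismatch" log line to show why the '/CN=client.hello.world' rule above is rejected. The certificate subject and log line are constructed samples based on the values in this post.

```python
from __future__ import annotations
import re

# Constructed sample: what `openssl x509 -in client.crt -noout -subject -nameopt RFC2253`
# would print for the client certificate used in this post (hypothetical cert).
RFC2253_SUBJECT = "CN=client.hello.world,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU"

# Constructed sample of the MariaDB log line shown in the post.
MISMATCH_LOG = ("2023-09-28 19:10:34 6 [Note] X509 subject mismatch: should be "
                "'/CN=client.hello.world' but is "
                "'/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=client.hello.world'")


def split_rdns(rfc2253: str) -> list[str]:
    """Split an RFC 2253 DN on unescaped commas; '\\,' inside a value is kept as ','."""
    return [p.replace("\\,", ",") for p in re.split(r"(?<!\\),", rfc2253)]


def to_oneline(rfc2253: str) -> str:
    """Convert RFC 2253 order (CN first) into the OpenSSL 'oneline' form that MariaDB
    compares against in REQUIRE SUBJECT: root-first, one RDN per leading '/'."""
    if rfc2253.startswith("subject="):
        rfc2253 = rfc2253[len("subject="):]
    rdns = [r.strip() for r in split_rdns(rfc2253)]
    return "".join("/" + r for r in reversed(rdns))


def require_subject_sql(user: str, host: str, oneline: str) -> str:
    """Build the ALTER USER statement; single quotes inside the DN are doubled."""
    escaped = oneline.replace("'", "''")
    return f"ALTER USER '{user}'@'{host}' REQUIRE SUBJECT '{escaped}';"


def parse_mismatch(line: str) -> tuple[str, str] | None:
    """Extract (required, presented) subjects from a MariaDB subject-mismatch log line."""
    m = re.search(r"should be '(.*?)' but is '(.*?)'", line)
    return (m.group(1), m.group(2)) if m else None


def subject_accepted(required: str, presented: str) -> bool:
    """MariaDB accepts only an exact match of the full DN string, never a CN-only prefix."""
    return required == presented


if __name__ == "__main__":
    subject = to_oneline(RFC2253_SUBJECT)
    print(require_subject_sql("pdns_user", "%", subject))
    required, presented = parse_mismatch(MISMATCH_LOG)
    verdict = "accepted" if subject_accepted(required, presented) else "REJECTED"
    print(f"{verdict}: rule {required!r} vs certificate {presented!r}")
```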
    

    Some additional links
