Markus
2020-Jun-08 10:15 UTC
[asterisk-users] cdr_mysql: Cannot connect to database server - SSL error: SSL_CTX_set_default_verify_paths failed
Hi list!

I'm getting this error frequently:

ERROR[25193][C-0004f387]: cdr_mysql.c:203 mysql_log: Cannot connect to database server localhost: (2026) SSL connection error: SSL_CTX_set_default_verify_paths failed

Right now, as a workaround, I reload Asterisk via cron once an hour, and after the reload everything is fine again _for a while_. Still, over the course of a month I lose about 12% of my CDRs this way. I guess I could reload more often but would prefer a real fix, not a workaround. Anyone got an idea?

Asterisk 11.25.0 built by mockbuild @ olive.ph.tucny.com on a x86_64 running Linux on 2016-11-23 22:17:54 UTC

Database is a Galera cluster: galera-3-25.3.19-2.el7.x86_64

Asterisk is writing to the local MySQL instance and there's SSL between the Galera cluster nodes.

Thanks!
Markus
Antony Stone
2020-Jun-08 10:25 UTC
[asterisk-users] cdr_mysql: Cannot connect to database server - SSL error: SSL_CTX_set_default_verify_paths failed
On Monday 08 June 2020 at 12:15:56, Markus wrote:

> Hi list!
>
> I'm getting this error frequently:
>
> ERROR[25193][C-0004f387]: cdr_mysql.c:203 mysql_log: Cannot connect to
> database server localhost: (2026) SSL connection error:
> SSL_CTX_set_default_verify_paths failed

Hmmm... talking to localhost over SSL... seems a bit computationally wasteful.

> Right now, as a workaround, I reload Asterisk via cron once an hour, and
> after the reload everything is fine again _for a while_. Still, over the
> course of a month I lose about 12% of my CDRs this way. I guess I could
> reload more often but would prefer a real fix, not a workaround. Anyone
> got an idea?

> Database is a Galera cluster: galera-3-25.3.19-2.el7.x86_64

Use the ODBC connector and talk to MariaDB over a Unix socket instead of TCP:

https://wiki.asterisk.org/wiki/display/AST/Getting+Asterisk+Connected+to+MySQL+via+ODBC

Antony.

--
"There is no reason for any individual to have a computer in their home." - Ken Olsen, President of Digital Equipment Corporation (DEC, later consumed by Compaq, later merged with HP)

Please reply to the list; please *don't* CC me.
John Runyon
2020-Jun-08 10:57 UTC
[asterisk-users] cdr_mysql: Cannot connect to database server - SSL error: SSL_CTX_set_default_verify_paths failed
On Mon, 8 Jun 2020 at 05:18, Markus <universe at truemetal.org> wrote:

> Hi list!
>
> I'm getting this error frequently:
>
> ERROR[25193][C-0004f387]: cdr_mysql.c:203 mysql_log: Cannot connect to
> database server localhost: (2026) SSL connection error:
> SSL_CTX_set_default_verify_paths failed
>

"SSL_CTX_set_default_verify_paths() specifies that the default locations from which CA certificates are loaded should be used." ( https://www.openssl.org/docs/man1.1.0/man3/SSL_CTX_set_default_verify_paths.html )

"The SSL_CTX_set_default_verify_paths failed error occurs if paths to any of the certificate files are invalid (either missing or have incorrect permissions)." ( https://stackoverflow.com/questions/27031318/what-does-this-error-mean-in-mariadb-ssl-error-2026-hy000-ssl-connection-e/45083610 )

Sounds to me like your CApath / CAfile being used by MySQL doesn't exist, and so it's unable to verify the certificate.

You can try some of the answers in that stack overflow thread... or just don't use SSL to connect to a local MySQL instance. Unless you've done some weird configuration, only the same user as one of the processes, or root, has the ability to eavesdrop; and both could eavesdrop by attaching to the process (i.e. with a debugger) even with SSL enabled.
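Added example (not part of the original thread, and not Asterisk or MySQL project code): a Python check for the failure mode quoted in the reply above, where a configured CA, certificate or key path is missing or unreadable. Which option file and groups the MySQL client library used by Asterisk actually reads is an assumption here; `SAMPLE_CNF` and its paths are constructed.

```python
import os
import ssl

# MySQL/MariaDB options that name TLS files (dash and underscore spellings are equivalent).
TLS_KEYS = {"ssl-ca", "ssl-capath", "ssl-cert", "ssl-key"}

def tls_options(cnf_text, groups=("client", "mysqld")):
    """Collect ssl-* file options from my.cnf-style text (groups to inspect are an assumption)."""
    found, group = {}, None
    for raw in cnf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;!":      # skip comments and !include directives
            continue
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        key = key.strip().lower().replace("_", "-")
        if sep and group in groups and key in TLS_KEYS:
            found[f"{group}.{key}"] = value.strip().strip("'\"")
    return found

def openssl_defaults():
    """Compiled-in CA locations of the OpenSSL build this Python is linked against."""
    p = ssl.get_default_verify_paths()
    return {"openssl.cafile": p.openssl_cafile, "openssl.capath": p.openssl_capath}

def check_paths(named_paths):
    """Classify each path as ok / missing / unreadable for the current user."""
    report = {}
    for name, path in named_paths.items():
        if not path or not os.path.exists(path):
            report[name] = "missing"
        elif not os.access(path, os.R_OK | (os.X_OK if os.path.isdir(path) else 0)):
            report[name] = "unreadable"
        else:
            report[name] = "ok"
    return report

# Constructed sample, not the poster's real configuration.
SAMPLE_CNF = """
[client]
ssl-ca = /etc/pki/tls/certs/constructed-ca.pem
[mysqld]
ssl_cert=/etc/mysql/constructed-server-cert.pem
"""

if __name__ == "__main__":
    targets = {**tls_options(SAMPLE_CNF), **openssl_defaults()}
    for name, state in check_paths(targets).items():
        print(f"{state:10} {name} -> {targets[name]}")
```

Run it as the user the Asterisk process runs as, since readability is evaluated for the current user. Python may be linked against a different OpenSSL build than the MySQL client library, so treat the `openssl.*` rows as indicative.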
Markus
2020-Jun-29 10:43 UTC
[asterisk-users] cdr_mysql: Cannot connect to database server - SSL error: SSL_CTX_set_default_verify_paths failed
Hi,

On 08.06.2020 at 12:25, Antony Stone wrote:

> On Monday 08 June 2020 at 12:15:56, Markus wrote:
>
>> Hi list!
>>
>> I'm getting this error frequently:
>>
>> ERROR[25193][C-0004f387]: cdr_mysql.c:203 mysql_log: Cannot connect to
>> database server localhost: (2026) SSL connection error:
>> SSL_CTX_set_default_verify_paths failed
>
> Hmmm... talking to localhost over SSL... seems a bit computationally wasteful.

I switched to connecting via sock. My cdr_mysql.conf looks like this:

[global]
;hostname=localhost
dbname=asterisk
table=cdr
password=somepassword
user=someuser
;port=3306
sock=/var/lib/mysql/mysql.sock

However, I'm still frequently getting:

"[Jun 29 12:40:08] ERROR[12977][C-000007cc]: cdr_mysql.c:203 mysql_log: Cannot connect to database server localhost: (2026) SSL connection error: SSL_CTX_set_default_verify_paths failed"

Which makes no sense because I'm no longer connecting via localhost. The error message still mentions localhost, though. Maybe the error message is not accurate enough?! Strange?

As explained previously, the error comes and goes. Right now I'm losing about 10% of my CDRs. But that means it's not a general problem with the SSL stuff.

Thanks!
Markus