Docker container emulating RDS MySQL/MariaDB with SSL


I was wondering if anyone has been able to create a docker instance running MySQL/MariaDB with SSL with self-signed certificates that emulate the behavior that RDS provides.

Meaning that you can verify the connection using only a bundle, but with your own self-signed certificates.

2 Answers

Before you start, please read the following

This article can help you

answered a year ago

Thanks for your answer, I didn't come across this article and it is very detailed. I found others that are pretty similar but not as precise as this one. I also tried following the steps in this article, but I keep having the same issue. Please allow me to be more specific.

This article works great for creating a docker image allowing you to use SSL connections for your MySQL/MariaDB docker instance. As you can see in the following code, I can connect to the docker instance through SSL with CA verify:

$ docker run -d  --rm --name test  -e MARIADB_ROOT_PASSWORD=12345 -p 3306:3306 c7cc3d08c5b7
$ mysql -uroot -p -h127.0.0.1 --ssl --ssl-ca=ca.pem
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 61
Server version: 10.6.11-MariaDB-1:10.6.11+maria~ubu2004 binary distribution

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> \s
mysql  Ver 15.1 Distrib 10.11.2-MariaDB, for Linux (x86_64) using readline 5.1

Connection id:          61
Current database:
Current user:           root@
SSL:                    Cipher in use is TLS_AES_256_GCM_SHA384
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server:                 MariaDB
Server version:         10.6.11-MariaDB-1:10.6.11+maria~ubu2004 binary distribution
Protocol version:       10
Connection:    via TCP/IP
Server characterset:    utf8mb4
Db     characterset:    utf8mb4
Client characterset:    utf8mb3
Conn.  characterset:    utf8mb3
TCP port:               3306
Uptime:                 23 hours 8 min 1 sec

Threads: 1  Questions: 15  Slow queries: 0  Opens: 17  Open tables: 10  Queries per second avg: 0.000

Until here, everything looks perfect and as expected. But my real problem is when I try to execute the following PHP code:

<?php
// Show connection errors while testing.
ini_set('display_errors', '1');

$server = '';
$port = '3306';
$dbname = 'test';
$username = 'root';
$password = '12345';

// Trust only the CA bundle; no client key or certificate is supplied.
$options = array(
    PDO::MYSQL_ATTR_SSL_CA => 'ca.pem',
);

try {
    $dsn = "mysql:host=$server;port=$port;charset=utf8;dbname=$dbname";
    $pdo_nossl = new PDO($dsn, $username, $password, $options);
    echo "Connection successful";
} catch (PDOException $e) {
    echo "Connection failed: " . $e->getMessage();
}

The same code, but pointing to an RDS, works perfectly, with no need to add the SSL client key or cert. It works with only MYSQL_ATTR_SSL_CA and the proper bundle. To be more precise, if you set MYSQL_ATTR_SSL_VERIFY_SERVER_CERT to false, the code works. But I just wanted to keep the same configuration I have with an RDS, which is verifying the SSL cert.

I have also tried creating the CA with the domain "local." and the server and client with "mariadb.local.", starting the docker instance with this name, setting this on internal DNS just to have resolution, and modifying the PHP code to point to its name instead of the IP.

Not sure if what I'm asking is possible or I am missing something.


answered a year ago
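
Added example, not part of the original thread: the post reports that the PDO connection succeeds once MYSQL_ATTR_SSL_VERIFY_SERVER_CERT is false, and the `mysql` command shown does not pass `--ssl-verify-server-cert`, so a useful check is whether the server certificate is valid for the exact name or IP the client dials. This script builds a throwaway CA and server certificate with `openssl` and tests candidate names against it; the CA name, file names and SAN values are assumptions.

```shell
# Added example. CA name, file names and SAN values are constructed.
set -eu

# make_pki DIR SAN: throwaway CA plus a server certificate whose
# subjectAltName is SAN, e.g. "DNS:mariadb.local,IP:127.0.0.1".
make_pki() {
  dir=$1 san=$2
  mkdir -p "$dir"
  # Private config so the result does not depend on the system openssl.cnf.
  cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Local Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  printf 'subjectAltName = %s\n' "$san" > "$dir/server.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$dir/ca.cnf" \
    -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
    -subj "/CN=mariadb.local" -keyout "$dir/server-key.pem" \
    -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" \
    -CAkey "$dir/ca-key.pem" -CAcreateserial -days 30 \
    -extfile "$dir/server.ext" -out "$dir/server-cert.pem" 2>/dev/null
}

# check_name DIR KIND NAME: succeeds only if the chain verifies against
# ca.pem AND the certificate is valid for NAME (KIND: hostname or ip).
check_name() {
  openssl verify -CAfile "$1/ca.pem" "-verify_$2" "$3" \
    "$1/server-cert.pem" >/dev/null 2>&1
}

# report DIR: show which client-side names this certificate satisfies.
report() {
  for t in hostname:mariadb.local hostname:localhost ip:127.0.0.1; do
    check_name "$1" "${t%%:*}" "${t#*:}" && echo "$t verifies" || echo "$t REJECTED"
  done
}

work=$(mktemp -d)
make_pki "$work/dns-only" "DNS:mariadb.local"
make_pki "$work/dns-and-ip" "DNS:mariadb.local,IP:127.0.0.1"
report "$work/dns-only"
report "$work/dns-and-ip"
```

A client that verifies the server certificate needs the host in its DSN to be one of the names the report shows as verifying, with the generated `ca.pem` as its CA bundle.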
