docs icon indicating copy to clipboard operation
docs copied to clipboard

Published 20 hours ago • verified publisher icon prisma

sslaccept=accept_invalid_certs seems to not be the default

Open P4sca1 opened this issue 2 years ago • 1 comments

Bug description

I am trying to connect to a MySQL database, with a user that has the REQUIRE SSL option set.

The following error appears:

[1657368933547] FATAL: Startup failed
    err: {
      "type": "PrismaClientInitializationError",
      "message": "Authentication failed against database server at `[omitted]`, the provided database credentials for `[omitted]` are not valid.\n\nPlease make sure to provide valid database credentials for the database server at `[omitted]`.",
      "stack":
          Error: Authentication failed against database server at `[omitted]`, the provided database credentials for `[omitted]` are not valid.
          
          Please make sure to provide valid database credentials for the database server at `[omitted]`.
              at [omitted]/node_modules/@prisma/client/runtime/index.js:45403:20
      "clientVersion": "4.0.0",
      "errorCode": "P1000"
    }

The MySQL server uses a self-signed certificate.

How to reproduce

You need a MySQL server which allows SSL connections and uses a self-signed certificate. This is the default behaviour in MySQL.

  1. Enable the REQUIRE SSL option for your MySQL user: ALTER USER 'myuser'@'myhost' REQUIRE SSL
  2. Start your prisma application

Expected behavior

The connection should be successfully established using default options. According to the docs, sslaccept=accept_invalid_certs is the default. However, this does not seem to be the case, because the connection does not work. When I manually add ?sslaccept=accept_invalid_certs to the database URL, the connection gets established successfully.

Prisma information

Not working database url: mysql://myuser:mypassword@dbhost:3306/database Working database url: mysql://myuser:mypassword@dbhost:3306/database?sslaccept=accept_invalid_certs

Environment & setup

  • OS: MacOS 12.3
  • Database: MySQL 8.0.29
  • Node.js version: 16.13.0

Prisma Version

prisma                  : 4.0.0
@prisma/client          : 4.0.0
Current platform        : darwin
Query Engine (Node-API) : libquery-engine da41d2bb3406da22087b849f0e911199ba4fbf11 (at node_modules/prisma/node_modules/@prisma/engines/libquery_engine-darwin.dylib.node)
Migration Engine        : migration-engine-cli da41d2bb3406da22087b849f0e911199ba4fbf11 (at node_modules/prisma/node_modules/@prisma/engines/migration-engine-darwin)
Introspection Engine    : introspection-core da41d2bb3406da22087b849f0e911199ba4fbf11 (at node_modules/prisma/node_modules/@prisma/engines/introspection-engine-darwin)
Format Binary           : prisma-fmt da41d2bb3406da22087b849f0e911199ba4fbf11 (at node_modules/prisma/node_modules/@prisma/engines/prisma-fmt-darwin)
Default Engines Hash    : da41d2bb3406da22087b849f0e911199ba4fbf11
Studio                  : 0.465.0

P4sca1 avatar Jul 09 '22 12:07 P4sca1

This also results in MySQL connections from prisma to be unencrypted by default, because the certificate is not trusted and it then falls back to unencrypted connections.

P4sca1 avatar Jul 09 '22 12:07 P4sca1