
Access to mysql with SSL

Open kenjreno opened this issue 3 years ago • 5 comments

Would like to see a way to enable SSL for mysql. There is an option in PowerDNS to allow this gmysql-ssl=yes

When adding PDNS_gmysql_ssl=yes as an environment filter, the docker-entry script will not proceed as it's attempting to access mysql without a '--ssl' option, then sitting in a loop waiting for a connection.

kenjreno avatar Jun 01 '22 19:06 kenjreno

Could you verify the /etc/pdns/pdns.conf file inside of the container to check whether the config is as intended?

pschiffe avatar Jun 02 '22 12:06 pschiffe

I'm getting the error message in the logs:

ERROR 1045 (28000): Access denied for user 'pdns'@'*******************' (using password: YES)

MySQL is unavailable - sleeping

Contents of the pdns.conf are the generic version, as the docker-compose.sh script cannot get past the database checking to produce the file.

(This is just the snippet of the first few lines)

[root@pdns /]# cat /etc/pdns/pdns.conf
# Autogenerated configuration file template

#################################
# ignore-unknown-settings       Configuration settings to ignore if they are unknown
#
# ignore-unknown-settings=

My docker-compose is using the following environments.

    environment:
      - PDNS_gmysql_host=db_server
      - PDNS_gmysql_port=3306
      - PDNS_gmysql_user=pdns_user
      - PDNS_gmysql_dbname=pdns_database
      - PDNS_gmysql_password=CHANGEME
      - PDNS_gmysql_dnssec=yes
      - PDNS_gmysql_ssl=yes
      - PDNS_allow_axfr_ips=127.0.0.0/32
      - PDNS_master=yes
      - PDNS_dnsupdate=yes
      - PDNS_guardian=yes
      - PDNS_secondary=no      
      - PDNS_api=yes
      - PDNS_api_key=CHANGEME
      - PDNS_default_soa_edit=INCEPTION-INCREMENT
      - PDNS_default_soa_edit_signed=INCEPTION-INCREMENT
      - PDNS_webserver=yes 
      - PDNS_webserver_allow_from=127.0.0.1,10.0.0.0/8,172.0.0.0/8,192.0.0.0/24
      - PDNS_webserver_address=0.0.0.0 
      - PDNS_webserver_password=CHANGEME 
      - PDNS_version_string=SuperDuperDNSServer
      - PDNS_allow_notify_from=0.0.0.0 

I have PowerDNS running correctly in a TrueNAS jail, but looking to replicate it and migrate this away to a docker container using the same configuration that I currently have setup.

kenjreno avatar Jun 02 '22 13:06 kenjreno

Ah, I understand now. The mysql check command doesn't work b/c it doesn't support SSL. Do you think you could update the command in a similar fashion as here: https://github.com/pschiffe/docker-pdns/blob/master/pdns/docker-entrypoint.sh#L27 - add an if check and update the EXTRA var if SSL is required? I don't have such setup, so cannot test it.

pschiffe avatar Jun 02 '22 15:06 pschiffe

I added this as a check and it now gets past the sql error and created the correct pdns.conf template file.

# SSL Check: append --ssl to the mysql client options when PDNS_gmysql_ssl is set
# (":-" gives an empty default so the test also works under "set -u")
if [ "${PDNS_gmysql_ssl:-}" != "" ]; then
    EXTRA="${EXTRA} --ssl"
fi

# Password Auth
if [ "${PDNS_gmysql_password}" != "" ]; then
    EXTRA="${EXTRA} -p${PDNS_gmysql_password}"
fi

# Allow socket connections
if [ "${PDNS_gmysql_socket:-}" != "" ]; then
    export PDNS_gmysql_host="localhost"
    EXTRA="${EXTRA} --socket=${PDNS_gmysql_socket}"
fi

I don't have an environment built yet to build this to test this fully end to end.

kenjreno avatar Jun 02 '22 18:06 kenjreno

If you are able to test this properly, I would love to accept your PR :)

pschiffe avatar Jun 02 '22 18:06 pschiffe

I'm closing this as it's tricky. You also need to configure cert and key on the client, so the communication is really secure, and I think this is out of scope for this project.

pschiffe avatar Jan 13 '23 22:01 pschiffe