Spring Cloud Services broker can't connect to backend MySQL database due to TLS handshake failure

Article ID: 292923


Products

VMware Spring Runtime

Issue/Introduction

Symptoms:
The Spring Cloud Services (SCS) broker or worker cannot connect to its backend database instance (MySQL for PCF) when Transport Layer Security (TLS) is enabled (optional or required). The connection fails with an "unknown_ca" error as shown below:
[APP/PROC/WEB/0] [OUT] Caused by: org.springframework.jdbc.CannotGetJdbcConnectionException: Failed to obtain JDBC Connection; nested exception is java.sql.SQLNonTransientConnectionException: Could not connect to q-n3s3y1.q-g2348.bosh:3306 : Received fatal alert: unknown_ca
Note: Adding the MySQL TLS CA certificate to the Operations (Ops) Manager Director Security configuration (trusted certificates) does not resolve this issue.

Environment


Cause

There is a known issue with the MariaDB Java client not trusting the certificates loaded into the security provider: https://jira.mariadb.org/browse/CONJ-670
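Because the driver bug above means a correctly trusted CA still fails inside the JVM, it helps to confirm independently that the MySQL endpoint's certificate chain does validate against the CA you provided, both before and after an upgrade. The following script is an added diagnostic and is not part of this article or of the SCS or MySQL for PCF products. It assumes an OpenSSL build with `-starttls mysql` support (1.1.0 or later) and takes the database host, port and CA PEM file as placeholders you supply; a plain TLS connect to port 3306 would not work, since the MySQL server greets in clear text before TLS is negotiated.

```shell
#!/bin/sh
# Added diagnostic, not from the KB article. Assumptions: openssl 1.1.0+ (for -starttls mysql);
# <host>, <port> and <ca.pem> are placeholders for the SCS database endpoint and the CA
# certificate that was loaded into Ops Manager.

# Perform a TLS handshake with a MySQL endpoint using MySQL's own STARTTLS-style negotiation,
# verifying the server chain against the given CA file. Prints the full s_client output and
# returns openssl's exit status (non-zero when verification fails, due to -verify_return_error).
mysql_tls_probe() {
    host="$1"; port="$2"; cafile="$3"
    openssl s_client -starttls mysql -connect "${host}:${port}" \
        -CAfile "$cafile" -verify_return_error </dev/null 2>&1
}

# Map the "Verify return code" line of captured s_client output to a short verdict:
#   ok           - chain validates against the supplied CA
#   untrusted_ca - chain does not terminate in the supplied CA (openssl errors 19/20)
#   other        - some other verification failure (expiry, hostname, etc.)
#   missing      - no verify line at all (handshake never completed)
classify_verify() {
    out="$1"
    line=$(printf '%s\n' "$out" | grep 'Verify return code:' | head -n 1)
    [ -n "$line" ] || { echo missing; return 0; }
    case "$line" in
        *'Verify return code: 0 (ok)'*) echo ok ;;
        *'unable to get local issuer certificate'*) echo untrusted_ca ;;
        *'self signed certificate in certificate chain'*) echo untrusted_ca ;;
        *'self-signed certificate in certificate chain'*) echo untrusted_ca ;;
        *) echo other ;;
    esac
}

# Usage: sh mysql_tls_probe.sh <host> <port> <ca.pem>
if [ "$#" -eq 3 ]; then
    output=$(mysql_tls_probe "$1" "$2" "$3") || true
    # Show who presented the certificate, who issued it, and the verification result.
    printf '%s\n' "$output" | grep -E 'subject=|issuer=|Verify return code' || true
    echo "verdict: $(classify_verify "$output")"
fi
```

A verdict of `ok` from this probe while the broker still logs `unknown_ca` points at the MariaDB client issue described above rather than at a wrong or missing CA; `untrusted_ca` means the CA file itself does not match what the MySQL tile is serving and should be fixed first.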

Resolution

Resolution 1

Upgrade SCS to version 2.0.6, which ships the updated MariaDB Client version 2.4.0 containing the TLS fix.


Resolution 2

Upgrade to MySQL v2.5.3 or v2.4.4 or higher. Please refer to the Preparing for TLS section to set up a CA certificate for the TLS handshake.


Resolution 3

Do not enable TLS with MySQL for PCF v2.4.0-2.4.3 and v2.5.0-2.5.2.


Resolution 4

Do not upgrade the SCS database instance when upgrading MySQL to v2.4.0-2.4.3 or v2.5.0-2.5.2.

Note: Pivotal Support recommends resolution #1. If you are unable to use any of these options, please contact Pivotal Support.