Configure PMM2 For Azure MySQL Database With SSL

Managed database systems come with their own quirks. I recently ran into one with Azure MySQL. Although the solution was simple, finding it took significant time, so I'm sharing it to save you some.


Registering AzureDB without SSL in PMM

For a normal MySQL database, the command below is all it takes to register the service:

server=db-server.mysql.database.azure.com
monitoruser=monitor_mysql@db-server
monitorpwd=xxxxxxxx
server_name=MyProdDB1

pmm-admin add mysql --username=$monitoruser --password=$monitorpwd --host=$server --service-name=$server_name --query-source=perfschema

DB connectivity with SSL

From the link in the reference below you can download the generic CA certificate for connecting to Azure databases. With that file you can connect to MySQL even in VERIFY_CA mode, which fails without it.

Successful connection with SSL
mysql --user=$monitoruser --password=$monitorpwd --host=$server

Unsuccessful connection with verify ca SSL
mysql --user=$monitoruser --password=$monitorpwd --host=$server --ssl-mode=VERIFY_CA
ERROR 2026 (HY000): SSL connection error: CA certificate is required if ssl-mode is VERIFY_CA or VERIFY_IDENTITY

Successful connection with verify ca SSL
mysql --user=$monitoruser --password=$monitorpwd --host=$server --ssl-mode=VERIFY_CA --ssl-ca=azure-ca.crt

Error Registering SSL DB

Azure refuses the plain connection, so for SSL you need to supply the -tls flag; however, that alone also throws an error, and so does -tls with only the Azure CA certificate.

Error trying to connect without SSL
pmm-admin add mysql --username=$monitoruser --password=$monitorpwd --host=$server --service-name=$server_name --query-source=perfschema
Connection check failed: Error 9002: SSL connection is required. Please specify SSL options and retry..

Error trying to connect with SSL
pmm-admin add mysql --username=$monitoruser --password=$monitorpwd --host=$server --service-name=$server_name --query-source=perfschema -tls
TLS is on. You must also define tls-ca, tls-cert and tls-key flags.

Error trying to connect with SSL & azure provided certificate
pmm-admin add mysql --username=$monitoruser --password=$monitorpwd --host=$server --service-name=$server_name --query-source=perfschema -tls --tls-ca=azure-ca.crt
TLS is on. You must also define tls-ca, tls-cert and tls-key flags.

Generate new SSL

Based on the bug raised, I found that pmm-admin also needs a client key and client certificate, generated separately from the Azure CA. I used the command below to generate a new set of files; of these, only client-cert.pem and client-key.pem are used later.

mysql_ssl_rsa_setup --datadir ssl/
ls -l ssl/
-rw------- 1 nirav nirav 1679 Jun 17 14:52 ca-key.pem
-rw-r--r-- 1 nirav nirav 1107 Jun 17 14:52 ca.pem
-rw-r--r-- 1 nirav nirav 1107 Jun 17 14:52 client-cert.pem
-rw------- 1 nirav nirav 1679 Jun 17 14:52 client-key.pem
-rw------- 1 nirav nirav 1675 Jun 17 14:52 private_key.pem
-rw-r--r-- 1 nirav nirav  451 Jun 17 14:52 public_key.pem
-rw-r--r-- 1 nirav nirav 1107 Jun 17 14:52 server-cert.pem
-rw------- 1 nirav nirav 1679 Jun 17 14:52 server-key.pem

Register Azure DB with SSL

With the client certificate and key added to the TLS flags, the same command as above now succeeds.

Successful register with SSL & azure provided certificate
pmm-admin add mysql --username=$monitoruser --password=$monitorpwd --host=$server --service-name=$server_name --query-source=perfschema -tls --tls-ca=azure-ca.crt --tls-cert=client-cert.pem --tls-key=client-key.pem
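The three errors above all come from the same place: pmm-admin's -tls mode needs the CA, the client certificate and the client key together, and it only tells you so after the connection check. The preflight script below is an added example (not part of the original post or of PMM) that checks those three files before pmm-admin is run, reproduces the same message when one is missing, rejects a file handed in under the wrong flag (for example the Azure CA passed as --tls-key), and prints the register command and the mysql VERIFY_CA check for review. The file names, host, user and service name are the post's own values; the function names and the PEM header check are this script's assumptions.

```shell
#!/bin/sh
# Preflight for registering an Azure MySQL service in PMM2 over TLS.
# Added example; not code from the original post or from PMM.

# Return 0 if $1 is readable and its first line carries the PEM marker in $2.
# A wrong marker means the file was passed under the wrong flag.
pem_has_marker() {
    [ -r "$1" ] || return 1
    head -n 1 "$1" | grep -q -- "$2"
}

# Validate the three files pmm-admin insists on when -tls is set:
#   $1 CA certificate (azure-ca.crt), $2 client cert, $3 client key.
# On success prints the TLS flags; otherwise prints why and returns 1.
tls_flags() {
    ca="$1"; cert="$2"; key="$3"
    if [ -z "$ca" ] || [ -z "$cert" ] || [ -z "$key" ]; then
        # Same message pmm-admin prints when any of the three is missing.
        echo "TLS is on. You must also define tls-ca, tls-cert and tls-key flags." >&2
        return 1
    fi
    pem_has_marker "$ca" "BEGIN CERTIFICATE" \
        || { echo "tls-ca '$ca' is not a readable PEM certificate" >&2; return 1; }
    pem_has_marker "$cert" "BEGIN CERTIFICATE" \
        || { echo "tls-cert '$cert' is not a readable PEM certificate" >&2; return 1; }
    pem_has_marker "$key" "PRIVATE KEY" \
        || { echo "tls-key '$key' is not a readable PEM private key" >&2; return 1; }
    # The client key is a credential: warn if it is readable by others.
    if find "$key" -perm -004 2>/dev/null | grep -q .; then
        echo "warning: tls-key '$key' is world-readable; chmod 600 it" >&2
    fi
    printf -- '-tls --tls-ca=%s --tls-cert=%s --tls-key=%s\n' "$ca" "$cert" "$key"
}

# The mysql command that confirms the CA file before pmm-admin is involved
# (the VERIFY_CA check from the post). Printed, not executed.
mysql_verify_ca_cmd() {
    host="$1"; user="$2"; ca="$3"
    printf 'mysql --user=%s --host=%s --ssl-mode=VERIFY_CA --ssl-ca=%s\n' "$user" "$host" "$ca"
}

# Build the pmm-admin register command for review. The password is left out
# of the printed preview on purpose: add --password=$monitorpwd when running it.
build_register_cmd() {
    host="$1"; user="$2"; service="$3"; ca="$4"; cert="$5"; key="$6"
    flags=$(tls_flags "$ca" "$cert" "$key") || return 1
    printf 'pmm-admin add mysql --username=%s --host=%s --service-name=%s --query-source=perfschema %s\n' \
        "$user" "$host" "$service" "$flags"
}

# Stand-alone demo with the post's values; set PMM_TLS_DEMO=1 to run it.
if [ "${PMM_TLS_DEMO:-}" = 1 ]; then
    mysql_verify_ca_cmd db-server.mysql.database.azure.com monitor_mysql@db-server azure-ca.crt
    build_register_cmd db-server.mysql.database.azure.com monitor_mysql@db-server MyProdDB1 \
        azure-ca.crt ssl/client-cert.pem ssl/client-key.pem
fi
```

Run it with PMM_TLS_DEMO=1 from the directory that holds azure-ca.crt and the ssl/ directory from mysql_ssl_rsa_setup; if a file is missing or passed under the wrong flag you get the reason immediately instead of after pmm-admin's connection check, and the printed command can be pasted with --password=$monitorpwd appended.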

Reference