Configuration of SSL connection to Database


We installed the Mattermost Enterprise Edition and currently face a problem with the configuration of a secure database connection.

We want to use the MySQL-Server within our intranet as database for Mattermost and the database connection has to be encrypted with SSL/TLS. Our current SqlSettings look like this:

"DriverName": "mysql",
"DataSource": "database_user:password@tcp(mysql.server:3306)/database_name?charset=utf8&timeout=90s&tls=true"

Do you have any advice on how to configure the details for the database connection over SSL/TLS?

We tried the tls=custom URL parameter in the DataSource string but couldn't find a way to set the required TLSConfig object using the config files. With tls=true we get the following error:

Failed to ping db err:tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config

Using the tls=skip-verify option works to establish a connection, but doesn't meet our security requirements.

We would be grateful for a good hint.

I have done things like this with SSH tunnels. That’s very reliable and as secure as TLS.

Thanks for your reply.
You're right, but this solution isn't wanted by our administration.
Is there a native way using the mattermost server config?

I’m not aware of a way to put SSL on a MySQL connection. But I may be wrong.

Well, we configured our MySQL server to only accept an SSL-encrypted MySQL connection for the database/user combination on which the Mattermost server depends.

As I said, by using tls=skip-verify the connection is established, but Mattermost doesn't verify the certificate.

So we are searching for a way to tell Mattermost which root certificate to use, so that the MySQL server certificate can be verified.
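Added example, not code from the thread, from Mattermost or from the MySQL driver: a stand-alone Go program that reproduces the three tls= choices from the DataSource string above (tls=true, tls=skip-verify and a custom configuration with a pinned root CA) against a constructed in-memory test PKI. The CA and server certificates are generated at run time, the host name mysql.server is taken from the DSN in the question, and the loopback TCP listener is an assumption of the example. It shows the exact error quoted in the question, shows that skip-verify also accepts a certificate issued by an unrelated CA, and shows that the pinned-CA configuration accepts the genuine server and rejects the impostor. With go-sql-driver/mysql, a configuration like tlsCustom is registered in code with mysql.RegisterTLSConfig("custom", cfg) and then selected by tls=custom in the DSN; that registration has to happen in the program that opens the database, which is the step the original poster could not reach from the config files.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

const dbHost = "mysql.server" // host from the DSN in the thread (mysql.server:3306)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl with parent (self-signed when parent is nil) using a fresh
// P-256 key and returns the parsed certificate together with its private key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// newCA and newLeaf are constructed test material; the CA stands in for the intranet root CA.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
}

func newLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey) tls.Certificate {
	cert, key := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: dbHost},
		DNSNames:     []string{dbHost}, // ServerName is matched against the SAN, not the CN
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return tls.Certificate{Certificate: [][]byte{cert.Raw}, PrivateKey: key}
}

// tlsCustom is the client configuration the thread was looking for: trust only the
// root CA in caPEM (the contents of the CA file) and require a certificate for dbHost.
func tlsCustom(caPEM []byte) (*tls.Config, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, fmt.Errorf("no CA certificate found in PEM input")
	}
	return &tls.Config{RootCAs: pool, ServerName: dbHost, MinVersion: tls.VersionTLS12}, nil
}

// handshake runs a TLS handshake over loopback TCP and returns the client-side error.
func handshake(clientCfg *tls.Config, srvCert tls.Certificate) error {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{srvCert}}))
	defer ln.Close()
	go func() { // server side; its result is not what we are inspecting
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	conn := must(net.DialTimeout("tcp", ln.Addr().String(), 2*time.Second))
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(2 * time.Second))
	return tls.Client(conn, clientCfg).Handshake()
}

// Run exercises each DSN tls= option against the genuine server and against an
// impostor whose certificate a different CA signed; values are client-side errors.
func Run() map[string]error {
	ca, caKey := newCA("Intranet Root CA")
	rogue, rogueKey := newCA("Rogue CA")
	genuine, impostor := newLeaf(ca, caKey), newLeaf(rogue, rogueKey)
	custom := must(tlsCustom(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw})))
	skip := &tls.Config{InsecureSkipVerify: true} // tls=skip-verify: encrypted but unauthenticated
	return map[string]error{
		"true":                 handshake(&tls.Config{}, genuine), // tls=true as the driver in the thread built it
		"skip-verify/real":     handshake(skip, genuine),
		"skip-verify/impostor": handshake(skip, impostor),
		"custom/real":          handshake(custom, genuine),
		"custom/impostor":      handshake(custom, impostor),
	}
}

func main() {
	fmt.Printf("%+v\n", Run())
}
```

The "true" case fails before any bytes are sent, with the same "either ServerName or InsecureSkipVerify must be specified" message as in the question, because crypto/tls refuses a client config that can neither verify a name nor was told to skip verification. Both skip-verify cases succeed, including the one against the rogue CA, which is the property that fails the security requirement. The custom configuration is the only one that distinguishes the two servers.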

Answer from Mattermost Support:

How to set up MySQL DB for Mattermost on Windows.

This topic is a bit old, but especially because it’s old, was there any change to this? Is it possible to define a root CA file to connect to the database with a self-signed TLS certificate, or not yet?

From what I see in the ticket at [MM-5996] Investigate: Support database connection over SSL/TLS - Mattermost, it seems to be open and to not have had any activity for a few years. Is this feature going to be implemented (without using tls=skip-verify)?

Thanks in advance :)

I would suggest using a reverse proxy such as through Apache, and proxying the database to a VirtualHost in which you are using SSL/TLS. At that point, you should be able to create a listener on the target server (that you want the database to send data to) and then, in essence, import the database information almost as if it was in a cluster environment.