There are many examples on how to connect to a mariadb/mysql database using go/golang when only username and password is needed. But I have not found an easy example where the client needs certificates (TLS/SSL) to connect.
This works for a vanilla connection
package main
import (
"database/sql"
"fmt"
"log"
_ "github.com/go-sql-driver/mysql"
)
// Test that db is usable
// prints current date & time to stdout
func queryDB(db *sql.DB) {
// Query the database
var result string
err := db.QueryRow("SELECT NOW()").Scan(&result)
if err != nil {
log.Fatal(err)
}
fmt.Println(result)
}
func main() {
// generate connection string
cs := fmt.Sprintf("%s:%s@tcp(%s:%s)/%s", "username", "password", "dbHost", "dbPort", "database")
db, err := sql.Open("mysql", cs)
if err != nil {
log.Printf("Error %s when opening DB\n", err)
log.Printf("%s", cs)
return
}
defer db.Close()
e := db.Ping()
fmt.Println(cs, e)
queryDB(db)
}
But if the client needs certs to connect, where do I put that information?
in my my.cnf it would be theese lines:
[mysql]
## MySQL Client Configuration ##
ssl-ca=cert/ca-cert.pem
ssl-cert=cert/client-cert.pem
ssl-key=cert/client-key.pem
To be able to use certs for authentication you have to create a tls.Config and then do a mysql.RegisterTLSConfig("custom", &tlsConf) and add "?tsl=custom" to the connection string.
Where tls comes from "crypto/tls" and mysql is from "github.com/go-sql-driver/mysql"
A working example:
package main
import (
"crypto/tls"
"crypto/x509"
"database/sql"
"fmt"
"io/ioutil"
"log"
"github.com/go-sql-driver/mysql"
_ "github.com/go-sql-driver/mysql"
)
// path to cert-files hard coded
// Most of this is copy pasted from the internet
// and used without much reflection
func createTLSConf() tls.Config {
rootCertPool := x509.NewCertPool()
pem, err := ioutil.ReadFile("cert/ca-cert.pem")
if err != nil {
log.Fatal(err)
}
if ok := rootCertPool.AppendCertsFromPEM(pem); !ok {
log.Fatal("Failed to append PEM.")
}
clientCert := make([]tls.Certificate, 0, 1)
certs, err := tls.LoadX509KeyPair("cert/client-cert.pem", "cert/client-key.pem")
if err != nil {
log.Fatal(err)
}
clientCert = append(clientCert, certs)
return tls.Config{
RootCAs: rootCertPool,
Certificates: clientCert,
InsecureSkipVerify: true, // needed for self signed certs
}
}
// Test that db is usable
// prints version to stdout
func queryDB(db *sql.DB) {
// Query the database
var result string
err := db.QueryRow("SELECT NOW()").Scan(&result)
if err != nil {
log.Fatal(err)
}
fmt.Println(result)
}
func main() {
// When I realized that the tls/ssl/cert thing was handled separately
// it became easier, the following two lines are the important bit
tlsConf := createTLSConf()
err := mysql.RegisterTLSConfig("custom", &tlsConf)
if err != nil {
log.Printf("Error %s when RegisterTLSConfig\n", err)
return
}
// connection string (dataSourceName) is slightly different
dsn := fmt.Sprintf("%s:%s@tcp(%s:%s)/%s?tls=custom", "username", "password", "dbHost", "dbPort", "database")
db1, err := sql.Open("mysql", dsn)
if err != nil {
log.Printf("Error %s when opening DB\n", err)
log.Printf("%s", dsn)
return
}
defer db1.Close()
e := db1.Ping()
fmt.Println(dsn, e)
queryDB(db1)
}