
Cannot connect to Mariadb database remotely with mariadb-client (mysql-client works)


I have a remote server running MariaDB 10.6 database. I have all credentials.

I have tried the regular connection command line on my PC and it works perfectly: mysql -P3307 -hmyurl.com -u myuser -pmypass mydatabase. However, when I try it in Docker in Ubuntu, I'm getting:

Access denied for user 'myuser '@'10.62.193.7' (using password: YES)

After quite some debugging, I figured out that the error appears only if I use apt install mariadb-client (either on Ubuntu 20.04 or 22.04). If I use apt install mysql-client, it works perfectly.

Is there anything I can do to make mariadb-client work? I also use it somehow from Python (mysqlclient) and it seems to rely on mariadb-client as well, so I basically cannot connect from Python in this case...

P.S. I do not have admin control over the database server, so I cannot modify settings of the database.


Solution

  • Finally, after many hours of digging, I figured out the solution, thanks to a colleague of mine.

    TLDR: The root cause of this was the configuration of the server which enforces TLSv1.2 and mariadb-client which does not like it by default.

    More details:

    The mariadb-client only enables TLS by default (--ssl flag) with versions greater than 10.10. Prior to that, it would not enable TLS unless you specify that flag.

    The guess is that your installed version of the mariadb-client is not setting SSL/TLS mode. Failure to connect with encryption WILL result in the "Access Denied for user" error message, since unencrypted connections are disallowed.

    I would highly recommend that you explicitly set these parameters:

    mysql-client: --ssl-mode=VERIFY_CA --ssl-ca=/path/to/ca/chain/file

    mariadb-client: --ssl --ssl-verify-server-cert --ssl-ca=/path/to/ca/chain/file

    So when I added the single --ssl parameter to the call when using mariadb-client, to my surprise, it actually worked!
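
The flag choice described in the answer above, as an added shell example (not part of the original answer): it picks the TLS flags from the client's `--version` output and refuses to continue unless the session reports a cipher. The function names are hypothetical, and the CA path is assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example: choose TLS flags by client flavour and confirm encryption.

# tls_flags VERSION_STRING CA_FILE
# VERSION_STRING is the output of `mysql --version`; MariaDB builds contain
# the word "MariaDB", MySQL builds do not.
tls_flags() {
    case "$1" in
        *MariaDB*) printf '%s' "--ssl --ssl-verify-server-cert --ssl-ca=$2" ;;
        *)         printf '%s' "--ssl-mode=VERIFY_CA --ssl-ca=$2" ;;
    esac
}

# cipher_from_status STATUS_ROW
# STATUS_ROW is the tab-separated row printed by
#   mysql -N -B -e "SHOW SESSION STATUS LIKE 'Ssl_cipher'"
# Prints the cipher name; returns 1 when the value is empty (plaintext session).
cipher_from_status() {
    cipher=$(printf '%s' "$1" | awk -F'\t' '$1 == "Ssl_cipher" { print $2 }')
    [ -n "$cipher" ] || return 1
    printf '%s' "$cipher"
}

# connect_checked CA_FILE [client args...]
# Connects with the matching flags and fails closed if the session is not encrypted.
connect_checked() {
    ca=$1; shift
    flags=$(tls_flags "$(mysql --version)" "$ca")
    # $flags is intentionally unquoted so it splits into separate arguments.
    row=$(mysql $flags -N -B "$@" -e "SHOW SESSION STATUS LIKE 'Ssl_cipher'") || return 2
    cipher_from_status "$row" >/dev/null || { echo "session is NOT encrypted" >&2; return 1; }
    echo "encrypted session, cipher: $(cipher_from_status "$row")"
}

# Usage (connection values from the question; the password is prompted for):
#   connect_checked /path/to/ca/chain/file -P3307 -hmyurl.com -u myuser -p mydatabase
```

Prompting for the password with a bare `-p` keeps it out of the shell history and the process list, unlike `-pmypass`.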