🔐 MySQL-based SSL/TLS Encrypted Connection (MySQL/MariaDB/Percona)
This feature allows you to enable SSL/TLS encrypted connections between your application and MySQL, MariaDB, or Percona databases. When this feature is enabled, all data is transmitted securely, protected against interception.
✅ Recommended for applications with sensitive information, systems on public networks, or those requiring compliance with security standards such as LGPD, PCI, or HIPAA.
⚙️ How to enable the Add-on on SaveinCloud
- Access your environment panel and click on the Add-ons option in your MySQL database instance.
- Locate the add-on MySQL-based SSL/TLS Encrypted Connection and click Install.

On the add-on installation screen, you must fill in:

- Environment: Desired environment
- Node Group(s): Node group where the add-on will be installed
Within a minute, your database will be reconfigured to operate through an encrypted connection.
📁 Location of certificates
Certificates are automatically generated using the /usr/local/sbin/selfcertgen utility. They are self-signed and issued based on each node's hostname.
📂 Certificates directory:
/var/lib/jelastic/keys/SSL-TLS
This directory contains two subfolders:
- client – contains client certificates for download and use in authentication
- server – contains certificates used by the database to enable TLS encryption

🛠️ Additional configurations
Additional configurations are automatically applied in the file:
/etc/mysql/conf.d/ssl-config.cnf
Default content:
[mysqld]
ssl_ca=/var/lib/jelastic/keys/SSL-TLS/server/root.crt
ssl_cert=/var/lib/jelastic/keys/SSL-TLS/server/server.crt
ssl_key=/var/lib/jelastic/keys/SSL-TLS/server/server.key
#ssl-cipher=ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA
#require_secure_transport=ON
💡 The option require_secure_transport=ON (commented out by default) forces exclusive use of SSL connections.
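The following is an added example, not part of the add-on or the original page: a shell function (the names audit_mysql_tls_cnf and demo_default_cnf are hypothetical) that reports which TLS options are actually active in an option file. Run against the default content above, it shows that the commented-out require_secure_transport line leaves unencrypted connections allowed server-wide.

```sh
#!/bin/sh
# Report which TLS options are actually active in a MySQL option file.
audit_mysql_tls_cnf() {   # $1 = path to the option file
    awk '
        # Remember the current [section]; only [mysqld] is audited.
        /^[ \t]*\[/ { sub(/^[ \t]*\[/, ""); sub(/\].*$/, ""); section = $0; next }
        # A commented-out or blank line configures nothing.
        /^[ \t]*(#|;|$)/ { next }
        section == "mysqld" {
            eq  = index($0, "=")
            key = eq ? substr($0, 1, eq - 1) : $0
            val = eq ? substr($0, eq + 1) : ""
            gsub(/[ \t]/, "", key); gsub(/-/, "_", key)   # ssl-ca == ssl_ca
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            active[key] = toupper(val)
        }
        END {
            n = split("ssl_ca ssl_cert ssl_key", need, " ")
            for (i = 1; i <= n; i++)
                if (!(need[i] in active)) print "MISSING " need[i]
            rst = active["require_secure_transport"]
            if (rst != "ON" && rst != "1" && rst != "TRUE")
                print "WARN require_secure_transport is not ON: unencrypted connections are not refused server-wide"
            if (!("ssl_cipher" in active))
                print "INFO ssl_cipher not set: server default cipher list applies"
        }
    ' "$1"
}

# Constructed sample: the default ssl-config.cnf content shown above.
demo_default_cnf() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
[mysqld]
ssl_ca=/var/lib/jelastic/keys/SSL-TLS/server/root.crt
ssl_cert=/var/lib/jelastic/keys/SSL-TLS/server/server.crt
ssl_key=/var/lib/jelastic/keys/SSL-TLS/server/server.key
#ssl-cipher=ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA
#require_secure_transport=ON
EOF
    audit_mysql_tls_cnf "$tmp"
    rm -f "$tmp"
}

demo_default_cnf
```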

🔄 Add-on management
After installation, you can:

- 📥 Reissue certificates by clicking Re-issue certificates. Useful in cases such as accidental loss of .crt/.key files, or if you suspect the certificates have been compromised.
- ❌ Uninstall the add-on using the menu in the upper right corner. This also removes the generated SSL certificates and applied configurations.
🧪 Testing connection via SSL (encryption in transit)
“Encryption in transit” (server-side encryption) works from the moment the add-on is installed. You can verify by connecting using the database credentials sent by email.
For remote connection, you can add the Endpoints or Public IP.

Use the following command to test the connection with encryption (server-side):
mysql --ssl-mode=required -h {host} -P {port} -u {user} -p
Where:
- {host} – database entry point (endpoint or public IP).
- {port} – port used for connection (usually 3306).
- {user} – database username used for authentication.
Check the output of the status command for an SSL line:

SSL: Cipher in use is TLS_AES_256_GCM_SHA384
🧠 For external connections, use the public IP or Endpoint of your database.
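The following is an added example, not code from the original page: a shell function (check_mysql_tls_status is a hypothetical name) that turns the SSL line check above into an exit code a deployment script can act on. The status excerpts are constructed samples, and the AEAD-only rule is an assumed policy rather than something the add-on enforces.

```sh
#!/bin/sh
# Gate on the "SSL:" line of the mysql client's `status` output (read on stdin).
# Exit codes: 0 encrypted, 1 plaintext, 2 no SSL line (fail closed), 3 non-AEAD.
check_mysql_tls_status() {
    awk '
        /^SSL:/ {
            seen = 1
            if (match($0, /Cipher in use is [A-Za-z0-9_-]+/))
                cipher = substr($0, RSTART + 17, RLENGTH - 17)
        }
        END {
            if (!seen)        { print "no SSL line in status output"; exit 2 }
            if (cipher == "") { print "session is not encrypted";     exit 1 }
            # Assumed policy, not from the page: require an AEAD suite.
            if (cipher !~ /GCM|CCM|CHACHA20/) { print "non-AEAD cipher: " cipher; exit 3 }
            print cipher
        }
    '
}

# Constructed status excerpts (real use: mysql ... -e status | check_mysql_tls_status).
sample_tls()   { printf 'Current user:\t\tapp@10.0.0.5\nSSL:\t\t\tCipher in use is TLS_AES_256_GCM_SHA384\n'; }
sample_plain() { printf 'Current user:\t\tapp@10.0.0.5\nSSL:\t\t\tNot in use\n'; }
sample_cbc()   { printf 'SSL:\t\t\tCipher in use is DHE-RSA-AES256-SHA\n'; }

for s in sample_tls sample_plain sample_cbc; do
    "$s" | check_mysql_tls_status || echo "  -> $s rejected (exit $?)"
done
```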
🔒 Making certificate use mandatory
While connected to the server, you can configure the use of client certificates for authentication — server-side and client-side encryption. Run the command below to make SSL authentication mandatory for the specified user.
ALTER USER 'usuario'@'%' REQUIRE X509;
ALTER USER 'usuario'@'localhost' REQUIRE X509;

Note: The Common Name (CN) is not verified by default. Any certificate signed by the CA will be accepted.
If you want to ensure that only certificates issued for a specific user are accepted, use:
ALTER USER 'usuario'@'%' REQUIRE SUBJECT 'CN=usuario';
ALTER USER 'usuario'@'localhost' REQUIRE SUBJECT 'CN=usuario';
💡 If you want to use only certificates for login, you can remove the password requirement using the ALTER USER command.
📦 Connecting with SSL certificates
Now provide the client machine (computer/container/VM) with the appropriate SSL certificate files, which can be downloaded from the /var/lib/jelastic/keys/SSL-TLS/client directory of the desired target node. Once done, you can connect using the following command:
mysql -h {host} -P {port} -u {user} -p --ssl-mode=VERIFY_CA --ssl-ca={path/to/root.crt} --ssl-cert={path/to/client.crt} --ssl-key={path/to/client.key}
🔒 It is recommended to use VERIFY_CA to validate the server's certificate authority.
To avoid having to pass certificate paths on every connection, add them to your ~/.my.cnf file:
[client]
ssl-ca = /var/lib/jelastic/keys/root.crt
ssl-cert = /var/lib/jelastic/keys/client.crt
ssl-key = /var/lib/jelastic/keys/client.key
💡 This way, when running mysql, the certificates will be applied automatically.
📚 Documentation and Resources
- Official MySQL Documentation
- SSL Connections with MySQL
- Virtuozzo Documentation on SSL Add-on
- OpenSSL (for certificate generation)
🧠 Support
If you have questions, encounter difficulties in configuration, or need help with specific situations, contact SaveinCloud technical support through the channels available in the platform panel.