Amazon AWS database connection error with valid settings

Question

I'm running both a wordpress site as well as a mediawiki off of the same web servers. The mediawiki site works great! The wordpress site, meh. Not so much. I keep getting the common database connection error:

Error establishing a database connection

And as far as I can tell the settings between the mediawiki site and the wordpress site are nearly identical.

Here's the media wiki config first since that one's working:

## Database settings
$wgLBFactoryConf['class'] = 'LBFactorySimple';
$wgDBtype = "mysql";
$wgDBservers = '';
$wgDBserver = "db.example.com";
$wgDBssl    =  true;
$wgDBname = "jfwiki";
$wgDBuser = "admin_ssl";
$wgDBpassword = "secret";

And here's what the wordpress database connection settings look like since they are not:

/** MySQL database username */
define('DB_NAME', 'jokefire');

define('DB_USER', 'admin_ssl');

/** MySQL database password */
define('DB_PASSWORD', 'secret');

/** MySQL hostname */
define('DB_HOST', 'db.example.com');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

/** Contact the database over a secure connection */
define('DB_SSL', true);

I realize that they're not exactly the same. But I think you can make an easy correlation between the mediawiki settings and the settings for wordpress. And they look similar enough to think that wordpress should be working. Right?

The only real other difference is the name of the database each site is using, which I guess makes sense.

But the fact that medawiki works fine tells me that the user and password set for both sites has access to the database.

Just for laughs I use the account settings from the wordpress config to demonstrate that I can connect to the DB on the command line. Again, it's the same account info that I have in the wik site:

#mysql -uadmin_ssl -p -h db.example.com -D jokefire  -e "show tables" | head -5
Enter password:
Tables_in_jokefire
wp_bp_activity
wp_bp_activity_meta
wp_bp_chat_channel_users
wp_bp_chat_channels

Also, I created a basic php script to see if it could connect to the database

<?php
$link = mysql_connect('db.example.com', 'admin_ssl', 'secret');
if (!$link) {
die('Could not connect: ' . mysql_error());
}
echo 'Connected successfully';
mysql_close($link);
?>

And to my surprise it can't connect!

php testconnect.php
Could not connect: Access denied for user 'admin_ssl'@'ec2-54-86-143-49.compute-1.amazonaws.com' (using password: YES)

Why am I surprised that it can't? Because again 1) the wiki can connect to the database no problem. And 2) I can connect to the db on the command line using the same credentials.

My API MySQL Client version is:

Client API version  mysqlnd 5.0.10 - 20111026 - $Id: c85105d7c6f7d70d609bb4c000257868a40840ab $

Hope this helps narrow down the problem. Thanks!

Drew · Accepted Answer · 2015-08-15T23:59:31.443

1

The host name could easily be the issue.

Try select user,host from mysql.user where user='admin_ssl' order by host;

As is often the case on AWS servers, what works on localhost or 127.0.0.1 as a host is quite different than a host coming in from elsewhere.

From your PHP sample, the mysql server cannot authenticate the user and host. My bet it is the ec2-54-86-143-49.compute-1.amazonaws.com part of it.

A quick test would be to go on a mysql prompt on the server in question, and perform a create user and grant for such a user. Other people would recommend creating a 'admin_ssl'@'%' user so it works regardless of hostname coming in. I would be careful with that approach.

In order to lock down security, I am willing to create a user on AWS such as create user 'dbAdmin'@'mc83.newyork.comcastbusiness.com' IDENTIFIED BY ... to ensure I don't user wildcards like '%'.

Don't forget the grants. But that is getting ahead of the issue at hand, which is a connect.

good luck.

edited Aug 15 '15 at 23:59

answered Aug 15 '15 at 23:53

Drew

24,851
10
43
78

I already have the admin_ssl user with a grant that allows him to access the database from ec2-54-86-143-49.compute-1.amazonaws.com. But the grant is by IP not the EC2 host name. That's why I can access the DB from the web server on the command line. That's why the wiki works.I tried adding the EC2 hostname to the /etc/hosts files of all the hosts involved. Web server, two LB's, and the two DB's. And even after granting all to ec2-54-86-143-49.compute-1.amazonaws.com the php test script failes. Even granting all to 'admin_ssl'@'%' as a test fails with the same error using the php test script. – bluethundr Aug 16 '15 at 01:34
do you even have a user in mysql.user that is admin_ssl@% ? – Drew Aug 16 '15 at 01:38
as your mysql server (as I read it) is not on aws but your client is on aws (?), then AWS security groups is probably not the issue – Drew Aug 16 '15 at 01:43
it is important to document in the question where these servers are living, as at best we can do is make assumptions, are they all the same box, what is behind what firewall, etc. It needs detail – Drew Aug 16 '15 at 01:44
Sorry about leaving out some important details. Here goes. The two different sites (wiki and wordpresss) are both on the same web servers. There are 3 web servers sharing a document root that sits on an NFS share. The sites are load balanced behind varnish 4. And the two varnish nodes are load balanced by two HA/Proxy hosts. The site names points to a VIP that is load balanced on HA/Proxy. – bluethundr Aug 16 '15 at 01:55
Web servers, NFS server and Varnish is on Digital Ocean. The two HA/Proxy Load Balancers are on AWS. There are two MySQL databases configured in a master/master setup on AWS. The database address is also a VIP that is load balanced on the same two HA/Proxy nodes. The two database servers are using MariaDB version 10.0.20-1. Hope that adds some useful info! – bluethundr Aug 16 '15 at 02:07
Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/87076/discussion-between-bluethundr-and-drew). – bluethundr Aug 16 '15 at 02:12
I would need to command line in to be of any further assistance as this medium of debugging fails too often versus hands-on – Drew Aug 16 '15 at 02:17
Sure, I'm willing to provide that if you're up for it! – bluethundr Aug 16 '15 at 02:40
Ok in 7 hours or so. Need sleep – Drew Aug 16 '15 at 02:48
Gotha thanks... I actually made some progress on this. The problem was SSL. Once I I took the SSL requirement out of the picture for the user everything worked. The test php script and the wordpress site both. Originally when I setup my wiki it NEEDED SSL. Because there was some sensitive data in it. My website, however, is just a goofball toy project of mine. And doesn't really need that. But since I have this done for my wiki I was like why not? I stumbled getting the mediawiki to connect via SSL. Once I found the setting $wgDBssl = true; for media wiki it just worked. – bluethundr Aug 16 '15 at 03:10
For my wordpress site, I found the setting define('DB_SSL', true);. I set that up in wp-config.php. However for some reason that wasn't the silver bullet that the mediawiki SSL database setting was ( $wgDBssl = true; ). I can understand why my little test script couldn't work with an SSL user. But do you have any idea why that wordpress setting won't allow the site to connect to the DB? While it may not be of super high importance to have my site contact the DB via SSL, it would still be a nice thing to have. – bluethundr Aug 16 '15 at 03:17
too many moving parts here without seeing it to say. but I would die to know the following (so as to help bring one thing full circle) ... you introduced a PHP test into it that you mentioned at the bottom of your question and said that simple PHP connect failed. Was that with SSL or not? Did altering users/privileges in create user and grants have a positive impact on that PHP test. It is important to step by step it, else we are lost and our eyes glaze over :> – Drew Aug 16 '15 at 12:26
Hi Drew, Ok so I'll try to take this a little slower. The php script to test the DB connection was using a mysql user that was required to use SSL. When I created a user on the DB end that did not need to use SSL to connect to the database, the php test script could connect to the DB. So then I took the non-ssl database user and put that into the wordpress config. That got rid of the database error in wordpress and the site started working. But now I'm wondering why I couldn't connect to the database in wordpress with an ssl user after I put this setting in my config: define('DB_SSL', true);. – bluethundr Aug 16 '15 at 16:33
The wordpress setting define('DB_SSL', true); seems very similar to the mediawiki setting: $wgDBssl = true;. I was having a similar problem with media wiki not being able to use the database with a user that had the SSL requirement. Once I put that setting into mediawiki, the site started working with the SSL user. So what I'm wondering now is if I have to do anything else to get wordpress to work with an SSL database user other than put define('DB_SSL', true); into wp-settings.php ? Thanks – bluethundr Aug 16 '15 at 16:38
might [this](https://wordpress.org/support/topic/wordpress-with-mysql-over-ssl) be of use ? – Drew Aug 16 '15 at 16:40
Hmm I didn't have any luck with that link you showed me for some reason. But this one did the trick! https://blog.slowb.ro/enable-ssl-database-connections-for-your-wordpress-installation/ My site is now connecting to the database via SSL! :) Thanks for all your help. – bluethundr Aug 16 '15 at 20:06

Amazon AWS database connection error with valid settings

1 Answers1