1

I have been using Heroku for a while to host my Discord bot. It has been connecting to a MySQL database hosted on ClearDB successfully. However, very recently, whenever I use the bot and it tries to connect to the database, it throws this error:

2026 (HY000): SSL connection error: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol

It has been working completely fine until now, and I haven't changed anything. For background, all I did was delete a pipeline and make my app a standalone app without any pipeline. Just in case this helps.

Is this because Heroku has been updated? How can I fix my bot? Let me know if you need any more information.

Any help is appreciated, and Thank You in advance!

EDIT: Database connection code:

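import mysql.connector


def create_conn():
    """Open a new connection; return None if the connection fails."""
    conn = None
    try:
        conn = mysql.connector.connect(host="HOST",
                                       database="DB",
                                       user="USER",
                                       password="PWD")
    except Exception as e:
        print(e)
    return conn


def execute_query(query, params, fetchall=True):
    conn = create_conn()
    if conn:
        cursor = conn.cursor()
        # Pass params separately so the driver escapes them; building the
        # statement with query % params allows SQL injection.
        cursor.execute(query, params)
        try:
            if fetchall:
                results = cursor.fetchall()
            else:
                results = cursor.fetchone()
        except mysql.connector.Error:
            # Statements without a result set (INSERT, UPDATE, ...) have nothing to fetch.
            results = None
        conn.commit()
        cursor.close()
        conn.close()
        return results
    else:
        return False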

The database connection used to work, and still works when I run it on my testing machine, a Raspberry Pi.

EDIT 2: requirements.txt:

aiohttp==3.6.3
async-timeout==3.0.1
attrs==20.3.0
CacheControl==0.12.6
cachetools==4.2.0
certifi==2020.12.5
cffi==1.14.4
chardet==3.0.4
click==7.1.2
cryptography==3.3.1
cssselect==1.1.0
cssutils==1.0.2
discord==1.0.1
discord-pretty-help==1.2.0
discord.py==1.6.0
emoji==0.6.0
Flask==1.1.2
google-api-core==1.24.1
google-api-python-client==1.12.8
google-auth==1.24.0
google-auth-httplib2==0.0.4
google-cloud-core==1.5.0
google-cloud-firestore==2.0.2
google-cloud-storage==1.35.0
google-crc32c==1.1.0
google-resumable-media==1.2.0
googleapis-common-protos==1.52.0
grpcio==1.34.0
gunicorn==20.0.4
httplib2==0.18.1
idna==2.8
importlib-metadata==3.3.0
itsdangerous==1.1.0
jeepney==0.6.0
Jinja2==2.11.2
keyring==21.8.0
lxml==4.6.2
MarkupSafe==1.1.1
msgpack==1.0.2
multidict==4.7.6
mysql-connector-python==8.0.22
numpy==1.19.4
pandas==1.1.5
premailer==3.7.0
proto-plus==1.13.0
protobuf==3.14.0
pyasn1==0.4.8
pyasn1-modules==0.2.8
pycparser==2.20
python-dateutil==2.8.1
python-dotenv==0.15.0
pytz==2020.4
requests==2.25.1
rsa==4.7
schedule==0.6.0
SecretStorage==3.3.0
six==1.15.0
typing-extensions==3.7.4.3
uritemplate==3.0.1
urllib3==1.26.2
Werkzeug==1.0.1
yagmail==0.14.245
yarl==1.5.1
zipp==3.4.0
Krishnan Shankar
  • did you check with Workbench or so if the connection can be established? Also see if the server is running – nbk Jan 30 '21 at 19:48
  • have you upgraded OpenSSL .. check this out https://stackoverflow.com/questions/53058362/openssl-v1-1-1-ssl-choose-client-version-unsupported-protocol – Yan Jan 30 '21 at 20:21
  • @Yan how are you supposed to upgrade OpenSSL if you use Heroku and ClearDB connected to a GitHub repository? – Krishnan Shankar Jan 30 '21 at 23:27
  • which stack are you using? Are you running on ruby stack? – thelovekesh Jan 31 '21 at 04:10
  • @KrishnanShankar hard to say but you've said that you've deleted a pipeline and running a standalone app. Is it possible the underlying OS version is different. Checkout this SO https://stackoverflow.com/questions/61649764/mysql-error-2026-ssl-connection-error-ubuntu-20-04 ... Might need to update config to set the minimum TLS version. – Yan Jan 31 '21 at 15:37
  • @Yan how are you supposed to do what the question says to do if you are on Heroku? Is there a way to access the `openssl.conf` file from Heroku? If so, please let me know how. I have just started using Heroku to host my bot about a month ago, and I am pretty new to the concept of hosting. Thank You for your help! – Krishnan Shankar Jan 31 '21 at 16:02
  • I am not very familiar with how Heroku works, but I am assuming that the issue is not with the SSL configuration; it's with the bot configuration that is connecting to the DB. What language is the bot written in, and how do you connect to the DB? – Yan Jan 31 '21 at 16:04
  • @Yan I am using discord.py. I will edit the question with my code that connects to the database in a few minutes – Krishnan Shankar Jan 31 '21 at 16:14
  • @KrishnanShankar, please [edit] your question and add your `requirements.txt` or `Pipfile` and `Pipfile.lock`. – ChrisGPT was on strike Feb 01 '21 at 23:46
  • @Chris I've added it! – Krishnan Shankar Feb 01 '21 at 23:49
  • @KrishnanShankar check this out https://stackoverflow.com/questions/59300128/set-and-verify-ssl-tls-version-used-in-python-mysql-connection .. Seems like mysql connector added an option to set tls-version. Can you try that? – Yan Feb 02 '21 at 21:22
  • Also in that SO post it shows how to get variables and get supported `tls-version` can you run `SHOW VARIABLES LIKE "%version%";` on MySQL server? – Yan Feb 02 '21 at 21:23
  • Here is what I get: https://ibb.co/JjCbvsD – Krishnan Shankar Feb 02 '21 at 21:49
  • What about setting `tls-version` when creating the `mysql.connector.connect` connection? – Yan Feb 02 '21 at 22:25
  • What should I set `tls-version` to? – Krishnan Shankar Feb 02 '21 at 22:43
  • I set tls_version to v1, and now I'm getting a `no protocols available` error instead of an `unsupported protocol` error. Could it be that ClearDB only supports v1 of TLS which Heroku doesn't support anymore? Should I try re-creating my database? – Krishnan Shankar Feb 03 '21 at 01:25
  • You shouldn't set it to v1; it should definitely be higher. What if you set it to 1.2? Does that work? – Yan Feb 03 '21 at 12:48
  • If I set it to v1.2, it says `unsupported protocol`, and if I set it to v1 or v1.1 it says `no protocols available`. This makes me think it is a problem related to different protocol minimums and maximums across the two platforms: Heroku and ClearDB. – Krishnan Shankar Feb 04 '21 at 23:06
  • @KrishnanShankar seems that way. not sure why though. v1.2 has been out since 2008. Is it unsupported protocol error from python? Which OS are you running on heroku? – Yan Feb 05 '21 at 13:45
  • @Yan how am I supposed to figure out which OS I'm running on Heroku? – Krishnan Shankar Feb 05 '21 at 22:49
  • @KrishnanShankar not really sure .. it looks like it's based on the stack you are using heroku-18 vs heroku-20 https://devcenter.heroku.com/articles/stack – Yan Feb 06 '21 at 01:27
  • I am using heroku-20, should I switch back to heroku-18? – Krishnan Shankar Feb 06 '21 at 01:56
  • If I should switch back to heroku-18, is there a way to do that from the dashboard? I don't use Heroku CLI since I am connected through GitHub Push Requests. – Krishnan Shankar Feb 06 '21 at 02:15
  • Take a look at this, I think it will help: https://serverfault.com/questions/1016796/cannot-conect-mysql-error-2026-after-upgrade-to-ubuntu-20-04 –  Feb 07 '21 at 14:43
  • `ssl_cipher` has no value according to the query: https://i.ibb.co/k3TJytb/Screenshot-2021-02-07-115444.png – Krishnan Shankar Feb 07 '21 at 16:55
  • Peter or @Yan feel free to post a question with our discussion above so I can award it the bounty, although I would prefer if you keep working with me on this to actually solve the issue. – Krishnan Shankar Feb 09 '21 at 00:06
  • @KrishnanShankar did you get it to work? – Yan Feb 09 '21 at 13:25
  • @Yan nope, not yet... however, if you could post a question with our conversation so I can award the bounty, that would be nice since it expires in 9 hours. You can still help me with it afterwards. – Krishnan Shankar Feb 09 '21 at 13:59
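
The two errors reported in the comments above can be reproduced with a simplified model of version negotiation for TLS 1.2 and earlier. This is an added example, not code from the thread; the client policy floor of TLSv1.2 and the server list of TLSv1/TLSv1.1 are assumptions consistent with the reported errors, and `negotiate` and `explain` are illustrative names.

```python
# Simplified model of TLS <= 1.2 version negotiation (added example).
ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2"]


def negotiate(requested, client_min, server_versions):
    """Return (outcome, detail) for one handshake attempt.

    requested       -- versions the application asks for (e.g. tls_versions)
    client_min      -- lowest version the client's OpenSSL policy permits
    server_versions -- versions the server accepts
    """
    floor = ORDER.index(client_min)
    # The library policy filters what the application asked for.
    enabled = [v for v in ORDER if v in requested and ORDER.index(v) >= floor]
    if not enabled:
        # Nothing is left to offer, so no ClientHello is ever sent.
        return "error", "no protocols available"
    client_max = ORDER.index(enabled[-1])
    # The server answers with the highest version it supports that does not
    # exceed the version offered by the client.
    candidates = [v for v in ORDER
                  if v in server_versions and ORDER.index(v) <= client_max]
    if not candidates:
        return "error", "server alert: protocol version"
    chosen = candidates[-1]
    if chosen not in enabled:
        # The ServerHello names a version the client has disabled.
        return "error", "unsupported protocol"
    return "ok", chosen


def explain(client_min, server_versions):
    """Try each single-version setting in turn, as in the comments above."""
    return {v: negotiate([v], client_min, server_versions) for v in ORDER}


if __name__ == "__main__":
    # Constructed scenario (assumption): client floor TLSv1.2, server limited
    # to TLSv1 and TLSv1.1.
    for version, result in explain("TLSv1.2", ["TLSv1", "TLSv1.1"]).items():
        print(version, "->", result)
    # A client whose policy still permits TLSv1 negotiates successfully.
    print(negotiate(ORDER, "TLSv1", ["TLSv1", "TLSv1.1"]))
```

Under these assumptions, no client-side `tls_versions` value can succeed while the client floor and the server ceiling do not overlap; one of the two sides has to change its supported range.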

3 Answers

2

Just in case, you can turn off SSL by:

conn = mysql.connector.connect(host="HOST",
                               database="DB",
                               user="USER",
                               password="PWD",
                               ssl_disabled=True)
Flair
Vinh TRAN
0

I'm not quite sure how to do this, but I'm pretty sure you have to disable SSL for it to work. Hope this helps.

  • It might work but not really solving the issue. Plus this is not secure and the credentials and data will be transferred in clear text – Yan Feb 06 '21 at 01:39
0

Clearly, you need to enforce an SSL connection between your app and MySQL.

If you are using ruby stack then follow the given options and your SSL error problem will be solved.

  • Download the CA, Client, and Private Key files from your ClearDB dashboard and place them in the root of the application’s filesystem.
  • Make sure you have OpenSSL installed, which you can find here for Unix/Linux/OS X and here for Windows.
  • Due to the MySQL client library configuration used on Heroku, you will need to strip the password from the private key file, which can be done like this:

$ openssl rsa -in cleardb_id-key.pem -out cleardb_id-key-no-password.pem

You can now delete the cleardb_id-key.pem and rename cleardb_id-key-no-password.pem to cleardb_id-key.pem, which you will use with your app.

  • Set the DATABASE_URL config variable with the value of your modified CLEARDB_DATABASE_URL, like this:

$ heroku config:add DATABASE_URL="mysql2://abc1223:dfk243@us-cdbr-east.cleardb.com/my_heroku_db?sslca=cleardb-ca-cert.pem&sslcert=cleardb_id-cert.pem&sslkey=cleardb_id-key.pem&reconnect=true"

Notice how we added the “reconnect=true” parameters to the end of the URL? This is so that your application will automatically reconnect to ClearDB in the event of a connection timeout.

From here, simply restart your application (if Heroku didn’t already do that for you), and as long as you specified the correct file names and paths to the certificates in your DATABASE_URL, your app will now connect via SSL to ClearDB.

thelovekesh
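
For a Python bot that uses mysql.connector, the certificate parameters in the DATABASE_URL above map onto `connect()` keyword arguments. This is an added example, not part of the answer or of ClearDB's documentation; `connector_kwargs` and `connect` are hypothetical helpers, and the sample URL is the one quoted in the answer.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# URL quoted in the answer above (placeholder credentials from that answer).
SAMPLE_URL = ("mysql2://abc1223:dfk243@us-cdbr-east.cleardb.com/my_heroku_db"
              "?sslca=cleardb-ca-cert.pem&sslcert=cleardb_id-cert.pem"
              "&sslkey=cleardb_id-key.pem&reconnect=true")


def connector_kwargs(database_url, tls_versions=("TLSv1.2",)):
    """Translate a ClearDB-style URL into mysql.connector.connect() kwargs."""
    parts = urlsplit(database_url)
    if not parts.scheme.startswith("mysql"):
        raise ValueError("not a MySQL URL: %r" % parts.scheme)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    missing = [k for k in ("sslca", "sslcert", "sslkey") if k not in query]
    if missing:
        # Fail closed instead of silently connecting without TLS material.
        raise ValueError("missing TLS parameters: " + ", ".join(missing))
    # reconnect=true is an option of the Ruby mysql2 adapter and is dropped.
    return {
        "host": parts.hostname,
        "port": parts.port or 3306,
        "user": unquote(parts.username or ""),
        "password": unquote(parts.password or ""),
        "database": parts.path.lstrip("/"),
        "ssl_ca": query["sslca"],
        "ssl_cert": query["sslcert"],
        "ssl_key": query["sslkey"],
        "ssl_verify_cert": True,  # off by default: check the server cert against ssl_ca
        "tls_versions": list(tls_versions),
    }


def connect(database_url):
    """Open the connection; mysql.connector is imported only when needed."""
    import mysql.connector
    return mysql.connector.connect(**connector_kwargs(database_url))


if __name__ == "__main__":
    # Mask the password before printing the derived settings.
    shown = dict(connector_kwargs(SAMPLE_URL), password="***")
    for key, value in shown.items():
        print(key, "=", value)
```

Verifying the certificate does not change which TLS versions the server accepts, so a version mismatch between client and server still fails the handshake.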