Issues when configuring MariaDB with SSL
-
Hi @DennisMidjord That error typically indicates that you've used the wrong certificate when adding the certificate. What did you add? Thanks! 0 -
I just followed the guide strictly - even called the directory /mysql_keys. 0 -
But if you don't have mysql_keys, that's not going to be relevant for you. The note explains it: Note: In the following examples, /mysql_keys represents the key storage directory.
If you created the certificates in the directory, my assumption is that mysql may not be able to access it. Where did you create it? 0 -
Hi again, I know that the name of the directory doesn't matter, as soon as I just make it persistent. I did just choose to make the directory /mysql_keys, create and place the files in that folder and then run
    chown -Rf mysql. /mysql_keys
to make sure mysql could read the files. I added the following to /etc/my.cnf:
    [mysqld]
    ...
    ...
    ssl-cipher=DHE-RSA-AES256-SHA
    ssl-ca=/mysql_keys/ca-cert.pem
    ssl-cert=/mysql_keys/server-cert.pem
    ssl-key=/mysql_keys/server-key.pem
    [client]
    ssl-cert=/mysql_keys/client-cert.pem
    ssl-key=/mysql_keys/client-key.pem
After restarting MySQL, it still doesn't seem to work. 0 -
Hi @DennisMidjord I think I'm being unclear and I apologize. The documentation doesn't note that the full path to mysql_keys needs to be called - it looks like you're just calling /mysql_keys in the my.cnf - what's the full path? That's what should be present in the my.cnf. Thanks! 0 -
Hi @cPanelLauren The full path to the keys is /mysql_keys:
    [root@server11 ~]# ls -la /mysql_keys/
    total 40
    drwxr-xr-x 2 mysql mysql 4096 Oct 10 14:28 .
    dr-xr-xr-x. 20 root root 4096 Oct 10 14:12 ..
    -rw-r--r-- 1 mysql mysql 1419 Oct 10 14:27 ca-cert.pem
    -rw-r--r-- 1 mysql mysql 1675 Oct 10 14:27 ca-key.pem
    -rw-r--r-- 1 mysql mysql 1289 Oct 10 14:28 client-cert.pem
    -rw-r--r-- 1 mysql mysql 1679 Oct 10 14:29 client-key.pem
    -rw-r--r-- 1 mysql mysql 1094 Oct 10 14:28 client-req.pem
    -rw-r--r-- 1 mysql mysql 1289 Oct 10 14:28 server-cert.pem
    -rw-r--r-- 1 mysql mysql 1679 Oct 10 14:28 server-key.pem
    -rw-r--r-- 1 mysql mysql 1094 Oct 10 14:28 server-req.pem
I'm not using .htaccess to do anything - it's as soon as I do a mysql command from SSH that it fails. 0 -
Hi @DennisMidjord This isn't the full path to /mysql_keys, this is the contents of mysql_keys. To get the full path you can run
    pwd
from the mysql_keys directory. I'm sorry, I misspoke: you need to put the full path in the my.cnf, not just /mysql_keys. 0 -
Hi, It really is the full path. Note the preceding slash ;-)
    [root@server11 mysql_keys]# pwd
    /mysql_keys
The directory was created at the root of the disk, so the keys are actually in /mysql_keys/. 0 -
Hi @DennisMidjord The output here
    [root@server11 ~]# ls -la /mysql_keys/
seems to insinuate you're in /root (root's homedir), not /, so my assumption is you created /root/mysql_keys, not /mysql_keys. 0 -
Can you also run:
    mysql --skip-ssl
    show variables like '%ssl%';
and provide the output? For your specific error as well, I wonder, are you running MySQL or MariaDB? There is an issue with MariaDB and SSL connections: MariaDB SSL connection issues. I haven't found anything as of yet for MySQL, though I am curious if 5.7 is also experiencing issues - the version of MySQL here would be important. 0 -
Hello @cPanelLauren Thanks for that link! I managed to get it working by not using the same information for the two certificates. 0 -
Hi @DennisMidjord Interesting! Can you tell me what you did? I wonder if that KB article needs to be updated now. Thanks! 0 -
Hi, Using different information for the certificates was what fixed it for me. 0 -
Hi @DennisMidjord Meaning when you created the certificates you just created them with different details? This would make them inherently different from each other, which I find interesting. 0 -
Hello, Yes, that's correct. When entering the details for the client certificate, I just changed them up a bit from what I entered for the server certificate, and it worked immediately.
"The core of the issue, you've used exactly the same information both for the client and the server certificate (same country, organization, locality, etc). And OpenSSL doesn't like that."
0 -
Hello,
I have the same issue, I cannot activate SSL connection on MariaDB. When checking certificates as requested (see below), it gives me an error of self signed certificate
    openssl verify -CAfile /mysql_keys/ca-cert.pem /mysql_keys/server-cert.pem /mysql_keys/client-cert.pem
0 -
dandumit - it's usually best to create a new thread instead of replying to an older one - we'd hate to miss something!
I'm not seeing the word "verify" in that docs page, so I can't say for sure where you got that command.
0 -
Hello @... - thank you for the reply. The problem is that the documentation provided does not work well for MariaDB. Luckily, with the above forum thread I have found the problems and explanations:
1. MariaDB uses OpenSSL and lets it verify certificates. MySQL either uses YaSSL or OpenSSL and is sloppy about error checking. That's why your certificates used to work with MySQL and stopped working when you upgraded.
Then the certificates have to be generated and the command below run until no error is met:
    openssl verify -CAfile /mysql_keys/ca-cert.pem /mysql_keys/server-cert.pem /mysql_keys/client-cert.pem
How to generate those certificates until no error?
From link:
I have followed
In this case you need to provide a different name each time and not to let it use the default value.
For example:
CA Cert: app-ca-cert.
Server Cert: app-server-cert.
Client Cert: app-client-cert.
At the end I have run openssl verify again, and I have managed to get them valid and I have activated SSL on MariaDB.
thank you,
Daniel
0 -
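The procedure described in the post above, as an added example that is not part of the original thread: it creates a CA, a server and a client certificate with three different Common Names, checks that the three subjects differ, and runs the same openssl verify command. The temporary directory, the C and O values and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example: throwaway directory and constructed names, not the thread's keys.
umask 077   # private keys are created readable by their owner only

# make_leaf DIR NAME CN SERIAL: key, CSR and a certificate signed by DIR/ca-cert.pem
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/C=DK/O=Example/CN=$3" \
        -keyout "$1/$2-key.pem" -out "$1/$2-req.pem" 2>/dev/null &&
    openssl x509 -req -in "$1/$2-req.pem" -days 365 -set_serial "$4" \
        -CA "$1/ca-cert.pem" -CAkey "$1/ca-key.pem" \
        -out "$1/$2-cert.pem" 2>/dev/null
}

# make_chain DIR CA_CN SERVER_CN CLIENT_CN: self-signed CA plus two leaves
make_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/C=DK/O=Example/CN=$2" \
        -keyout "$1/ca-key.pem" -out "$1/ca-cert.pem" 2>/dev/null &&
    make_leaf "$1" server "$3" 01 &&
    make_leaf "$1" client "$4" 02
}

# subject_of FILE: print the certificate's subject line
subject_of() { openssl x509 -in "$1" -noout -subject; }

# subjects_distinct DIR: succeed only if CA, server and client subjects all differ
subjects_distinct() {
    ca=$(subject_of "$1/ca-cert.pem")
    srv=$(subject_of "$1/server-cert.pem")
    cli=$(subject_of "$1/client-cert.pem")
    [ "$ca" != "$srv" ] && [ "$ca" != "$cli" ] && [ "$srv" != "$cli" ]
}

# verify_chain DIR: the openssl verify check quoted in the thread
verify_chain() {
    openssl verify -CAfile "$1/ca-cert.pem" \
        "$1/server-cert.pem" "$1/client-cert.pem" >/dev/null 2>&1
}

# Demo with the names from the post, in a temporary directory.
dir=$(mktemp -d)
if make_chain "$dir" app-ca-cert app-server-cert app-client-cert &&
   subjects_distinct "$dir" && verify_chain "$dir"; then
    echo "subjects differ and both certificates verify against the CA"
else
    echo "check failed: compare the subjects and regenerate" >&2
fi
rm -rf "$dir"
```

Run against existing files, `subjects_distinct /mysql_keys` and `verify_chain /mysql_keys` apply the same two checks to certificates that were already generated.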
-
Thanks for sharing the fix that you found!!
0