
Comments

19 comments

  • cPanelLauren
    Hi @DennisMidjord, that error typically indicates that you've used the wrong certificate when adding the certificate. What did you add? Thanks!
    0
  • DennisMidjord
    I just followed the guide strictly - even called the directory /mysql_keys.
    0
  • cPanelLauren
    But if you don't have mysql_keys that's not going to be relevant for you. The note explains it: "Note: In the following examples, /mysql_keys represents the key storage directory."
    If you created the certificates in the directory, my assumption is that mysql may not be able to access it. Where did you create it?
    0
  • DennisMidjord
    Hi again, I know that the name of the directory doesn't matter, as soon as I just make it persistent. I did just choose to make the directory /mysql_keys, create and place the files in that folder and then run
        chown -Rf mysql. /mysql_keys
    to make sure mysql could read the files. I added the following to /etc/my.cnf:
        [mysqld]
        ...
        ...
        ssl-cipher=DHE-RSA-AES256-SHA
        ssl-ca=/mysql_keys/ca-cert.pem
        ssl-cert=/mysql_keys/server-cert.pem
        ssl-key=/mysql_keys/server-key.pem
        [client]
        ssl-cert=/mysql_keys/client-cert.pem
        ssl-key=/mysql_keys/client-key.pem
    After restarting MySQL, it still doesn't seem to work.
    0
  • cPanelLauren
    Hi @DennisMidjord, I think I'm being unclear and I apologize. The documentation doesn't note that the full path to mysql_keys needs to be called - it looks like you're just calling /mysql_keys in the my.cnf - what's the full path? That's what should be present in the my.cnf. Thanks!
    0
  • DennisMidjord
    Hi @cPanelLauren, the full path to the keys is /mysql_keys:
        [root@server11 ~]# ls -la /mysql_keys/
        total 40
        drwxr-xr-x 2 mysql mysql 4096 Oct 10 14:28 .
        dr-xr-xr-x. 20 root root 4096 Oct 10 14:12 ..
        -rw-r--r-- 1 mysql mysql 1419 Oct 10 14:27 ca-cert.pem
        -rw-r--r-- 1 mysql mysql 1675 Oct 10 14:27 ca-key.pem
        -rw-r--r-- 1 mysql mysql 1289 Oct 10 14:28 client-cert.pem
        -rw-r--r-- 1 mysql mysql 1679 Oct 10 14:29 client-key.pem
        -rw-r--r-- 1 mysql mysql 1094 Oct 10 14:28 client-req.pem
        -rw-r--r-- 1 mysql mysql 1289 Oct 10 14:28 server-cert.pem
        -rw-r--r-- 1 mysql mysql 1679 Oct 10 14:28 server-key.pem
        -rw-r--r-- 1 mysql mysql 1094 Oct 10 14:28 server-req.pem
    I'm not using .htaccess to do anything - it's as soon as I do a mysql command from SSH that it fails.
    0
  • cPanelLauren
    Hi @DennisMidjord, this isn't the full path to /mysql_keys, this is the contents of mysql_keys. To get the full path you can run pwd
    from the mysql_keys directory. I'm sorry, I misspoke: you need to put the full path in the my.cnf, not just /mysql_keys.
    0
  • DennisMidjord
    Hi, It really is the full path. Note the preceding slash ;-)
        [root@server11 mysql_keys]# pwd
        /mysql_keys
    The directory was created at the root of the disk, so the keys are actually in /mysql_keys/.
    0
  • cPanelLauren
    Hi @DennisMidjord, the output here
        [root@server11 ~]# ls -la /mysql_keys/
    seems to insinuate you're in /root (root's homedir), not /, so my assumption is you created /root/mysql_keys, not /mysql_keys.
    0
  • cPanelLauren
    Can you also run:
        mysql --skip-ssl
        show variables like '%ssl%';
    and provide the output? For your specific error as well I wonder, are you running MySQL or MariaDB? There is an issue with MariaDB and SSL connections ("MariaDB SSL connection issues"). I haven't found anything as of yet for MySQL, though I am curious if 5.7 is also experiencing issues - the version of MySQL here would be important.
    0
  • DennisMidjord
    Hello @cPanelLauren, thanks for that link! I managed to get it working by not using the same information for the two certificates.
    0
  • cPanelLauren
    Hi @DennisMidjord, interesting! Can you tell me what you did? I wonder if that KB article needs to be updated now. Thanks!
    0
  • DennisMidjord
    Hi, Using different information for the certificates was what fixed it for me.
    0
  • cPanelLauren
    Hi @DennisMidjord Meaning when you created the certificates you just created them with different details? This would make them inherently different from each other, which I find interesting.
    0
  • DennisMidjord
    Hello, Yes, that's correct. When entering the details for the client certificate, I just changed them up a bit from what I entered for the server certificate, and it worked immediately.
    Quote: "The core of the issue, you've used exactly the same information both for the client and the server certificate (same country, organization, locality, etc). And OpenSSL doesn't like that."
    0
  • dandumit

    Hello,

    I have the same issue, I cannot activate SSL connection on MariaDB. When checking certificates as requested (see below) it gives me an error of self signed certificate

    openssl verify -CAfile /mysql_keys/ca-cert.pem /mysql_keys/server-cert.pem /mysql_keys/client-cert.pem
    0
  • cPRex Jurassic Moderator

    dandumit - it's usually best to create a new thread instead of replying to an older one - we'd hate to miss something!

    I'm not seeing the word "verify" in that docs page, so I can't say for sure where you got that command.

    0
  • dandumit

    Hello @... - thank you for the reply. The problem is that the documentation provided does not work well for MariaDB. Luckily, with the above forum thread I have found the problems and explanations:

    1. MariaDB uses OpenSSL and lets it verify certificates. MySQL either uses YaSSL or OpenSSL and is sloppy about error checking. That's why your certificates used to work with MySQL and stopped working when you upgraded.

    Then certificates had to be generated and the command below run until no error is met.

    • openssl verify -CAfile /mysql_keys/ca-cert.pem /mysql_keys/server-cert.pem /mysql_keys/client-cert.pem

    How to generate those certificates until no error?

    From link:

    https://stackoverflow.com/questions/19726138/openssl-error-18-at-0-depth-lookupself-signed-certificate

    I have followed:

    In this case you need to provide a different name each time and not to let it use the default value.

    For example:

    CA Cert: app-ca-cert.

    Server Cert: app-server-cert.

    Client Cert: app-client-cert.

    At the end I have run again openssl verify and I have managed to get them valid and I have activated SSL on MariaDB

     

    thank you,

    Daniel

    0
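The fix both posters describe, as an added example that is not part of the original thread or the cPanel guide: it builds a CA, server and client certificate with distinct names, checks that no leaf certificate shares the CA's subject, and runs the same `openssl verify` command quoted above. The function names, `O=Example`, the 30-day lifetime and the temporary directory are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example. CNs follow the names suggested in the thread; O=Example and the
# temporary directory are constructed for illustration.

# make_chain DIR CA_CN SERVER_CN CLIENT_CN: CA plus two certificates signed by it.
make_chain() {
    local dir=$1 role cn serial
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/C=US/O=Example/CN=$2" \
        -keyout "$dir/ca-key.pem" -out "$dir/ca-cert.pem" 2>/dev/null || return 1
    for role in server client; do
        if [ "$role" = server ]; then cn=$3 serial=01; else cn=$4 serial=02; fi
        openssl req -newkey rsa:2048 -nodes -subj "/C=US/O=Example/CN=$cn" \
            -keyout "$dir/$role-key.pem" -out "$dir/$role-req.pem" 2>/dev/null || return 1
        openssl x509 -req -in "$dir/$role-req.pem" -days 30 -set_serial "$serial" \
            -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" \
            -out "$dir/$role-cert.pem" 2>/dev/null || return 1
    done
    chmod 600 "$dir"/*-key.pem   # private keys should not be world-readable
}

# Print a certificate's subject in one canonical form.
subject_of() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=[[:space:]]*//'
}

# subjects_collide DIR: succeeds (0) when a leaf certificate has the CA's subject,
# the condition behind the self-signed certificate error in the thread.
subjects_collide() {
    local ca leaf
    ca=$(subject_of "$1/ca-cert.pem")
    for leaf in server client; do
        if [ "$(subject_of "$1/$leaf-cert.pem")" = "$ca" ]; then return 0; fi
    done
    return 1
}

# verify_chain DIR: the check quoted in the thread, reduced to an exit status.
verify_chain() {
    openssl verify -CAfile "$1/ca-cert.pem" \
        "$1/server-cert.pem" "$1/client-cert.pem" >/dev/null 2>&1
}

demo=$(mktemp -d)
make_chain "$demo" app-ca-cert app-server-cert app-client-cert
if subjects_collide "$demo"; then echo "subject collision: regenerate with distinct names"
elif verify_chain "$demo"; then echo "chain verifies"; fi
rm -rf "$demo"
```

Running `subjects_collide` on the key directory before restarting the database catches the identical-details mistake without waiting for a failed client connection.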
  • cPRex Jurassic Moderator

    Thanks for sharing the fix that you found!!

    0
