MySQL SSL Config Errors
I'm trying to set up SSL on my MySQL server using the instructions found here -
https://docs.cpanel.net/knowledge-base/security/how-to-configure-mysql-ssl-connections/
But when I restart MySQL, the logs show ...
[Server] Failed to set up SSL because of the following SSL library error: SSL_CTX_set_default_verify_paths failed
[Server] Plugin mysqlx reported: 'Failed at SSL configuration: "SSL context is not usable without certificate and private key"'
I've repeated the steps a couple of times now to make sure I didn't miss anything, double-checked the paths and made sure to chown the files so that mysql owns them, but the result is always the same.
Does anyone know how I can resolve these errors?
-
Hey there! I was able to get this working properly by following the directions on a test machine. Do you see any errors when checking the paths of the configuration files mentioned in the my.cnf file? This handy script will check them for you and report errors:
for f in $(grep pem /etc/my.cnf | awk -F= '{ print $2 }' ); do ls -lha $f; done
But that error message generally indicates a path error or an ownership/permissions issue.
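As an added example that is not part of the thread (it is not the poster's script), here is an extended version of that one-liner: for every ssl-ca / ssl-cert / ssl-key line in an option file it checks that the path exists, actually holds PEM data, is owned by the expected user (mysql by default) and, for private keys, is not group/world readable. It assumes only a POSIX sh with standard grep, sed and ls; the option file and owner are parameters.

```shell
#!/bin/sh
# Added example, not from the thread: audit the TLS files a MySQL option file points to.
# Parses ssl-ca / ssl-cert / ssl-key (server or [client] section alike) and checks that
# each path exists, looks like PEM, is owned by the expected user and, for private
# keys, is not group/world readable. Prints one line per finding and returns the
# number of problems found (0 = clean), so it can be used from scripts or cron.
# Usage: audit_mysql_ssl /etc/mysql/my.cnf [expected_owner]   (owner defaults to mysql)
audit_mysql_ssl() {
    cnf=$1
    owner=${2:-mysql}
    problems=0
    [ -r "$cnf" ] || { echo "ERROR: cannot read option file $cnf"; return 1; }
    # Normalise "ssl_key = /path" and "ssl-key=/path" to "ssl-key=/path".
    entries=$(grep -E '^[[:space:]]*ssl[-_](ca|cert|key)[[:space:]]*=' "$cnf" |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*=[[:space:]]*/=/' \
            -e 's/[[:space:]]*$//' -e 's/^ssl_/ssl-/')
    [ -n "$entries" ] || { echo "ERROR: no ssl-ca/ssl-cert/ssl-key lines in $cnf"; return 1; }
    while IFS='=' read -r opt path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $opt -> $path"
            problems=$((problems + 1))
            continue
        fi
        if ! grep -q -e '-----BEGIN' "$path" 2>/dev/null; then
            echo "NOT-PEM  $opt -> $path has no -----BEGIN marker (wrong file, or unreadable)"
            problems=$((problems + 1))
        fi
        # "ls -ld" gives: mode owner group ...; the same layout on GNU and BSD ls.
        set -- $(ls -ld "$path")
        mode=$1; fowner=$3
        if [ "$fowner" != "$owner" ]; then
            echo "OWNER    $opt -> $path is owned by $fowner, expected $owner"
            problems=$((problems + 1))
        fi
        # Private keys: the group/other bits (chars 5-10 of the mode string) must all be '-'.
        if [ "$opt" = ssl-key ] && [ "$(printf '%s' "$mode" | cut -c5-10)" != "------" ]; then
            echo "PERMS    $opt -> $path is $mode; a private key should be -rw------- (chmod 600)"
            problems=$((problems + 1))
        fi
    done <<EOF
$entries
EOF
    echo "$problems problem(s) found for $cnf"
    return $problems
}
```

Run it against the file mysqld actually reads (see the "Default options are read from" output later in the thread); a clean run prints "0 problem(s) found".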
-
I had to modify the script to match the location of my MySQL configuration file, but it returns the correct file locations and mysql is the owner of the files.
# for f in $(grep pem /etc/mysql/mysql.conf.d/mysqld.cnf | awk -F= '{ print $2 }' ); do ls -lha $f; done
-rw-r--r-- 1 mysql mysql 1.6K Feb 23 11:24 /mysql_keys/ca-cert.pem
-rw-r--r-- 1 mysql mysql 1.4K Feb 23 11:27 /mysql_keys/server-cert.pem
-rw------- 1 mysql mysql 1.7K Feb 23 11:27 /mysql_keys/server-key.pem
-rw-r--r-- 1 mysql mysql 1.4K Feb 23 11:29 /mysql_keys/client-cert.pem
-rw------- 1 mysql mysql 1.7K Feb 23 11:29 /mysql_keys/client-key.pem
Could it be that mysql needs write permissions on the server-key.pem and client-key.pem files for some reason?
-
Could you get me some more details about that server's configuration? I've never seen a MySQL configuration path like that on a cPanel machine, as that is traditionally just /etc/my.cnf, both on AlmaLinux and Ubuntu.
But no, those permissions are the same as the one on my test system:
# for f in $(grep pem /etc/my.cnf | awk -F= '{ print $2 }' ); do ls -lha $f; done
-rw-r--r-- 1 mysql mysql 1.5K Feb 23 19:45 /var/lib/mysql/mysql_keys/ca-cert.pem
-rw-r--r-- 1 mysql mysql 1.4K Feb 23 19:47 /var/lib/mysql/mysql_keys/server-cert.pem
-rw------- 1 mysql mysql 1.7K Feb 23 19:47 /var/lib/mysql/mysql_keys/server-key.pem
-rw-r--r-- 1 mysql mysql 1.4K Feb 23 19:48 /var/lib/mysql//mysql_keys/client-cert.pem
-rw------- 1 mysql mysql 1.7K Feb 23 19:48 /var/lib/mysql/mysql_keys/client-key.pem
-
It's Ubuntu 22.04.5
MySQL version: 8.0.41-0
There's a /etc/mysql/my.cnf file which includes the following file/folder -
/etc/mysql/mysql.conf.d/mysqld.cnf
/etc/mysql/conf.d/
I put the changes directly into /etc/mysql/mysql.conf.d/mysqld.cnf because it contains the [mysqld] section.
-
I don't believe those configuration files are going to be valid, but we can confirm this with the following command:
/usr/sbin/mysqld --verbose --help | grep -A 1 "Default options"
We're looking for this section of output, as it may show other sections of the MySQL error log that won't be relevant here:
Default options are read from the following files in the given order:
/etc/my.cnf /etc/mysql/my.cnf ~/.my.cnf
If your output is similar, you'll need to use the main /etc/my.cnf for all the changes, and undo any changes to those other files you mention.
-
The output is -
Default options are read from the following files in the given order:
/etc/my.cnf /etc/mysql/my.cnf ~/.my.cnf
The file /etc/my.cnf doesn't exist, so I would need to create it.
/etc/mysql/my.cnf does exist, though. Do you think it would be OK to add the SSL config there?
-
Yes, try /etc/mysql/my.cnf and see if that gets things working! You may need to create the [mysqld] or [client] sections as outlined. Below is what my configuration looks like on a test server:
#
# This group is read both by the client and the server
# use it for options that affect everything
#
[client-server]
#
# include *.cnf from the config directory
#
!includedir /etc/my.cnf.d
[mysqld]
log-error=/var/lib/mysql/10-2-68-194.cprapid.com.err
performance-schema=0
innodb_buffer_pool_size=126877696
max_allowed_packet=268435456
open_files_limit=40000
innodb_file_per_table=1
plugin-load-add=auth_socket.so
unix_socket=OFF
ssl
ssl-cipher=DHE-RSA-AES256-SHA
ssl-ca=/var/lib/mysql/mysql_keys/ca-cert.pem
ssl-cert=/var/lib/mysql/mysql_keys/server-cert.pem
ssl-key=/var/lib/mysql/mysql_keys/server-key.pem
[client]
ssl-mode=REQUIRED
ssl-cert=/var/lib/mysql//mysql_keys/client-cert.pem
ssl-key=/var/lib/mysql/mysql_keys/client-key.pem
-
Thanks, I'll give it a go outside of business hours and let you know how it goes.
-
I tried it in the /etc/mysql/my.cnf file, no errors in the mysql log!
Log says
2025-02-24T08:29:25.922871Z 0 [Warning] [MY-010068] [Server] CA certificate ca.pem is self signed.
2025-02-24T08:29:25.922906Z 0 [System] [MY-013602] [Server] Channel mysql_main configured to support TLS. Encrypted connections are now supported for this channel.
But my PHP applications still crash.
At least that's some progress.
-
That's good to hear - at least the MySQL side of things is working normally now!
You'll want to check the main Apache log at /etc/apache2/logs/error_log to see why the PHP applications are experiencing issues.
-
I ran up a dummy database on my cPanel web server, configured it for SSL and could connect straight away with MySQLi, and after changing the hostname to 127.0.0.1 I could connect with PDO.
So I just have to work out why I can't get the same results using my production database server.