Issues when configuring MariaDB with SSL

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,262
313
Houston
But if you don't have mysql_keys, that's not going to be relevant for you; the note explains it:

Code:
Note:

In the following examples, /mysql_keys represents the key storage directory.
If you created the certificates in the directory, my assumption is that mysql may not be able to access it. Where did you create it?
 

DennisMidjord

Well-Known Member
Sep 27, 2016
264
35
28
Denmark
cPanel Access Level
Root Administrator
Hi again,

I know that the name of the directory doesn't matter, as long as I just make it persistent.
I did just choose to make the directory /mysql_keys, create and place the files in that folder and then run
Code:
chown -Rf mysql. /mysql_keys
to make sure mysql could read the files.
I added the following to /etc/my.cnf:
Code:
[mysqld]
...
...
ssl-cipher=DHE-RSA-AES256-SHA
ssl-ca=/mysql_keys/ca-cert.pem
ssl-cert=/mysql_keys/server-cert.pem
ssl-key=/mysql_keys/server-key.pem

[client]
ssl-cert=/mysql_keys/client-cert.pem
ssl-key=/mysql_keys/client-key.pem
After restarting MySQL, it still doesn't seem to work.
 

cPanelLauren

Hi @DennisMidjord

I think I'm being unclear, and I apologize. The documentation doesn't note that the full path to mysql_keys needs to be called. It looks like you're just calling /mysql_keys in the my.cnf. What's the full path? That's what should be present in the my.cnf.

Thanks!
 

DennisMidjord

Hi @cPanelLauren
The full path to the keys is /mysql_keys:
Code:
[[email protected] ~]# ls -la /mysql_keys/
total 40
drwxr-xr-x   2 mysql mysql 4096 Oct 10 14:28 .
dr-xr-xr-x. 20 root  root  4096 Oct 10 14:12 ..
-rw-r--r--   1 mysql mysql 1419 Oct 10 14:27 ca-cert.pem
-rw-r--r--   1 mysql mysql 1675 Oct 10 14:27 ca-key.pem
-rw-r--r--   1 mysql mysql 1289 Oct 10 14:28 client-cert.pem
-rw-r--r--   1 mysql mysql 1679 Oct 10 14:29 client-key.pem
-rw-r--r--   1 mysql mysql 1094 Oct 10 14:28 client-req.pem
-rw-r--r--   1 mysql mysql 1289 Oct 10 14:28 server-cert.pem
-rw-r--r--   1 mysql mysql 1679 Oct 10 14:28 server-key.pem
-rw-r--r--   1 mysql mysql 1094 Oct 10 14:28 server-req.pem
I'm not using .htaccess to do anything - it's as soon as I do a mysql command from SSH that it fails.
 

cPanelLauren

Hi @DennisMidjord

This isn't the full path to /mysql_keys; this is the contents of mysql_keys. To get the full path, you can run

Code:
pwd
from the mysql_keys directory.

I'm sorry, I misspoke: you need to put the full path in the my.cnf, not just /mysql_keys.
 

cPanelLauren

Hi @DennisMidjord

The output here
Code:
[[email protected] ~]# ls -la /mysql_keys/
seems to insinuate you're in /root (root's homedir), not /, so my assumption is you created /root/mysql_keys, not /mysql_keys.
 

cPanelLauren

Can you also run:

Code:
mysql --skip-ssl
show variables like '%ssl%';
and provide the output?

For your specific error as well, I wonder: are you running MySQL or MariaDB? There is an issue with MariaDB and SSL connections: MariaDB SSL connection issues

I haven't found anything as of yet for MySQL, though I am curious if 5.7 is also experiencing issues. The version of MySQL here would be important.
 

cPanelLauren

Hi @DennisMidjord

Meaning when you created the certificates you just created them with different details? This would make them inherently different from each other, which I find interesting.
 

DennisMidjord

Hello,

Yes, that's correct. When entering the details for the client certificate, I just changed them up a bit from what I entered for the server certificate, and it worked immediately.
The core of the issue: you've used exactly the same information for both the client and the server certificate (same country, organization, locality, etc.). And OpenSSL doesn't like that.
 
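The diagnosis in the last post can be checked mechanically. The script below is an added example, not part of the original thread: it builds a throwaway CA, server and client certificate set, then reports when two of the certificates share a subject and when a private key is readable by group or others (the `ls -la` listing above shows the key files as `-rw-r--r--`). The `ca`/`server`/`client` file names follow the thread; the subjects, the `demo-*` common names and the function names are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the thread). Subjects and CNs are constructed demo values;
# file names follow the thread's ca/server/client naming.

# issue DIR NAME SUBJECT SERIAL: key + CSR for NAME, signed by the CA in DIR
issue() {
    openssl req -newkey rsa:2048 -nodes -subj "$3" \
        -keyout "$1/$2-key.pem" -out "$1/$2-req.pem" 2>/dev/null &&
    openssl x509 -req -in "$1/$2-req.pem" -days 1 -set_serial "$4" \
        -CA "$1/ca-cert.pem" -CAkey "$1/ca-key.pem" -out "$1/$2-cert.pem" 2>/dev/null
}

# make_set DIR CLIENT_SUBJECT: throwaway CA, server and client certificates
make_set() {
    mkdir -p "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/C=DK/O=Demo/CN=demo-ca" \
        -keyout "$1/ca-key.pem" -out "$1/ca-cert.pem" 2>/dev/null &&
    issue "$1" server "/C=DK/O=Demo/CN=demo-server" 2 &&
    issue "$1" client "$2" 3 &&
    chmod 600 "$1"/*-key.pem    # private keys readable by their owner only
}

# subjects_distinct DIR: succeeds only if the three certificate subjects all differ
subjects_distinct() {
    dupes=$(for c in ca server client; do
                openssl x509 -in "$1/$c-cert.pem" -noout -subject
            done | sort | uniq -d)
    [ -z "$dupes" ] || { echo "duplicate $dupes" >&2; return 1; }
}

# keys_private DIR: fails if any *-key.pem is readable by group or others
keys_private() {
    loose=$(find "$1" -name '*-key.pem' \( -perm -040 -o -perm -004 \))
    [ -z "$loose" ] || { echo "too permissive: $loose" >&2; return 1; }
}

# Demo: the client reuses the server's subject, the situation described above.
demo=$(mktemp -d)
make_set "$demo" "/C=DK/O=Demo/CN=demo-server"
subjects_distinct "$demo" || echo "reissue the client certificate with its own subject"
keys_private "$demo" && echo "key permissions OK"
rm -rf "$demo"
```

To audit an existing key directory, call `subjects_distinct` and `keys_private` with its path; neither function modifies the files it inspects.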