I want to enable MySQL SSL. I have all the certificates and keys in /etc/ssl/private/myhost. They are also (successfully) used by Apache2.
I don't have SELinux or AppArmor running.
I configured my.cnf as follows:
#ssl
ssl-ca=/etc/ssl/private/myhost/myhost.ca_bundle
ssl-cert=/etc/ssl/private/myhost/myhost.crt
ssl-key=/etc/ssl/private/myhost/myhost.key
ssl-cipher=DHE-RSA-AES256-SHA
I have set permissions so that users in the ssl-private group can read the files, and added all required daemons (i.e. wwwrun, mysql, postfix) to that group. Permissions look as follows:
myhost:/etc/ssl/private/myhost # l
total 32K
drwxr-xr-x 2 root ssl-private 4,0K lug 14 13:11 .
drwxrwx--- 4 root ssl-private 4,0K lug 14 12:32 ..
-rw-r--r-- 1 root ssl-private 1,5K mag 30 2000 AddTrustExternalCARoot.crt
-rw-r--r-- 1 root ssl-private 3,3K lug 14 13:11 myhost.ca_bundle
-rw-r--r-- 1 root ssl-private 2,1K lug 13 22:00 myhost.crt
-rw-r--r-- 1 root ssl-private 1,8K lug 14 12:41 myhost.csr
-rw-r----- 1 root ssl-private 3,2K lug 14 12:36 myhost.key
-rw-r--r-- 1 root ssl-private 1,8K feb 15 23:00 PositiveSSLCA2.crt
I also copied and pasted the path of the certificate file from my.cnf into the command sudo -u mysql cat /etc/ssl/private/myhost/myhost.crt and it displayed my certificate. The same command worked for the key.
But finally, when I start MySQL, I get the following error:
SSL error: Unable to get certificate from '/etc/ssl/private/myhost/myhost.crt'
120814 14:20:37 [Warning] Failed to setup SSL
120814 14:20:37 [Warning] SSL error: Unable to get certificate
How can I fix that?
The problem lies in file ownership. I have seen the same with dkimproxy and have been able to resolve it for that specific application. Since the SSL certificates directory is owned by group ssl-private and since mysqld-safe runs as the mysql group, Linux won't allow reading the private key. With dkim I successfully forced the program to run as a different group by editing the init script.

Solution 1 (fastest)
Make a copy of the certificates/keys directory and chown it to mysql:mysql. This requires synchronizing the copies of the keys at every renewal. It is perfectly scalable across applications and number of servers (suppose the same certificate is used by other apps too, for example Postfix) as long as one updates the certificates with a script or a checklist (so you won't forget to copy certificates to a certain app).

Option 2
Ask on superuser.com :) how to share the same files between multiple groups.