
Re: Enable SSL Connection
Posted by: Samson Lin
Date: September 19, 2019 02:14AM

I followed your suggestion and used 'mysql_ssl_rsa_setup' to generate the server cert.

# cd /etc/certs
# rm -f *
# /usr/bin/mysql_ssl_rsa_setup --datadir /etc/certs
Generating a 2048 bit RSA private key
writing new private key to 'ca-key.pem'
-----
Generating a 2048 bit RSA private key
writing new private key to 'server-key.pem'
-----
Generating a 2048 bit RSA private key
writing new private key to 'client-key.pem'
-----

As all certificates and keys are owned by root, I changed the user and group ownership to 'mysql':

# chown mysql:mysql *
# ll
total 32
-rw-r--r--. 1 mysql mysql 1196 Sep 18 17:34 ca-cert.pem
-rw-------. 1 mysql mysql 1704 Sep 18 17:33 ca-key.pem
-rw-r--r--. 1 mysql mysql 1103 Sep 18 17:40 client-cert.pem
-rw-r--r--. 1 mysql mysql 1704 Sep 18 17:39 client-key.pem
-rw-r--r--. 1 mysql mysql 976 Sep 18 17:39 client-req.pem
-rw-r-----. 1 mysql mysql 1082 Sep 18 17:37 server-cert.pem
-rw-r-----. 1 mysql mysql 1704 Sep 18 17:37 server-key.pem
-rw-r-----. 1 mysql mysql 956 Sep 18 17:35 server-req.pem

Then I verified the server cert and key. They have the same modulus:

# openssl x509 -noout -modulus -in server-cert.pem | md5sum
069202bb3fc797a50060100c070695f3 -
# openssl rsa -noout -modulus -in server-key.pem | md5sum
069202bb3fc797a50060100c070695f3 -

I updated my.cnf as follows:

[mysqld]
ssl-ca=/etc/certs/ca.pem
ssl-cert=/etc/certs/server-cert.pem
ssl-key=/etc/certs/server-key.pem

Then I restarted mysqld:

# systemctl restart mysqld

From /var/log/mysqld.log, I still found the following error messages:

.....
2019-09-19T08:05:26.828625Z 0 [ERROR] SSL error: Unable to get private key from '/etc/certs/server-key.pem'
2019-09-19T08:05:26.828654Z 0 [Warning] Failed to set up SSL because of the following SSL library error: Unable to get private key
.....
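
Added example, not part of the original post: a preflight check that reads the ssl-ca, ssl-cert and ssl-key paths from the [mysqld] section of a my.cnf-style file and reports any path that does not exist, or a server key that users other than owner and group can access. The function names are hypothetical, and the sample in `demo` is constructed: empty files named as in the listing above, with the three configured paths rebased under a temporary directory.

```sh
# Added example, not from the original post; function names are hypothetical.
# Print "option path" for each ssl-ca / ssl-cert / ssl-key line under [mysqld].
ssl_paths() {
    awk '
        /^[ \t]*\[/ { in_mysqld = ($0 ~ /^[ \t]*\[mysqld\]/); next }
        in_mysqld && /^[ \t]*ssl[-_](ca|cert|key)[ \t]*=/ {
            eq = index($0, "=")
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/[ \t]/, "", k); gsub(/_/, "-", k)
            gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            print k, v
        }' "$1"
}

# One finding per line; exit status 0 only when there are no findings.
check_ssl_paths() {
    findings=0
    while read -r opt path; do
        [ -n "$opt" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING $opt $path"; findings=$((findings + 1))
        elif [ "$opt" = ssl-key ] && [ "$(ls -ld "$path" | cut -c8-10)" != "---" ]; then
            echo "WORLD-ACCESSIBLE $opt $path"; findings=$((findings + 1))
        fi
    done <<EOF
$(ssl_paths "$1")
EOF
    [ "$findings" -eq 0 ]
}

# Exit status 0 only when certificate $1 and RSA key $2 share a modulus.
key_matches_cert() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Constructed sample: empty files named as in the post's listing, plus a config
# with the post's three options rebased under a temporary directory.
demo() {
    d=$(mktemp -d)
    for f in ca-cert.pem server-cert.pem server-key.pem; do : > "$d/$f"; done
    chmod 640 "$d/server-key.pem"
    printf '[mysqld]\nssl-ca=%s/ca.pem\nssl-cert=%s/server-cert.pem\nssl-key=%s/server-key.pem\n' \
        "$d" "$d" "$d" > "$d/my.cnf"
    check_ssl_paths "$d/my.cnf"; rc=$?
    rm -rf "$d"; return "$rc"
}
if [ "$#" -gt 0 ]; then check_ssl_paths "$1"; else demo || true; fi
```

Pass a config file as the first argument to check real paths; `key_matches_cert` performs the same modulus comparison as the md5sum commands above and is called separately with the certificate and key paths.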
