MySQL Forums
Forum List  »  Security

Re: Unable to SSL i
Posted by: Georgi Kodinov
Date: September 13, 2021 01:50AM

I think I've found the culprit. Looks like your CA certificate is either not present or is is not valid, as exemplified by the following error:

2021-09-12T01:20:46.281999Z 0 [Warning] [MY-013595] [Server] Failed to initialize TLS for channel: mysql_main. See below for the description of exact issue.
2021-09-12T01:20:46.282220Z 0 [Warning] [MY-010069] [Server] Failed to set up SSL because of the following SSL library error: SSL_CTX_set_default_verify_paths failed

Please check if you actually have /etc/certs/ca.pem and if it's a valid CA certificate that is used to sign the server cert.

This is what a valid (mysqld auto-generated) self-signed certificate looks on my box:

C:\Users\GKODINOV\dev\mysql-8.0\bld\x>openssl x509 -in ca.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = MySQL_Server_8.0.28_Auto_Generated_CA_Certificate
Validity
Not Before: Sep 10 14:08:16 2021 GMT
Not After : Sep 8 14:08:16 2031 GMT
Subject: CN = MySQL_Server_8.0.28_Auto_Generated_CA_Certificate
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:e5:90:13:fb:9b:80:bd:5d:a0:8e:32:1d:d9:4c:
ae:ea:22:2c:d1:e8:0e:85:be:3e:55:66:ba:2e:4c:
5c:10:a8:4b:5a:b6:8a:b0:0c:77:4b:57:25:6b:e4:
0d:25:0d:f8:f5:34:f3:52:b0:44:d3:9c:24:1f:a9:
c3:c1:45:de:5c:5b:29:33:ce:3f:5e:01:aa:56:93:
e6:0c:4b:fc:ef:35:79:98:d9:91:c1:99:7e:7c:ef:
6d:28:ec:51:4c:0c:a1:0f:f7:e6:5b:6c:36:cc:ac:
a3:86:ab:c0:d0:44:0a:17:3e:b8:1a:5e:e6:44:00:
67:c0:a2:15:a7:47:cf:a4:b0:e0:b4:4d:65:df:63:
ee:aa:6c:95:00:c6:9a:eb:ed:67:8f:73:e8:24:81:
8f:1a:c0:59:51:38:64:c9:41:fd:c1:a1:4d:94:1d:
b7:74:27:ba:3b:31:98:5c:5c:fd:dd:7f:a6:cb:f0:
7b:21:65:79:03:5d:96:e8:d1:f6:0e:1f:e5:93:dc:
75:ff:87:41:e4:fc:a7:a4:a3:4d:8a:e7:ba:c4:cb:
b6:63:23:92:dc:6e:25:19:1c:10:89:d9:ba:95:c4:
84:76:91:73:08:f6:cc:fd:a4:99:eb:f9:05:2b:9f:
9b:70:e9:b5:aa:99:fc:31:11:a8:b9:a2:80:c5:e3:
c4:01
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
c8:03:e3:e3:92:36:f2:c6:66:28:65:d2:04:49:08:57:c7:f3:
dc:8b:2a:14:86:2b:b1:48:91:f1:74:c3:e4:e3:aa:42:29:90:
fa:ed:b5:64:97:c8:55:0f:60:1c:86:5e:ea:45:be:6e:b8:87:
5b:77:af:d7:30:f1:69:01:d4:fb:18:67:61:70:ae:58:66:30:
55:86:a5:2b:fd:48:bb:c4:d8:51:72:8d:af:fd:6c:bb:9e:26:
bd:7c:8d:2c:f9:9c:7d:5a:08:37:3d:d4:b8:7e:20:47:df:78:
fc:ef:2e:76:c7:ae:bf:88:a8:68:e6:59:34:31:85:c1:86:6b:
96:70:1b:a0:cb:87:b5:51:7b:88:4a:27:1d:26:8a:55:e7:cb:
01:7f:cb:82:0d:48:94:b6:8e:3c:9f:8e:86:d9:e9:27:13:85:
7f:a3:78:91:51:1e:b0:6f:a3:74:95:4f:0a:f6:05:23:ee:d0:
72:f9:c6:3f:ac:ab:56:cf:b8:cc:9b:27:3a:cb:88:4f:08:ab:
fd:e0:81:f2:17:f5:57:69:30:a7:6f:9b:d4:2a:3b:a5:d9:68:
a6:83:2f:55:b7:c1:d9:06:6e:81:b3:db:6d:e5:8b:7d:ee:4f:
ef:bc:4a:eb:dc:14:fa:1d:31:5c:63:78:4b:ee:ba:af:4f:f4:
5a:7b:9d:f9

Another suggestion is to consider leaving the mysqld ssl configuration to its defaults (and allowing the server to auto-generate the certs). It's currently disabled, as show by the following line in the log:

2021-09-12T01:20:46.280945Z 0 [Note] [MY-010303] [Server] Skipping generation of SSL certificates as options related to SSL are specified.

Georgi "Joro" Kodinov
MySQL SrvGen team lead
Plovdiv, Bulgaria

Options: ReplyQuote


Subject
Views
Written By
Posted
849
September 10, 2021 10:54PM
437
September 11, 2021 04:27AM
959
September 11, 2021 07:24PM
Re: Unable to SSL i
753
September 13, 2021 01:50AM
516
September 14, 2021 10:30PM
448
September 15, 2021 01:23AM


Sorry, you can't reply to this topic. It has been closed.

Content reproduced on this site is the property of the respective copyright holders. It is not reviewed in advance by Oracle and does not necessarily represent the opinion of Oracle or any other party.