I have MariaDB set up on my Ubuntu 18.04 LTS system.
I had a backup script working without a problem, but somewhere in the updates it stopped working. I didn't notice at first, because who watches backups when they've worked reliably for ages?
But now I've noticed that backups have stopped working, and when I try to emulate the start of the backup command I get the error:
```
ERROR 2026 (HY000): SSL connection error: self signed certificate in certificate chain
```
Using the command I've used without problem previously suddenly gives an error:
```
$ mysql -u root -p################################ -N -e 'show databases'
ERROR 2026 (HY000): SSL connection error: self signed certificate in certificate chain
```
Even if I do a simple login I get the same error:
```
$ mysql -u root -p
Enter password:
ERROR 2026 (HY000): SSL connection error: self signed certificate in certificate chain
```
A few months ago I didn't have any issues with running mysql on the server via the command line. Somewhere, updates must have changed this, but I don't know what changed it.
I really can't execute any meaningful command with mysql without it balking about the certificate chain.
My version:
```
$ mysql -V
mysql Ver 15.1 Distrib 10.3.22-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2
```
When I connect from my work machine to the server with the certificate that's installed I have no issues connecting to the database. So the certificate works for the mysql server. It seems to be a pure command line mysql issue.
I've updated everything in apt-get and apt, there are 0 updates available.
```
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-88-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Tue Mar 3 16:20:40 GMT 2020
System load: 0.89 Processes: 209
Usage of /: 5.5% of 3.58TB Users logged in: 0
Memory usage: 12% IP address for eth0: ###.###.###.###
Swap usage: 0%
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
0 packages can be updated.
0 updates are security updates.
```
The /etc/mysql/my.cnf:
```
# MariaDB-specific config file.
# Read by /etc/mysql/my.cnf
[client]
# Default is Latin1, if you need UTF-8 set this (also in server section)
#default-character-set = utf8
#ojiaergoijboij = halksjd
#nduks =- ksjdfljsd
[mysql]
ssl-ca=/etc/mysql/ssl/ca.pem
#ssl-cert=/etc/mysql/ssl/client-cert.pem
#ssl-key=/etc/mysql/ssl/client-key.pem
[mysqld]
#
# * Character sets
#
# Default is Latin1, if you need UTF-8 set all this (also in client section)
#
#character-set-server = utf8
#collation-server = utf8_general_ci
#character_set_server = utf8
#collation_server = utf8_general_ci
# Import all .cnf files from configuration directory
!includedir /etc/mysql/mariadb.conf.d/
innodb_flush_log_at_trx_commit=2
innodb_file_per_table=1
innodb_buffer_pool_size=8G
thread_cache_size=10
skip-name-resolve
#query_cache_type=1
#query_cache_limit=256k
#query_cache_min_res_unit=2k
#query_cache_size=80M
tmp_table_size=256M
max_heap_table_size=256M
query_cache_size=0
query_cache_type=0
ssl
ssl-ca=/etc/mysql/ssl/ca-cert.pem
ssl-cert=/etc/mysql/ssl/server-cert.pem
ssl-key=/etc/mysql/ssl/server-key.pem
```
When I verify the certificates they come out OK:
```
openssl verify -CAfile /etc/mysql/ssl/ca-cert.pem /etc/mysql/ssl/server-cert.pem /etc/mysql/ssl/client-cert.pem
/etc/mysql/ssl/server-cert.pem: OK
/etc/mysql/ssl/client-cert.pem: OK
You have new mail in /var/mail/root
```
Is this something that I can solve with a mysql flag? Or is this something I need to solve in the OpenSSL settings?
I've tried googling, but the closest to the symptoms I could find was a question from 2012.
Best Answer
In the end, it was the most common of errors possible.
Human, more specifically me.
Previously, I had commented out the client certificates in the my.cnf but somehow neglected to comment out the root certificate.
This triggered the error.
By commenting out the root certificate the problem was resolved. Perhaps previous versions of mariadb were more forgiving.
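A check for the mismatch described in this answer, as an added example that is not part of the original post: in the question's my.cnf the `[mysql]` section trusts `ca.pem` while `[mysqld]` uses `ca-cert.pem`, and the `openssl verify` run in the question only tested `ca-cert.pem`. The script reads both sides from an option file and verifies the server certificate against the CA the client actually trusts; the helper names (`cnf_get`, `check_client_ca`, `sample_cnf`) are hypothetical, and `!includedir` files are not followed.

```shell
# Added example, not from the original post; helper names are hypothetical.

# cnf_get FILE SECTION KEY: print the last value of KEY set inside [SECTION].
# Does not follow !include / !includedir directives.
cnf_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/   { gsub(/[ \t]/, ""); cur = $0; next }   # section header
        /^[ \t]*[#;]/ { next }                                 # comment line
        cur == sec {
            i = index($0, "="); if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            gsub(/_/, "-", k)              # ssl_ca and ssl-ca are the same option
            if (k == key) val = v
        }
        END { if (val != "") print val }' "$1"
}

# check_client_ca FILE: 0 if the CA the mysql client trusts validates the server
# certificate, 1 if it does not, 2 if the client side sets no ssl-ca at all.
check_client_ca() {
    client_ca=$(cnf_get "$1" mysql ssl-ca)          # [mysql] is read by the CLI
    [ -n "$client_ca" ] || client_ca=$(cnf_get "$1" client ssl-ca)
    server_cert=$(cnf_get "$1" mysqld ssl-cert)
    if [ -z "$client_ca" ]; then
        echo "no client ssl-ca: the server certificate chain is not checked"; return 2
    fi
    echo "client ssl-ca=$client_ca server ssl-ca=$(cnf_get "$1" mysqld ssl-ca)"
    if openssl verify -CAfile "$client_ca" "$server_cert" >/dev/null 2>&1; then
        echo "OK: client CA validates $server_cert"; return 0
    fi
    echo "FAIL: $client_ca does not validate $server_cert"; return 1
}

# Constructed sample: the TLS lines of the my.cnf shown in the question.
sample_cnf() {
    cat <<'EOF'
[mysql]
ssl-ca=/etc/mysql/ssl/ca.pem
#ssl-cert=/etc/mysql/ssl/client-cert.pem
[mysqld]
ssl
ssl-ca=/etc/mysql/ssl/ca-cert.pem
ssl-cert=/etc/mysql/ssl/server-cert.pem
EOF
}

# Usage: sh check_ca.sh /etc/mysql/my.cnf
if [ -n "${1:-}" ]; then check_client_ca "$1"; fi
```

Exit status 2 corresponds to the state after the fix in this answer: with `ssl-ca` commented out on the client side, the error disappears because the client has no CA left to check the server certificate against.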