- CentOS 7.2.1511
- Linux 3.10.0-123.9.3.el7.x86_64
- MariaDB: 10.1.11
/etc/my.cnf
#
# This group is read both both by the client and the server
# use it for options that affect everything
#
[client-server]
#
# include all files from the config directory
#
!includedir /etc/my.cnf.d
[mysqld]
ssl
ssl-ca = /root/ca.pem
ssl-cert = /root/server-cert.pem
ssl-key = /root/server-key.pem
bind-address = 0.0.0.0
port = 3306
max_allowed_packet = 16M
[mysqldump]
max_allowed_packet = 16M
I started MariaDB with the command:
systemctl start mysql
Then I logged in to mysql as root and typed status, which shows SSL Not in use. Then I typed:
show variables like '%ssl%';
And I got a table:
+---------------------+---------------------------------+
| Variable_name       | Value                           |
+---------------------+---------------------------------+
| have_openssl        | YES                             |
| have_ssl            | DISABLED                        |
| ssl_ca              | /root/ca.pem                    |
| ssl_capath          |                                 |
| ssl_cert            | /root/server-cert.pem           |
| ssl_cipher          |                                 |
| ssl_crl             |                                 |
| ssl_crlpath         |                                 |
| ssl_key             | /root/server-key.pem            |
| version_ssl_library | OpenSSL 1.0.1e-fips 11 Feb 2013 |
+---------------------+---------------------------------+
Finally, I even tried to log in with SSL, and it obviously failed.
UPDATE
Here are some warning messages in the error log file:
[Warning] Failed to setup SSL
[Warning] SSL error: SSL_CTX_set_default_verify_paths failed
[Warning] SSL error: error:0200100D:system library:fopen:Permission denied
[Warning] SSL error: error:2006D002:BIO_new_file:system lib
[warning] SSL error: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib
Best Answer
MariaDB is not allowed to access files in root's home directory /root. Thus, the CA, certificate and private key files are unreadable.
The standard locations for these files on RHEL are in directories under /etc/pki: /etc/pki/CA, /etc/pki/tls/certs and /etc/pki/tls/private. If you copy them here, and set the proper ownership and permissions so that MariaDB can read them, you will find that it works. Alternately, you can place the certificates and private key file in a subdirectory of /etc/mysql.
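The condition the answer describes can be checked before restarting the server. The following is an added example, not part of the original question or answer: it reads the ssl-ca, ssl-cert and ssl-key paths from a my.cnf and reports the first path component a given account cannot pass. It evaluates classic mode bits for a non-root account only (ACLs and SELinux are not considered), and the function names are illustrative.

```python
import os
# [mysqld] SSL settings as posted in the question's /etc/my.cnf.
QUESTION_CNF = """\
[mysqld]
ssl
ssl-ca = /root/ca.pem
ssl-cert = /root/server-cert.pem
ssl-key = /root/server-key.pem
"""

def ssl_paths(cnf_text):
    """Return {option: path} for ssl-ca/ssl-cert/ssl-key in [mysqld]."""
    section, found = None, {}
    for line in (l.strip() for l in cnf_text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "mysqld" and "=" in line and line[0] not in "#;!":
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.replace("_", "-")      # ssl_ca and ssl-ca are equivalent
            if key in ("ssl-ca", "ssl-cert", "ssl-key"):
                found[key] = value
    return found

def allowed(st, uid, gids, want):
    """Owner/group/other mode-bit check for a non-root uid (read=4, search=1)."""
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    return (st.st_mode >> shift) & want == want

def first_blocker(path, uid, gids):
    """Walk from / down to path; return the first component uid cannot pass, else None."""
    target = os.path.realpath(path)
    chain = [target]
    while os.path.dirname(chain[-1]) != chain[-1]:
        chain.append(os.path.dirname(chain[-1]))
    for component in reversed(chain):
        try:
            st = os.stat(component)
        except OSError:          # missing, or not visible to the caller
            return component
        # Directories need search (x); the file itself needs read (r).
        if not allowed(st, uid, gids, 4 if component == target else 1):
            return component
    return None

def audit(cnf_text, uid, gids):
    return {o: first_blocker(p, uid, gids) for o, p in ssl_paths(cnf_text).items()}

if __name__ == "__main__":   # demo: audits the current user, not mysqld's account
    print(audit(QUESTION_CNF, os.getuid(), set(os.getgroups())))
```

On the server, pass the uid and group ids of the account mysqld runs as; a result of /root for every option corresponds to the fopen "Permission denied" warnings in the error log.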