Results 1 to 10 of 10

Thread: mysql ssl won't enable

Hybrid View

  1. #1
    Join Date
    Apr 2009
    Beans
    7

    Talking [solved] mysql ssl won't enable

    I'm trying to get SSL enabled for MySQL on one of my servers. I have it enabled on my other server and it was easy enough to do. But for whatever reason, mysqld on this server just won't cooperate. Here's what

    Code:
    show variables like "%ssl%";
    gives me:
    Code:
    +---------------+-----------------------+
    | Variable_name | Value                 |
    +---------------+-----------------------+
    | have_openssl  | DISABLED              |
    | have_ssl      | DISABLED              |
    | ssl_ca        | /etc/mysql/ca.crt     |
    | ssl_capath    |                       |
    | ssl_cert      | /etc/mysql/server.crt |
    | ssl_cipher    | DHE-RSA-AES256-SHA    |
    | ssl_key       | /etc/mysql/server.key |
    +---------------+-----------------------+
    I've tried verifying my certificate:
    Code:
    $ openssl verify -verbose  -CAfile ca.crt server.crt
    server.crt: OK
    And I've tried copying the keys and ssl config to the other server (it works).

    Here's the relevant section of my.cnf:
    Code:
    #ssl
    ssl-ca=/etc/mysql/ca.crt
    ssl-cert=/etc/mysql/server.crt
    ssl-key=/etc/mysql/server.key
    ssl-cipher=DHE-RSA-AES256-SHA
    I've tried uncommenting the top "ssl" line but it has no effect. I know this will turn out to be some silly little thing that's been staring me in the face, and any hints, tips, or trick will be greatly appreciated.
    Last edited by reverendryan; April 10th, 2009 at 06:47 PM.

  2. #2
    Join Date
    Apr 2008
    Location
    Far, far away
    Beans
    2,148
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: mysql ssl won't enable

    Have a look in the mysql log or post relevant parts here. If it's failing then there should be reasons logged there.

  3. #3
    Join Date
    Apr 2009
    Beans
    7

    Re: mysql ssl won't enable

    I'd been watching /var/log/mysql.err and it's always been empty, but I just noticed a comment in my.cnf saying it would be in the syslog...

    Here's what I found:
    Code:
    localhost mysqld[14787]: SSL error: Unable to get certificate from '/etc/mysql/server.crt'
    localhost mysqld[14787]: 090409 22:36:59 [Warning] Failed to setup SSL
    localhost kernel: [12505738.400344] audit(1239340107.624:15): type=1503 operation="inode_permission" requested_mask="::r" denied_mask="::r" name="/etc/mysql/ca.crt" pid=14206 profile="/usr/sbin/mysqld" namespace="default"
    localhost kernel: [12506321.504917] audit(1239340691.683:18): type=1503 operation="inode_permission" requested_mask="::r" denied_mask="::r" name="/etc/mysql/server.crt" pid=14406 profile="/usr/sbin/mysqld" namespace="default"
    My first thought was that it's a permissions problem, but I don't think so:
    Code:
    $ ls -lZ ca.crt server.crt
    -rw-r--r--  1 mysql users ? 2431 2009-03-29 00:23 ca.crt
    -rw-r--r--  1 mysql users ? 2049 2009-03-29 00:23 server.crt
    The error almost sounds like an SELinux context issue, but SELinux doesn't seem to be installed.
    Last edited by reverendryan; April 10th, 2009 at 05:36 PM. Reason: took dates out of syslog, made it easier to read.

  4. #4
    Join Date
    Apr 2009
    Beans
    7

    [solved] Re: mysql ssl won't enable

    Turns out it was apparmor that was doing it.

    Here's my /etc/apparmor.d/usr.sbin.mysqld, my changes bolded

    Code:
    /usr/sbin/mysqld {
      #include <abstractions/base>
      #include <abstractions/nameservice>
      #include <abstractions/user-tmp>
      #include <abstractions/mysql>
    
      capability dac_override,
      capability setgid,
      capability setuid,
    
      /etc/hosts.allow r,
      /etc/hosts.deny r,
    
      /etc/group              m,
      /etc/passwd             m,
    
      /etc/mysql/*.pem r,
      /etc/mysql/*.crt r,
      /etc/mysql/*.key r,
      /etc/mysql/conf.d/ r,
      /etc/mysql/conf.d/* r,
      /etc/mysql/my.cnf r,
      /usr/sbin/mysqld mr,
      /usr/share/mysql/** r,
      /var/lib/mysql/ r,
      /var/lib/mysql/** rwk,
      /var/log/mysql/ r,
      /var/log/mysql/* rw,
      /var/run/mysqld/mysqld.pid w,
      /var/run/mysqld/mysqld.sock w,
    }

  5. #5
    Join Date
    Apr 2008
    Location
    Far, far away
    Beans
    2,148
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: [solved] Re: mysql ssl won't enable

    I wonder if that's something new. I've always put my certs in /var/local/ssl/certs and never had any apparmor issues. This could just because you wanted to put them in /etc/mysql and that's now protected. I don't know much about apparmor so just guessing.

  6. #6
    Join Date
    Dec 2009
    Beans
    1
    Distro
    Ubuntu Studio 9.04 Jaunty Jackalope

    Re: mysql ssl won't enable

    I had the same problem and found the ssl-cipher setting I was using was the problem. I'm posting in case anyone else runs into this problem.

    Code:
    show variables like "%ssl%";
    for me also resulted in:

    Code:
    +---------------+----------------------------+
    | Variable_name | Value                      |
    +---------------+----------------------------+
    | have_openssl  | DISABLED                   |
    | have_ssl      | DISABLED                   |
    | ssl_ca        | /etc/mysql/ca-cert.pem     |
    | ssl_capath    |                            |
    | ssl_cert      | /etc/mysql/server-cert.pem |
    | ssl_cipher    | ALL                        |
    | ssl_key       | /etc/mysql/server-key.pem  |
    +---------------+----------------------------+
    Out of desperation I commented out different combinations of the ssl-* settings. When I commented out the ssl-cipher=ALL line (which I copied from MySQL.com), lo and behold SSL works.

    My current settings (note commented out ssl-cipher=ALL
    Code:
    [mysqld]
    ...
    ssl-ca=/etc/mysql/ca-cert.pem
    ssl-cert=/etc/mysql/server-cert.pem
    ssl-key=/etc/mysql/server-key.pem
    #ssl-cipher=ALL
    My current show variables like "%ssl%" results:

    Code:
    +---------------+----------------------------+
    | Variable_name | Value                      |
    +---------------+----------------------------+
    | have_openssl  | YES                        |
    | have_ssl      | YES                        |
    | ssl_ca        | /etc/mysql/ca-cert.pem     |
    | ssl_capath    |                            |
    | ssl_cert      | /etc/mysql/server-cert.pem |
    | ssl_cipher    |                            |
    | ssl_key       | /etc/mysql/server-key.pem  |
    +---------------+----------------------------+

  7. #7
    Join Date
    Oct 2009
    Location
    Tripoli, Libya
    Beans
    12
    Distro
    Kubuntu 10.10 Maverick Meerkat

    Re: [solved] Re: mysql ssl won't enable

    In my case it was apparmor, and my certificates was placed in sub folder, so I added the
    Code:
    full path:
    /etc/mysql/sub/*.pem r,
      /etc/mysql/sub/*.crt r,
      /etc/mysql/sub/*.key r,
    Also, I don't have ssl-cipher in my.cnf

    Thank you

  8. #8
    Join Date
    Jul 2011
    Beans
    5

    Re: mysql ssl won't enable

    I had the exact same problem, rather than editing the apparmor config, I moved the .pem files to /etc/mysql and it works.
    Last edited by kedaar; September 26th, 2011 at 07:28 PM.

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •