Mysql – SSL Configuration fails with a warning MySQL 8.0

mysql-8.0 ssl

Hi, I am trying to set up a MySQL server 8.0.16 on RHEL 7.5. The configuration I am willing to include for this server contains SSL-related options.

The MySQL server is initialized but with a warning related to SSL, which is as follows:

mysqld --defaults-file=/mysql_data/config/options.cnf --initialize --user=mysql &

[root@BFLBRESRV03 ~]#  100
 100 200 300 400 500
 100 200 300 400 500
 100
2019-12-13T13:04:14.071486Z 0 [Warning] [MY-011070] [Server] 'Disabling symbolic links using --skip-symbolic-links (or equivalent) is the default. Consider not using this option as it' is deprecated and will be removed in a future release.
2019-12-13T13:04:14.071739Z 0 [System] [MY-013169] [Server] /mysql_binaries/mysql/mysql-server-8.0.16/bin/mysqld (mysqld 8.0.16-commercial) initializing of server in progress as process 962
2019-12-13T13:04:19.318987Z 0 [Warning] [MY-010069] [Server] Failed to set up SSL because of the following SSL library error: SSL_CTX_set_default_verify_paths failed
2019-12-13T13:04:19.498482Z 5 [Note] [MY-010454] [Server] A temporary password is generated for root@localhost: geY0lgrNZd+u
2019-12-13T13:04:20.958898Z 0 [System] [MY-013170] [Server] /mysql_binaries/mysql/mysql-server-8.0.16/bin/mysqld (mysqld 8.0.16-commercial) initializing of server has completed

[1]+  Done                    mysqld --defaults-file=/mysql_data/config/options.cnf --initialize --user=mysql

[Warning] [MY-010069] [Server] Failed to set up SSL because of the following SSL library error: SSL_CTX_set_default_verify_paths failed

The directory does not contain the ca.pem file but it does contain private_key.pem, and public_key.pem.

My options file contains the following SSL configuration:

[mysqld]
#       SSL     #
ssl-cipher               = DHE-RSA-AES256-SHA
ssl_ca                   = /mysql_data/ssl-certs/ca.pem
ssl_cert                 = /mysql_data/ssl-certs/server-cert.pem
ssl_key                  = /mysql_data/ssl-certs/server-key.pem
require_secure_transport = ON
tls_version              = TLSv1.2

If I initialize the server without the ssl-ca, ssl-cert and ssl-key options, the server is successfully initialized without any warnings and the data directory contains the files ca-key.pem, client-cert.pem, public_key.pem, server-key.pem, ca.pem, client-key.pem, private_key.pem, server-cert.pem.

Kindly help me understand what mistake I am making. What is the warning about, and why was the ca.pem certificate file not created?

Can I create the SSL certificates in directories other than the data directory?

I know I can later create the certificates using openssl or mysql_ssl_rsa_setup.

https://serverfault.com/questions/839650/mysql-ssl-ssl-ctx-set-default-verify-paths-failed

My SELinux is in PERMISSIVE mode.

MySQL ssl setup failed

The directory for SSL certificates that I was using, /mysql_data/ssl-certs, is owned by the mysql user and group.

Best Answer

It was a silly mistake.

I was referring to certificates which didn't exist, and I was using the wrong directory name.

First, one must create the certificates using mysql_ssl_rsa_setup/openssl and place them in the designated directory.

mysql_ssl_rsa_setup --datadir=/mysql_data/ssl_certs --uid=mysql

Use the following configuration under the [mysqld] section:

ssl-ca=/mysql_data/ssl_certs/ca.pem
ssl-key=/mysql_data/ssl_certs/server-key.pem
ssl-cert=/mysql_data/ssl_certs/server-cert.pem

Then initialise the database using:

mysqld --defaults-file=/mysql_data/config/options.cnf --user=mysql --initialize

In my case even this did not work.

The mistake I was making was using an incorrect directory name; I was using /mysql_data/ssl-certs instead of the correct one, /mysql_data/ssl_certs.
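
Because mysqld only logs warning MY-010069 when the configured TLS files are missing, a pre-flight check of the options file catches a wrong path before initialization. The script below is an added example, not part of the original post or of MySQL: the function names are hypothetical, and a temporary directory with placeholder files stands in for /mysql_data.

```sh
# Added example: verify the TLS files named in [mysqld] exist before running mysqld.

# Print "option path" for ssl_ca / ssl_cert / ssl_key in [mysqld].
# MySQL treats '-' and '_' in option names as equivalent, so accept both.
mysqld_ssl_paths() {
  awk '
    /^[ \t]*\[/ { in_mysqld = ($0 ~ /^[ \t]*\[mysqld\]/); next }
    in_mysqld && /^[ \t]*ssl[-_](ca|cert|key)[ \t]*=/ {
      key = substr($0, 1, index($0, "=") - 1)
      val = substr($0, index($0, "=") + 1)
      gsub(/[ \t]/, "", key); gsub(/-/, "_", key)
      gsub(/^[ \t]+|[ \t]+$/, "", val)
      print key, val
    }' "$1"
}

# Return 0 only if every configured file is present, non-empty and readable.
check_mysqld_ssl_paths() {
  status=0
  paths=$(mysqld_ssl_paths "$1")
  while read -r key path; do
    [ -n "$key" ] || continue
    if [ -r "$path" ] && [ -s "$path" ]; then
      echo "ok       $key = $path"
    else
      echo "MISSING  $key = $path"
      status=1
    fi
  done <<EOF
$paths
EOF
  return "$status"
}

# Constructed demo of the mistake on this page: the files are in ssl_certs,
# but the options file points at ssl-certs.
demo=$(mktemp -d)
mkdir "$demo/ssl_certs"
for f in ca.pem server-cert.pem server-key.pem; do
  echo "placeholder" > "$demo/ssl_certs/$f"
done
write_cnf() {  # $1 = output file, $2 = certificate directory name
  printf '[mysqld]\nssl_ca = %s/%s/ca.pem\nssl-cert=%s/%s/server-cert.pem\nssl_key\t=\t%s/%s/server-key.pem\n' \
    "$demo" "$2" "$demo" "$2" "$demo" "$2" > "$1"
}
write_cnf "$demo/bad.cnf" ssl-certs
write_cnf "$demo/good.cnf" ssl_certs
check_mysqld_ssl_paths "$demo/bad.cnf" || echo "Fix the paths above before starting mysqld."
```

Run the check as the mysql user, so the readability test reflects the account mysqld runs under.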