Tim Dunphy wrote:
The mysqld process runs as the mysql user. Its parent, which is mysqld_safe, runs as the root user. That being said, the mysql user needs to have at least read permission to the locations where the SSL files are located. By default on CentOS the /etc/pki/CA/private directory has its directory permissions set to only allow the root user. If the mysql user cannot read all SSL files, SSL will not work.
<snip>
Thanks for your reply! That answer actually makes complete sense. Ok, so here is what I tried, so far without success. I gave the mysql group ownership of all related directories. And changed group permissions so that group can access them:
[root@web2:/etc] #ls -ld /etc/pki/CA
drwxrwxr-x. 6 root mysql 4096 Jan 20 15:58 /etc/pki/CA
[root@web2:/etc] #ls -ld /etc/pki/tls/{private,certs}
drwxrwxr-x. 2 root mysql 4096 Mar 11 22:57 /etc/pki/tls/certs
drwxrwxr-x. 2 root mysql 4096 Mar 11 22:57 /etc/pki/tls/private
Restarted the mariadb service. And when I took another look at the SSL variable, it's still showing that SSL is not enabled:
<snip>
Some of those will *not* work. For example, you will have ssh issues yourself if ~/.ssh is *anything* other than 700.
No: /etc/pki/CA should NOT be group writeable. Ditto for /etc/pki/tls/certs and private.
mark