On Thu, Mar 12, 2015 at 10:49 AM Tim Dunphy bluethundr@gmail.com wrote:
No: /etc/pki/CA should NOT be group writeable. Ditto for /etc/pki/tls/certs and private
I agree - sorry, I did not mean to imply that the directory permissions on /etc/pki/CA should be modified. However, it was mentioned as a probable issue for his SSL configuration on mysql/mariadb, not .
OK, yeah, I can understand that. I'll correct it. Still need a way to get SSL enabled, however. Any suggestions there?
Thanks Tim
Here's a test I did on a vanilla CentOS 7 with MariaDB from the stock CentOS repo, first with the locations you chose in your non-working scenario, and second with an alternate location chosen for the SSL key and cert files.
First example:
-- /etc/my.cnf.d/server.cnf
[mysqld]
ssl-key=/etc/pki/CA/private/test-key.pem
ssl-cert=/etc/pki/CA/certs/test-cert.pem
Here are the errors on startup from having the SSL files in that location, which subsequently ends up with SSL being disabled, much like you are experiencing.
-- /var/log/mariadb/mariadb.log
150312 13:37:51 InnoDB: Waiting for the background threads to start
150312 13:37:52 Percona XtraDB (http://www.percona.com) 5.5.40-MariaDB-36.1 started; log sequence number 0
150312 13:37:52 [Note] Plugin 'FEEDBACK' is disabled.
SSL error: Unable to get private key from '/etc/pki/CA/private/test-key.pem'
150312 13:37:52 [Warning] Failed to setup SSL
150312 13:37:52 [Warning] SSL error: Unable to get private key
150312 13:37:52 [Note] Server socket created on IP: '0.0.0.0'.
150312 13:37:52 [Note] Event Scheduler: Loaded 0 events
150312 13:37:52 [Note] /usr/libexec/mysqld: ready for connections.
Version: '5.5.41-MariaDB'  socket: '/var/lib/mysql/mysql.sock'  port: 3306  MariaDB Server

MariaDB [(none)]> show variables like '%ssl%';
+---------------+----------------------------------+
| Variable_name | Value                            |
+---------------+----------------------------------+
| have_openssl  | DISABLED                         |
| have_ssl      | DISABLED                         |
<snip>
Second example:
Here are the results of the SSL key and cert files being moved to another specific location where the mysql user can read those files, and restarting the service:
-- /etc/my.cnf.d/server.cnf
[mysqld]
ssl-key=/etc/mysql/test-key.pem
ssl-cert=/etc/mysql/test-cert.pem

-- /var/log/mariadb/mariadb.log
150312 13:48:19 InnoDB: Waiting for the background threads to start
150312 13:48:20 Percona XtraDB (http://www.percona.com) 5.5.40-MariaDB-36.1 started; log sequence number 1597945
150312 13:48:20 [Note] Plugin 'FEEDBACK' is disabled.
150312 13:48:20 [Note] Server socket created on IP: '0.0.0.0'.
150312 13:48:20 [Note] Event Scheduler: Loaded 0 events
150312 13:48:20 [Note] /usr/libexec/mysqld: ready for connections.
Version: '5.5.41-MariaDB'  socket: '/var/lib/mysql/mysql.sock'  port: 3306  MariaDB Server

MariaDB [(none)]> show variables like '%ssl%';
+---------------+--------------------------+
| Variable_name | Value                    |
+---------------+--------------------------+
| have_openssl  | YES                      |
| have_ssl      | YES                      |
<snip>
If you want to maintain consistency and store the certificates in /etc/pki/*, these are the locations where they can be stored:
# certs, including intermediates
/etc/pki/tls/certs
# keys
/etc/pki/tls/private
Here is the result of a third test:
-- /etc/my.cnf.d/server.cnf
[mysqld]
ssl-key=/etc/pki/tls/private/test-key.pem
ssl-cert=/etc/pki/tls/certs/test-cert.pem

MariaDB [(none)]> show variables like '%ssl%';
+---------------+-----------------------------------+
| Variable_name | Value                             |
+---------------+-----------------------------------+
| have_openssl  | YES                               |
| have_ssl      | YES                               |
| ssl_ca        |                                   |
| ssl_capath    |                                   |
| ssl_cert      | /etc/pki/tls/certs/test-cert.pem  |
| ssl_cipher    |                                   |
| ssl_key       | /etc/pki/tls/private/test-key.pem |
+---------------+-----------------------------------+
Best,
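The three tests above come down to one thing: mysqld drops privileges to the mysql user, so every directory on the way to the key must be searchable by that user and the key itself readable by it, while the earlier point that none of those directories should be group writeable still holds. The script below is an added example written for this thread (not code from the thread, from MariaDB or from the CentOS openssl package) that walks a path the way the kernel does and reports the first component that blocks the server. It assumes uid/gid 27 for mysql (the conventional ids on CentOS 7), ignores SELinux and POSIX ACLs (either can deny what the mode bits allow), and its BROKEN/WORKING/SLOPPY layouts are constructed to mirror the first and third tests rather than captured from a real host; `check_as_me` and the command-line path argument run the same walk against the live filesystem.

```python
#!/usr/bin/env python3
"""Trace whether a server running as the unprivileged 'mysql' user can open an
SSL key: search (x) on each directory, then read (r) on the file.
Added example for the thread, not MariaDB code.  Assumed: uid/gid 27 for
'mysql', no SELinux/ACL layer, and constructed (not captured) layouts below."""
import os
import stat
from collections import namedtuple

Entry = namedtuple("Entry", "path mode uid gid is_dir")
MYSQL_UID, MYSQL_GID = 27, 27  # assumption: CentOS 7's fixed ids for mysql


def collect(path):
    """Stat each component of an absolute path on the live system, root-most first."""
    path = os.path.abspath(path)
    entries, cur = [], ""
    for part in path.split(os.sep)[1:]:
        cur = cur + os.sep + part
        st = os.stat(cur)
        entries.append(Entry(cur, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid,
                             stat.S_ISDIR(st.st_mode)))
    return entries


def _permits(entry, uid, gids, usr, grp, oth):
    """Unix DAC: exactly one class applies (owner, else group, else other); root bypasses."""
    if uid == 0:
        return True
    if entry.uid == uid:
        return bool(entry.mode & usr)
    if entry.gid in gids:
        return bool(entry.mode & grp)
    return bool(entry.mode & oth)


def explain(entries, uid=MYSQL_UID, gids=(MYSQL_GID,)):
    """Return (readable, problems).  Like the kernel's path walk this stops at the
    first directory the user cannot search, which is what a root-owned 0700
    CA/private directory does to mysqld whatever the key file's own mode is."""
    problems = []
    *dirs, leaf = entries
    for d in dirs:
        if not d.is_dir:
            problems.append(f"{d.path}: not a directory")
            break
        if not _permits(d, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            problems.append(f"{d.path}: mode {d.mode:04o}, owner uid {d.uid}: "
                            f"not searchable by uid {uid}")
            break
    if not problems and not _permits(leaf, uid, gids,
                                     stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
        problems.append(f"{leaf.path}: mode {leaf.mode:04o}, owner uid {leaf.uid}: "
                        f"not readable by uid {uid}")
    return not problems, problems


def hygiene(entries):
    """Warnings worth raising even when the server *can* read the key: writable
    directories (the 'should NOT be group writeable' point) and a key every
    local user can read."""
    warnings = []
    *dirs, leaf = entries
    for d in dirs:
        if d.mode & (stat.S_IWGRP | stat.S_IWOTH):
            warnings.append(f"{d.path}: group/world writable ({d.mode:04o})")
    if leaf.mode & stat.S_IROTH:
        warnings.append(f"{leaf.path}: private key is world readable ({leaf.mode:04o})")
    return warnings


def check_as_me(path):
    """Same walk, for the invoking user, against the live filesystem."""
    gids = set(os.getgroups()) | {os.getgid()}
    return explain(collect(path), os.getuid(), gids)[0]


# Constructed layouts (not captured from a host) mirroring the thread's tests.
_TOP = [Entry("/etc", 0o755, 0, 0, True), Entry("/etc/pki", 0o755, 0, 0, True)]
BROKEN = _TOP + [  # first test: key under the CA's private directory
    Entry("/etc/pki/CA", 0o755, 0, 0, True),
    Entry("/etc/pki/CA/private", 0o700, 0, 0, True),  # assumed root-only search bit
    Entry("/etc/pki/CA/private/test-key.pem", 0o600, MYSQL_UID, MYSQL_GID, False),
]
WORKING = _TOP + [  # third test: key under /etc/pki/tls/private, owned by mysql
    Entry("/etc/pki/tls", 0o755, 0, 0, True),
    Entry("/etc/pki/tls/private", 0o755, 0, 0, True),  # searchable by everyone
    Entry("/etc/pki/tls/private/test-key.pem", 0o600, MYSQL_UID, MYSQL_GID, False),
]
SLOPPY = _TOP + [  # "works", but for the wrong reasons
    Entry("/etc/pki/tls", 0o755, 0, 0, True),
    Entry("/etc/pki/tls/private", 0o775, 0, 0, True),  # group writable
    Entry("/etc/pki/tls/private/test-key.pem", 0o644, 0, 0, False),  # world readable
]

if __name__ == "__main__":
    import sys
    target = collect(sys.argv[1]) if len(sys.argv) > 1 else BROKEN
    readable, problems = explain(target)
    print("readable by uid %d: %s" % (MYSQL_UID, readable))
    for line in problems + hygiene(target):
        print("  " + line)
```

Run it as `python3 keycheck.py /etc/pki/tls/private/test-key.pem` on the host (the file name is hypothetical) to see which component blocks the mysql user; with no argument it reports on the constructed BROKEN layout. The quick equivalent on the box itself is `sudo -u mysql cat /etc/pki/tls/private/test-key.pem >/dev/null` run as root; if that fails while the mode bits look fine, check the audit log for SELinux denials. Note that the key file should stay 0600 (or 0640 with group mysql) owned by mysql: making the *directory* traversable is the fix, making the *key* world readable is not.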