On Thu, March 12, 2015 10:40 am, m.roth at 5-cent.us wrote: > Tim Dunphy wrote: >>> >>> The mysqld process runs as the mysql user. It's parent which is the >>> mysqld_safe runs as the root user. That being said the mysql user >>> needs to have at least read permission to the locations where the ssl > files >>> are located. By default on Centos the /etc/pki/CA/private directory >>> has >>> its directory permissions to only allow the root user. If the mysql >>> user >>> cannot read all ssl files SSL will not work. > <snip> >> Thanks for your reply! That answer actually makes complete sense. Ok, so >> here is what I tried, so far without success. I gave the mysql group >> ownership of all related directories. And changed group permissions so >> that group can access them: >> >> [root at web2:/etc] #ls -ld /etc/pki/CA >> drwxrwxr-x. 6 root mysql 4096 Jan 20 15:58 /etc/pki/CA >> [root at web2:/etc] #ls -ld /etc/pki/tls/{private,certs} >> drwxrwxr-x. 2 root mysql 4096 Mar 11 22:57 /etc/pki/tls/certs >> drwxrwxr-x. 2 root mysql 4096 Mar 11 22:57 /etc/pki/tls/private >> >> Restarted the mariadb service. And when I took another look at the SSL >> variable, it's still showing that SSL is not enabled: > <snip> > Some of those will *not* work. For example, you will has ssh issues > yourself is ~/.ssh is *anything* other than 700. > > No: /etc/pki/CA should NOT be group writeable. Ditto for > /etc/pki/tls/cernts and private. > I have my doubts about permissions on /etc/pki/tls/private and on private key inside it as well. Somebody hopefully will correct me as I don't know how it is implemented in mysql/mariadb, but I assume sanity. And sanity suggests that the first process (mysqld_safe) that runs as root reads private key (and likely certificate), then passes private key to the child process(es) which runs as regular user that is not able to read private key, but gets it from parent proces. My assumption comes from what apache is doing (only apache used droppriv). I would (roll perms/ownership) back to default, and try to check locally using openssl whether daemon is using ssl/cert/key, maybe start mysql daemon in debugger to see what is going on with reading private key. I would also think of other reasons why your instance of mysql (or mariadb) could not be able to use _your_ key and cert, see, e.g.: http://forums.mysql.com/read.php?11,400856,401127 (your case may be different, I would just try think wider, but maybe debugger will give you the direct lead). Valeri ++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++