On Thu, Mar 12, 2015 at 10:49 AM Tim Dunphy <bluethundr at gmail.com> wrote:
>
> > No: /etc/pki/CA should NOT be group writeable. Ditto for
> > /etc/pki/tls/certs and private
>
> I agree - Sorry I did not mean to imply that the directory permissions on
> /etc/pki/CA should be modified. However it was mentioned as a probable
> issue for his ssl configuration on mysql/mariadb not .
>
> Ok, yeah I can understand that. I'll correct it. Still need a way to get
> SSL enabled however. Any suggestions there?
>
> Thanks
> Tim
>

Here's a test I did on a vanilla Centos 7 with mariadb from the stock Centos
repo, first with the locations you chose in your non-working scenario, and
second with an alternate location chosen for the ssl key and cert files.

First example:

-- /etc/my.cnf.d/server.cnf
[mysqld]
ssl-key=/etc/pki/CA/private/test-key.pem
ssl-cert=/etc/pki/CA/certs/test-cert.pem

Here were the errors on startup from having the ssl files in that location,
which subsequently ends up with ssl being disabled, much like you are
experiencing.

-- /var/log/mariadb/mariadb.log
150312 13:37:51 InnoDB: Waiting for the background threads to start
150312 13:37:52 Percona XtraDB (http://www.percona.com) 5.5.40-MariaDB-36.1 started; log sequence number 0
150312 13:37:52 [Note] Plugin 'FEEDBACK' is disabled.
SSL error: Unable to get private key from '/etc/pki/CA/private/test-key.pem'
150312 13:37:52 [Warning] Failed to setup SSL
150312 13:37:52 [Warning] SSL error: Unable to get private key
150312 13:37:52 [Note] Server socket created on IP: '0.0.0.0'.
150312 13:37:52 [Note] Event Scheduler: Loaded 0 events
150312 13:37:52 [Note] /usr/libexec/mysqld: ready for connections.
Version: '5.5.41-MariaDB'  socket: '/var/lib/mysql/mysql.sock'  port: 3306  MariaDB Server

MariaDB [(none)]> show variables like '%ssl%';
+---------------+----------------------------------+
| Variable_name | Value                            |
+---------------+----------------------------------+
| have_openssl  | DISABLED                         |
| have_ssl      | DISABLED                         |
<snip>

Second example:

Here are the results of the ssl key and cert files being moved to another
specific location where the mysql user can read those files and restarting
the service:

-- /etc/my.cnf.d/server.cnf
[mysqld]
ssl-key=/etc/mysql/test-key.pem
ssl-cert=/etc/mysql/test-cert.pem

-- /var/log/mariadb/mariadb.log
150312 13:48:19 InnoDB: Waiting for the background threads to start
150312 13:48:20 Percona XtraDB (http://www.percona.com) 5.5.40-MariaDB-36.1 started; log sequence number 1597945
150312 13:48:20 [Note] Plugin 'FEEDBACK' is disabled.
150312 13:48:20 [Note] Server socket created on IP: '0.0.0.0'.
150312 13:48:20 [Note] Event Scheduler: Loaded 0 events
150312 13:48:20 [Note] /usr/libexec/mysqld: ready for connections.
Version: '5.5.41-MariaDB'  socket: '/var/lib/mysql/mysql.sock'  port: 3306  MariaDB Server

MariaDB [(none)]> show variables like '%ssl%';
+---------------+--------------------------+
| Variable_name | Value                    |
+---------------+--------------------------+
| have_openssl  | YES                      |
| have_ssl      | YES                      |
<snip>

If you want to maintain consistency and store the certificates in /etc/pki/*
these should be the locations where they can be stored:

# certs, including intermediates
/etc/pki/tls/certs
# keys
/etc/pki/tls/private

Here are the results of a third test:

-- /etc/my.cnf.d/server.cnf
[mysqld]
ssl-key=/etc/pki/tls/private/test-key.pem
ssl-cert=/etc/pki/tls/certs/test-cert.pem

MariaDB [(none)]> show variables like '%ssl%';
+---------------+-----------------------------------+
| Variable_name | Value                             |
+---------------+-----------------------------------+
| have_openssl  | YES                               |
| have_ssl      | YES                               |
| ssl_ca        |                                   |
| ssl_capath    |                                   |
| ssl_cert      | /etc/pki/tls/certs/test-cert.pem  |
| ssl_cipher    |                                   |
| ssl_key       | /etc/pki/tls/private/test-key.pem |
+---------------+-----------------------------------+

Best,
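An added check, written as an illustration and not part of the thread above: mysqld drops to the service account before it opens ssl-key and ssl-cert, so the question behind the "Unable to get private key" warning is whether that account has the search (x) bit on every directory down to the file and the read bit on the file itself. The script below parses the [mysqld] section of a my.cnf-style file for ssl-key, ssl-cert and ssl-ca, then walks each path the way that account would and names the first component that blocks it. The account name "mysql" and the default config path /etc/my.cnf.d/server.cnf are assumptions, and the embedded sample config is constructed from the first example above. It checks plain mode bits only, so a pass here does not rule out a POSIX ACL or SELinux denial.

```python
# Added example (not from the thread): emulate what mysqld, running as the
# 'mysql' account, may open among the TLS files named in a my.cnf-style config.
# Plain mode bits only; POSIX ACLs and SELinux are not modelled.
import grp
import os
import pwd
import re

# Option names mysqld tries to open; '-' and '_' are interchangeable in my.cnf.
_OPT_RE = re.compile(r"^\s*(ssl[-_](?:key|cert|ca))\s*=\s*(\S.*?)\s*$")
_SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]")

# Constructed sample: the non-working layout from the first test in the thread.
SAMPLE_BROKEN = """\
[mysqld]
ssl-key=/etc/pki/CA/private/test-key.pem
ssl-cert=/etc/pki/CA/certs/test-cert.pem
"""


def tls_paths(config_text, section="mysqld"):
    """Return {option: path} for ssl-key/ssl-cert/ssl-ca in the given section."""
    found, current = {}, None
    for line in config_text.splitlines():
        if line.lstrip().startswith(("#", ";", "!")):
            continue  # comments and !include/!includedir directives
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
            continue
        m = _OPT_RE.match(line)
        if m and current == section:
            found[m.group(1).replace("_", "-")] = m.group(2).strip("'\"")
    return found


def service_ids(user="mysql"):
    """uid and all gids of the service account (caller's ids if it is absent)."""
    try:
        pw = pwd.getpwnam(user)
    except KeyError:
        return os.getuid(), set(os.getgroups())
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    return pw.pw_uid, gids


def _allowed(st, uid, gids, bit):
    """Apply the owner/group/other class of st to uid/gids; bit is 4 (r) or 1 (x)."""
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    return bool((st.st_mode >> shift) & bit)


def first_denial(path, uid, gids, base="/"):
    """Walk from base down to path. Return (component, reason) for the first
    directory without x or file without r for the account, or None if all open."""
    path, base = os.path.abspath(path), os.path.abspath(base)
    rel = os.path.relpath(path, base)
    parts = [] if rel == "." else rel.split(os.sep)
    current = base
    for i, part in enumerate(parts):
        current = os.path.join(current, part)
        try:
            st = os.stat(current)
        except FileNotFoundError:
            return current, "does not exist"
        if i < len(parts) - 1:
            if not _allowed(st, uid, gids, 1):
                return current, "directory not searchable (no x bit) for the service user"
        elif not _allowed(st, uid, gids, 4):
            return current, "file not readable by the service user"
    return None


def audit(config_text, user="mysql", base="/", ids=None):
    """Map each TLS option in [mysqld] to None (reachable) or a (path, reason)."""
    uid, gids = ids if ids is not None else service_ids(user)
    return {opt: first_denial(p, uid, gids, base) for opt, p in tls_paths(config_text).items()}


if __name__ == "__main__":
    import sys
    # Usage: python check_mysql_tls_perms.py /etc/my.cnf.d/server.cnf
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BROKEN
    for opt, result in sorted(audit(text).items()):
        print(opt, "ok" if result is None else "%s: %s" % result)
```

Run it as root against the real server.cnf on the box; with no argument it audits the constructed sample, which on a stock install should point at /etc/pki/CA/private as the blocking directory rather than at the key file itself, since mysqld never gets far enough to try the file.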