[CentOS] mysql replication - problems
Alberto Rivera Laporte
arlaporte at gmail.com
Thu Mar 12 18:10:02 UTC 2015
On Thu, Mar 12, 2015 at 10:49 AM Tim Dunphy <bluethundr at gmail.com> wrote:
> >
> > No: /etc/pki/CA should NOT be group writeable. Ditto for
> > /etc/pki/tls/certs and private
>
I agree - sorry, I did not mean to imply that the directory permissions on
/etc/pki/CA should be modified. However, it was mentioned as a probable
issue for his SSL configuration on MySQL/MariaDB not .
>
> Ok, yeah I can understand that. I'll correct it. Still need a way to get
> SSL enabled however. Any suggestions there?
>
> Thanks
> Tim
>
>
Here's a test I did on a vanilla CentOS 7 with MariaDB from the stock
CentOS repo, first with the locations you chose in your non-working
scenario, and second with an alternate location chosen for the SSL key and
cert files.
First example:
-- /etc/my.cnf.d/server.cnf
[mysqld]
ssl-key=/etc/pki/CA/private/test-key.pem
ssl-cert=/etc/pki/CA/certs/test-cert.pem
Here were the errors on startup from having the SSL files in that location,
which subsequently ends up with SSL being disabled, much like you are
experiencing.
-- /var/log/mariadb/mariadb.log
150312 13:37:51 InnoDB: Waiting for the background threads to start
150312 13:37:52 Percona XtraDB (http://www.percona.com) 5.5.40-MariaDB-36.1
started; log sequence number 0
150312 13:37:52 [Note] Plugin 'FEEDBACK' is disabled.
SSL error: Unable to get private key from '/etc/pki/CA/private/test-key.pem'
150312 13:37:52 [Warning] Failed to setup SSL
150312 13:37:52 [Warning] SSL error: Unable to get private key
150312 13:37:52 [Note] Server socket created on IP: '0.0.0.0'.
150312 13:37:52 [Note] Event Scheduler: Loaded 0 events
150312 13:37:52 [Note] /usr/libexec/mysqld: ready for connections.
Version: '5.5.41-MariaDB'  socket: '/var/lib/mysql/mysql.sock'  port: 3306  MariaDB Server
MariaDB [(none)]> show variables like '%ssl%';
+---------------+----------+
| Variable_name | Value    |
+---------------+----------+
| have_openssl  | DISABLED |
| have_ssl      | DISABLED |
<snip>
Second example:
Here are the results of the SSL key and cert files being moved to another
specific location where the mysql user can read those files, and restarting
the service:
-- /etc/my.cnf.d/server.cnf
[mysqld]
ssl-key=/etc/mysql/test-key.pem
ssl-cert=/etc/mysql/test-cert.pem
-- /var/log/mariadb/mariadb.log
150312 13:48:19 InnoDB: Waiting for the background threads to start
150312 13:48:20 Percona XtraDB (http://www.percona.com) 5.5.40-MariaDB-36.1
started; log sequence number 1597945
150312 13:48:20 [Note] Plugin 'FEEDBACK' is disabled.
150312 13:48:20 [Note] Server socket created on IP: '0.0.0.0'.
150312 13:48:20 [Note] Event Scheduler: Loaded 0 events
150312 13:48:20 [Note] /usr/libexec/mysqld: ready for connections.
Version: '5.5.41-MariaDB'  socket: '/var/lib/mysql/mysql.sock'  port: 3306  MariaDB Server
MariaDB [(none)]> show variables like '%ssl%';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_openssl  | YES   |
| have_ssl      | YES   |
<snip>
If you want to maintain consistency and store the certificates under
/etc/pki/*, these are the locations where they should be stored:
#certs, including intermediates
/etc/pki/tls/certs
# keys
/etc/pki/tls/private
Here are the results of a third test:
-- /etc/my.cnf.d/server.cnf
[mysqld]
ssl-key=/etc/pki/tls/private/test-key.pem
ssl-cert=/etc/pki/tls/certs/test-cert.pem
MariaDB [(none)]> show variables like '%ssl%';
+---------------+-----------------------------------+
| Variable_name | Value                             |
+---------------+-----------------------------------+
| have_openssl  | YES                               |
| have_ssl      | YES                               |
| ssl_ca        |                                   |
| ssl_capath    |                                   |
| ssl_cert      | /etc/pki/tls/certs/test-cert.pem  |
| ssl_cipher    |                                   |
| ssl_key       | /etc/pki/tls/private/test-key.pem |
+---------------+-----------------------------------+
Best,
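The failure in the first test above is a plain file-permission problem: mysqld runs as the unprivileged mysql user, so a key under a root-only directory such as /etc/pki/CA/private cannot be opened, the server logs "Unable to get private key" and comes up with SSL disabled rather than refusing to start. The script below is an added example, not code from this thread or from MariaDB. It reads ssl-key and ssl-cert from the [mysqld] section of a server.cnf and walks every path component with the classic mode bits the kernel applies for a given uid and group list (search on each ancestor directory, read on the file), so you can answer "could the mysql user read this key?" without switching users. It models only mode bits; POSIX ACLs and SELinux, both present on CentOS 7, can deny access independently and are not checked. The config path and service user in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or MariaDB): answer "could the mysqld
# user open this key?" by applying classic mode bits the way the kernel does:
# search (x) on every ancestor directory, then read (r) on the file itself.
# Only DAC mode bits are modelled; POSIX ACLs and SELinux can still deny.
# Config path and user in the usage comment at the bottom are assumptions.

# in_list NEEDLE ITEM... : 0 if NEEDLE equals one of ITEM...
in_list() {
  il_needle=$1; shift
  for il_item in "$@"; do
    [ "$il_item" = "$il_needle" ] && return 0
  done
  return 1
}

# mode_allows MODE FUID FGID UID "GROUPS" r|x
# MODE is the ls(1) mode string, e.g. drwxr-x---. Picks the owner, group or
# other triad for UID/GROUPS and tests the requested bit; a lower-case s or t
# means the x bit is set alongside setuid/setgid/sticky.
mode_allows() {
  ma_mode=$1; ma_fuid=$2; ma_fgid=$3; ma_uid=$4; ma_groups=$5; ma_want=$6
  if [ "$ma_uid" = "$ma_fuid" ]; then ma_base=2
  elif in_list "$ma_fgid" $ma_groups; then ma_base=5
  else ma_base=8; fi
  case $ma_want in r) ma_pos=$ma_base ;; x) ma_pos=$((ma_base + 2)) ;; esac
  ma_bit=$(printf '%s' "$ma_mode" | cut -c "$ma_pos")
  case "$ma_want$ma_bit" in rr|xx|xs|xt) return 0 ;; *) return 1 ;; esac
}

# check_path UID "GROUPS" PATH r|x : 0 if allowed, else prints why and returns 1.
# ls -ldnL prints "MODE links UID GID ..." with numeric ids, following symlinks.
check_path() {
  cp_uid=$1; cp_groups=$2; cp_path=$3; cp_want=$4
  cp_ls=$(ls -ldnL "$cp_path" 2>/dev/null) || { echo "missing: $cp_path"; return 1; }
  set -- $cp_ls
  mode_allows "$1" "$3" "$4" "$cp_uid" "$cp_groups" "$cp_want" && return 0
  echo "denied: $cp_path is $1 uid=$3 gid=$4; uid $cp_uid lacks '$cp_want'"
  return 1
}

# can_read_path UID "GROUPS" /abs/file : 0 if UID could open the file for reading
can_read_path() {
  cr_uid=$1; cr_groups=$2; cr_file=$3
  [ "$cr_uid" = 0 ] && return 0   # root bypasses mode bits (CAP_DAC_OVERRIDE)
  case $cr_file in /*) ;; *) echo "need an absolute path: $cr_file"; return 1 ;; esac
  check_path "$cr_uid" "$cr_groups" / x || return 1
  cr_prefix=""
  cr_rest=$(dirname "$cr_file"); cr_rest=${cr_rest#/}
  while [ -n "$cr_rest" ]; do             # /etc, /etc/pki, /etc/pki/CA, ...
    cr_comp=${cr_rest%%/*}
    cr_prefix="$cr_prefix/$cr_comp"
    check_path "$cr_uid" "$cr_groups" "$cr_prefix" x || return 1
    case $cr_rest in */*) cr_rest=${cr_rest#*/} ;; *) cr_rest="" ;; esac
  done
  check_path "$cr_uid" "$cr_groups" "$cr_file" r
}

# cnf_value FILE KEY : value of KEY in the [mysqld] section of a my.cnf-style
# file. KEY uses underscores; the dash spelling in the file (ssl-key) also matches.
cnf_value() {
  awk -v key="$2" '
    /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[mysqld\][ \t]*$/); next }
    insec && !/^[ \t]*[#;]/ {
      n = index($0, "="); if (n == 0) next
      k = substr($0, 1, n - 1); v = substr($0, n + 1)
      gsub(/[ \t]/, "", k); gsub(/-/, "_", k)
      if (k == key) { sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); print v; exit }
    }' "$1"
}

# check_mysqld_ssl CNF UID "GROUPS" : 0 only if both ssl_key and ssl_cert from
# the [mysqld] section of CNF are readable by UID.
check_mysqld_ssl() {
  cm_cnf=$1; cm_uid=$2; cm_groups=$3; cm_rc=0
  for cm_opt in ssl_key ssl_cert; do
    cm_val=$(cnf_value "$cm_cnf" "$cm_opt")
    if [ -z "$cm_val" ]; then
      echo "$cm_opt is not set in $cm_cnf"; cm_rc=1
    elif can_read_path "$cm_uid" "$cm_groups" "$cm_val"; then
      echo "ok: $cm_opt=$cm_val is readable by uid $cm_uid"
    else
      cm_rc=1
    fi
  done
  return $cm_rc
}

# Usage on a real host (config path and service user are assumptions):
#   sh check_mysqld_ssl.sh /etc/my.cnf.d/server.cnf mysql
if [ $# -ge 1 ]; then
  check_mysqld_ssl "$1" "$(id -u "${2:-mysql}")" "$(id -G "${2:-mysql}")"
fi
```

A "denied" line names the first component that blocks the service user, which is usually a 0700 directory such as /etc/pki/CA/private rather than the key file itself; moving the key to a directory the mysql user can search (or granting search on that directory via group membership) is the fix, not loosening /etc/pki/CA. The walk is run against the resolved target, so a symlinked key is checked where it actually lives.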