1 Reply Latest reply on Dec 26, 2019 5:08 AM by 3029903

    SSL configuration fails with a warning

    3029903

Hi, I am trying to set up MySQL Server 8.0.16 on RHEL 7.5. The configuration I want to include for this server contains SSL-related options.

       

      The MySQL server is initialized but with a warning related to SSL, which is as follows:

       

      mysqld --defaults-file=/mysql_data/config/options.cnf --initialize --user=mysql &

       

[root@BFLBRESRV03 ~]#

      2019-12-13T13:04:14.071486Z 0 [Warning] [MY-011070] [Server] 'Disabling symbolic links using --skip-symbolic-links (or equivalent) is the default. Consider not using this option as it' is deprecated and will be removed in a future release.

      2019-12-13T13:04:14.071739Z 0 [System] [MY-013169] [Server] /mysql_binaries/mysql/mysql-server-8.0.16/bin/mysqld (mysqld 8.0.16-commercial) initializing of server in progress as process 962

      2019-12-13T13:04:19.318987Z 0 [Warning] [MY-010069] [Server] Failed to set up SSL because of the following SSL library error: SSL_CTX_set_default_verify_paths failed

      2019-12-13T13:04:19.498482Z 5 [Note] [MY-010454] [Server] A temporary password is generated for root@localhost: geY0lgrNZd+u

      2019-12-13T13:04:20.958898Z 0 [System] [MY-013170] [Server] /mysql_binaries/mysql/mysql-server-8.0.16/bin/mysqld (mysqld 8.0.16-commercial) initializing of server has completed

       

      [1]+ Done mysqld --defaults-file=/mysql_data/config/options.cnf --initialize --user=mysql

      [Warning] [MY-010069] [Server] Failed to set up SSL because of the following SSL library error: SSL_CTX_set_default_verify_paths failed

       

      The directory does not contain the ca.pem file but it does contain private_key.pem, and public_key.pem.

       

My options file contains the following SSL configuration:

       

[mysqld]

# SSL #
ssl-cipher = DHE-RSA-AES256-SHA
ssl_ca = /mysql_data/ssl-certs/ca.pem
ssl_cert = /mysql_data/ssl-certs/server-cert.pem
ssl_key = /mysql_data/ssl-certs/server-key.pem
require_secure_transport = ON
tls_version = TLSv1.2

If I initialize the server without the ssl-ca, ssl-cert and ssl-key options, the server is initialized successfully without any warnings, and the data directory contains the files ca-key.pem, client-cert.pem, public_key.pem, server-key.pem, ca.pem, client-key.pem, private_key.pem and server-cert.pem.

       

Kindly help me understand what mistake I am making. What is the warning about, and why was the ca.pem certificate file not created?

       

      Can I create the SSL certificates in directories other than data directory?

       

I know I can later create the certificates using openssl or mysql_ssl_rsa_setup.

       

      https://serverfault.com/questions/839650/mysql-ssl-ssl-ctx-set-default-verify-paths-failed

       

      My SELinux is in PERMISSIVE mode.

       

      MySQL ssl setup failed

       

The directory for SSL certificates that I was using, /mysql_data/ssl-certs, is owned by the mysql user and group.

        • 1. Re: SSL configuration fails with a warning
          3029903

          It was a silly mistake.

I was referring to certificates which didn't exist, and I was using the wrong directory name.

First, one must create the certificates using mysql_ssl_rsa_setup or openssl and place them in the designated directory:

          mysql_ssl_rsa_setup --datadir=/mysql_data/ssl_certs --uid=mysql

Use the following configuration under the [mysqld] section:

ssl-ca=/mysql_data/ssl_certs/ca.pem
ssl-key=/mysql_data/ssl_certs/server-key.pem
ssl-cert=/mysql_data/ssl_certs/server-cert.pem

Then initialise the database using:

          mysqld --defaults-file=/mysql_data/config/options.cnf --user=mysql --initialize

          In my case even this did not work.

The mistake I was making was using an incorrect directory name; I was using /mysql_data/ssl-certs instead of the correct one, /mysql_data/ssl_certs.
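The root cause in this thread (a directory name that differs from the real one by a single character, so mysqld cannot open the configured ssl_ca/ssl_cert/ssl_key files and falls back to the generic "SSL_CTX_set_default_verify_paths failed" warning) is cheap to catch before ever running `mysqld --initialize`. The script below is an added example written for this page, not code from the thread or from MySQL: it reads the `[mysqld]` section of an options file, folds `ssl-ca`/`ssl_ca` style spellings to one name the way the server does, checks that every configured SSL file exists and is readable, and when a path component is missing looks for a near-identical sibling directory (the `ssl-certs` vs `ssl_certs` case). The demo function builds its own throw-away fixture with placeholder PEM files (constructed, not real certificates) and a config that reproduces the typo, so it runs offline; run it as the `mysql` user (for example via `sudo -u mysql`) if you want the readability check to reflect the server's own permissions.

```python
"""Pre-flight check for ssl_ca / ssl_cert / ssl_key paths in a MySQL options file.

Added example for this thread; not part of MySQL. Catches the "file does not
exist / wrong directory" mistake before mysqld --initialize reports the vague
"SSL_CTX_set_default_verify_paths failed" warning.
"""
import configparser
import difflib
import os
import shutil
import tempfile

SSL_FILE_OPTIONS = ("ssl_ca", "ssl_cert", "ssl_key")


def load_mysqld_options(path):
    """Return the [mysqld] section as a dict with option names normalised.

    MySQL treats '-' and '_' in option names as equivalent (ssl-ca == ssl_ca),
    so both spellings are folded to the underscore form here.
    """
    parser = configparser.ConfigParser(allow_no_value=True, interpolation=None, strict=False)
    parser.optionxform = lambda name: name.strip().replace("-", "_").lower()
    parser.read(path)
    if "mysqld" not in parser:
        return {}
    return {k: (v.strip() if v else v) for k, v in parser["mysqld"].items()}


def nearest_existing_path(path):
    """Walk the path; at the first missing component, look for a close sibling.

    Returns a corrected path if swapping in the closest sibling name yields a
    path that exists (e.g. /x/ssl-certs/ca.pem -> /x/ssl_certs/ca.pem), else None.
    """
    parts = path.split(os.sep)
    current = os.sep if path.startswith(os.sep) else ""
    for i, part in enumerate(parts):
        if part == "":
            continue
        candidate = os.path.join(current, part)
        if os.path.exists(candidate):
            current = candidate
            continue
        try:
            siblings = os.listdir(current or ".")
        except OSError:
            return None
        matches = difflib.get_close_matches(part, siblings, n=1, cutoff=0.8)
        if not matches:
            return None
        fixed = os.path.join(current, matches[0], *parts[i + 1:])
        return fixed if os.path.exists(fixed) else None
    return None


def check_ssl_files(options):
    """Return a list of human-readable problems for the configured SSL files."""
    problems = []
    for opt in SSL_FILE_OPTIONS:
        value = options.get(opt)
        if not value:
            # Unset: mysqld generates its own CA and certs in datadir at --initialize.
            continue
        if os.path.isfile(value):
            if not os.access(value, os.R_OK):
                problems.append(f"{opt}: {value} exists but is not readable by this user")
            continue
        msg = f"{opt}: {value} does not exist"
        suggestion = nearest_existing_path(value)
        if suggestion:
            msg += f" (did you mean {suggestion}?)"
        problems.append(msg)
    return problems


def run_demo():
    """Reproduce the thread's mistake in a temp dir; return (before_fix, after_fix)."""
    root = tempfile.mkdtemp(prefix="mysql_ssl_demo_")
    try:
        good_dir = os.path.join(root, "ssl_certs")  # what mysql_ssl_rsa_setup populated
        os.mkdir(good_dir)
        for name in ("ca.pem", "server-cert.pem", "server-key.pem"):
            with open(os.path.join(good_dir, name), "w") as fh:
                fh.write("-----BEGIN PLACEHOLDER-----\n")  # constructed stand-in, not a real PEM
        bad_dir = os.path.join(root, "ssl-certs")  # the typo from the thread

        def write_cnf(cert_dir):
            cnf = os.path.join(root, "options.cnf")
            with open(cnf, "w") as fh:
                fh.write("[mysqld]\n# SSL #\n")
                fh.write(f"ssl-ca = {cert_dir}/ca.pem\n")          # hyphen spelling
                fh.write(f"ssl_cert = {cert_dir}/server-cert.pem\n")  # underscore spelling
                fh.write(f"ssl_key = {cert_dir}/server-key.pem\n")
                fh.write("require_secure_transport = ON\n")
            return cnf

        before = check_ssl_files(load_mysqld_options(write_cnf(bad_dir)))
        after = check_ssl_files(load_mysqld_options(write_cnf(good_dir)))
        return before, after
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for line in run_demo()[0]:
        print(line)
```

Against a real options file, call `check_ssl_files(load_mysqld_options("/mysql_data/config/options.cnf"))` and refuse to start the server if the list is non-empty; a clean result means mysqld will at least be able to open the three files, which is the failure this thread hit.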