SSL configuration fails with a warning

3029903

    Hi, I am trying to set up a MySQL server 8.0.16 on RHEL 7.5. The configuration I want to include for this server contains SSL-related options.

     

    The MySQL server is initialized but with a warning related to SSL, which is as follows:

     

    mysqld --defaults-file=/mysql_data/config/options.cnf --initialize --user=mysql &

     

    [root@BFLBRESRV03 ~]#

    2019-12-13T13:04:14.071486Z 0 [Warning] [MY-011070] [Server] 'Disabling symbolic links using --skip-symbolic-links (or equivalent) is the default. Consider not using this option as it' is deprecated and will be removed in a future release.

    2019-12-13T13:04:14.071739Z 0 [System] [MY-013169] [Server] /mysql_binaries/mysql/mysql-server-8.0.16/bin/mysqld (mysqld 8.0.16-commercial) initializing of server in progress as process 962

    2019-12-13T13:04:19.318987Z 0 [Warning] [MY-010069] [Server] Failed to set up SSL because of the following SSL library error: SSL_CTX_set_default_verify_paths failed

    2019-12-13T13:04:19.498482Z 5 [Note] [MY-010454] [Server] A temporary password is generated for root@localhost: geY0lgrNZd+u

    2019-12-13T13:04:20.958898Z 0 [System] [MY-013170] [Server] /mysql_binaries/mysql/mysql-server-8.0.16/bin/mysqld (mysqld 8.0.16-commercial) initializing of server has completed

     

    [1]+ Done mysqld --defaults-file=/mysql_data/config/options.cnf --initialize --user=mysql

    [Warning] [MY-010069] [Server] Failed to set up SSL because of the following SSL library error: SSL_CTX_set_default_verify_paths failed

     

    The directory does not contain the ca.pem file but it does contain private_key.pem, and public_key.pem.

     

    My options file contains the following SSL configuration:

    [mysqld]
    # SSL #
    ssl-cipher = DHE-RSA-AES256-SHA
    ssl_ca = /mysql_data/ssl-certs/ca.pem
    ssl_cert = /mysql_data/ssl-certs/server-cert.pem
    ssl_key = /mysql_data/ssl-certs/server-key.pem
    require_secure_transport = ON
    tls_version = TLSv1.2

    If I initialize the server without ssl-ca, ssl-cert, ssl-key options, the server is successfully initialized without any warnings and the data directory contains the files ca-key.pem, client-cert.pem, public_key.pem, server-key.pem, ca.pem, client-key.pem, private_key.pem, server-cert.pem.

     

    Kindly help me understand what mistake I am making. What is the warning about, and why was the ca.pem certificate file not created?

     

    Can I create the SSL certificates in directories other than data directory?

     

    I know I can later create the certificates using openssl or mysql_ssl_rsa_setup.

     

    https://serverfault.com/questions/839650/mysql-ssl-ssl-ctx-set-default-verify-paths-failed

     

    My SELinux is in PERMISSIVE mode.

     

    MySQL ssl setup failed

     

    The directory for SSL certificates that I was using, /mysql_data/ssl-certs, is owned by the mysql user and group.

      • 1. Re: SSL configuration fails with a warning
        3029903

        It was a silly mistake.

        I was referring to certificates which didn't exist, and I was using the wrong directory name.

        First, one must create the certificates using mysql_ssl_rsa_setup/openssl and place them in the designated directory.

        mysql_ssl_rsa_setup --datadir=/mysql_data/ssl_certs --uid=mysql

        Use the following configuration under the [mysqld] section:

        ssl-ca=/mysql_data/ssl_certs/ca.pem
        ssl-key=/mysql_data/ssl_certs/server-key.pem
        ssl-cert=/mysql_data/ssl_certs/server-cert.pem

        Then initialise the database using:

        mysqld --defaults-file=/mysql_data/config/options.cnf --user=mysql --initialize

        In my case even this did not work.

        The mistake I was making was using an incorrect directory name; I was using /mysql_data/ssl-certs instead of the correct one, /mysql_data/ssl_certs.
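
A preflight check for the mistake described in this thread, as an added example that is not part of the original posts: it reads the `[mysqld]` section of an options file and reports any `ssl_ca`, `ssl_cert` or `ssl_key` path that is missing, saying whether the directory itself does not exist. The function names `trim` and `check_ssl_paths` are hypothetical, and the parser assumes unquoted values and no `#` inside paths.

```shell
#!/bin/sh
# Added example (not from the thread): preflight check for the TLS file
# options in the [mysqld] section of a MySQL options file.
# Usage: check_ssl_paths /path/to/options.cnf
# Exit status: 0 all files readable, 1 something missing, 2 cannot read file.

trim() { printf '%s' "$1" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'; }

check_ssl_paths() (
    cnf="$1"; rc=0; section=""
    [ -r "$cnf" ] || { echo "cannot read $cnf" >&2; exit 2; }
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(trim "${line%%#*}")     # drop comments (assumes no '#' in paths)
        [ -n "$line" ] || continue
        case "$line" in
            \[*\]) section="$line"; continue ;;   # section header
            *=*)   ;;                             # option = value
            *)     continue ;;
        esac
        [ "$section" = "[mysqld]" ] || continue
        # mysqld accepts '-' and '_' interchangeably in option names
        key=$(trim "${line%%=*}" | sed 's/-/_/g')
        val=$(trim "${line#*=}")
        case "$key" in
            ssl_ca|ssl_cert|ssl_key)
                dir=$(dirname "$val")
                if [ -r "$val" ]; then
                    echo "OK      $key $val"
                elif [ ! -d "$dir" ]; then
                    echo "MISSING $key $val (directory $dir does not exist)"; rc=1
                else
                    echo "MISSING $key $val (file not found or unreadable)"; rc=1
                fi ;;
        esac
    done < "$cnf"
    exit "$rc"
)
```

Run it as the account the server runs under (the `mysql` user in this thread) so the readability test reflects what mysqld will see.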