1

Hi, I am trying to set up a MySQL server 8.0.16 on RHEL 7.5. The configuration I am willing to include for this server contains SSL-related options.

The MySQL server is initialized but with a warning related to SSL, which is as follows:

mysqld --defaults-file=/mysql_data/config/options.cnf --initialize --user=mysql &
[root@BFLBRESRV03 ~]# 100
 100 200 300 400 500
 100 200 300 400 500
 100
2019-12-13T13:04:14.071486Z 0 [Warning] [MY-011070] [Server] 'Disabling symbolic links using --skip-symbolic-links (or equivalent) is the default. Consider not using this option as it' is deprecated and will be removed in a future release.
2019-12-13T13:04:14.071739Z 0 [System] [MY-013169] [Server] /mysql_binaries/mysql/mysql-server-8.0.16/bin/mysqld (mysqld 8.0.16-commercial) initializing of server in progress as process 962
2019-12-13T13:04:19.318987Z 0 [Warning] [MY-010069] [Server] Failed to set up SSL because of the following SSL library error: SSL_CTX_set_default_verify_paths failed
2019-12-13T13:04:19.498482Z 5 [Note] [MY-010454] [Server] A temporary password is generated for root@localhost: geY0lgrNZd+u
2019-12-13T13:04:20.958898Z 0 [System] [MY-013170] [Server] /mysql_binaries/mysql/mysql-server-8.0.16/bin/mysqld (mysqld 8.0.16-commercial) initializing of server has completed
[1]+ Done mysqld --defaults-file=/mysql_data/config/options.cnf --initialize --user=mysql

[Warning] [MY-010069] [Server] Failed to set up SSL because of the following SSL library error: SSL_CTX_set_default_verify_paths failed

The directory does not contain the ca.pem file but it does contain private_key.pem, and public_key.pem.

My options file contains the following SSL configuration:

[mysqld]
# SSL #
ssl-cipher = DHE-RSA-AES256-SHA
ssl_ca = /mysql_data/ssl-certs/ca.pem
ssl_cert = /mysql_data/ssl-certs/server-cert.pem
ssl_key = /mysql_data/ssl-certs/server-key.pem
require_secure_transport = ON
tls_version = TLSv1.2

If I initialize the server without ssl-ca, ssl-cert, ssl-key options, the server is successfully initialized without any warnings and the data directory contains the files ca-key.pem, client-cert.pem, public_key.pem, server-key.pem, ca.pem, client-key.pem, private_key.pem, server-cert.pem.

Kindly help me understand what mistake I am making. What is the warning about, and why was the ca.pem certificate file not created?

Can I create the SSL certificates in directories other than data directory?

I know I can later create the certificates using openssl or mysql_ssl_rsa_setup.

https://serverfault.com/questions/839650/mysql-ssl-ssl-ctx-set-default-verify-paths-failed

My SELinux is in PERMISSIVE mode.

MySQL ssl setup failed

The directory for SSL certificates that I was using /mysql_data/ssl-certs is owned by mysql user and group.

asked Dec 13, 2019 at 13:30

1 Answer

2

It was a silly mistake.

I was referring to certificates which didn't exist, and I was using a wrong directory name.

First, one must create the certificates, using mysql_ssl_rsa_setup/openssl and place them in the designated directory.

mysql_ssl_rsa_setup --datadir=/mysql_data/ssl_certs --uid=mysql

Use the following configuration under the [mysqld] section:

ssl-ca=/mysql_data/ssl_certs/ca.pem
ssl-key=/mysql_data/ssl_certs/server-key.pem
ssl-cert=/mysql_data/ssl_certs/server-cert.pem

Then initialise the database using:

mysqld --defaults-file=/mysql_data/config/options.cnf --user=mysql --initialize

In my case even this did not work.

The mistake I was making was using an incorrect directory name; I was using /mysql_data/ssl-certs instead of the correct one, /mysql_data/ssl_certs.

answered Dec 25, 2019 at 7:11
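
A pre-flight check for the mismatch described in this thread, added here as an example and not part of the original question or answer: it reads the SSL file options from the [mysqld] group of an options file, reports any path that is missing or unreadable, and suggests an existing path that differs only in `-` versus `_`. The function names are hypothetical, the sample directory and options file are constructed in a temporary directory, `!include` directives and inline comments are not handled, and readability is tested for the user running the script.

```python
import os
import tempfile

def read_mysqld_ssl_paths(cnf_path):
    """Return {option: path} for ssl_ca/ssl_cert/ssl_key in the [mysqld] group."""
    paths, group = {}, None
    with open(cnf_path) as fh:
        for line in map(str.strip, fh):
            if not line or line[0] in "#;!":  # comments; !include lines are not followed
                continue
            if line.startswith("[") and line.endswith("]"):
                group = line[1:-1].strip().lower()
            elif group == "mysqld" and "=" in line:
                name, value = (p.strip() for p in line.split("=", 1))
                name = name.replace("-", "_").lower()  # ssl-ca and ssl_ca are one option
                if name in ("ssl_ca", "ssl_cert", "ssl_key"):
                    paths[name] = value.strip("'\"")
    return paths

def near_miss(path):
    """Return an existing path that differs from `path` only in '-' vs '_', else None."""
    parent, leaf = os.path.split(path.rstrip("/"))
    if leaf and not os.path.isdir(parent):
        parent = near_miss(parent)  # the typo may be in a directory name
    if not leaf or not parent or not os.path.isdir(parent):
        return None
    want = leaf.replace("-", "_")
    matches = [e for e in sorted(os.listdir(parent)) if e.replace("-", "_") == want]
    return os.path.join(parent, matches[0]) if matches else None

def check_ssl_files(cnf_path):
    """Return [(option, path, problem)]; an empty list means every file is readable."""
    problems = []
    for opt, path in sorted(read_mysqld_ssl_paths(cnf_path).items()):
        if not (os.path.isfile(path) and os.access(path, os.R_OK)):
            hint = None if os.path.exists(path) else near_miss(path)
            problems.append((opt, path, f"did you mean {hint}?" if hint else "missing or unreadable"))
    return problems

def demo():
    """Constructed sample: ca.pem lives in ssl_certs, the options file says ssl-certs."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "ssl_certs"))
    open(os.path.join(root, "ssl_certs", "ca.pem"), "w").close()
    cnf = os.path.join(root, "options.cnf")
    with open(cnf, "w") as fh:
        fh.write(f"[mysqld]\nssl-ca = {root}/ssl-certs/ca.pem\n"
                 f"ssl_key = {root}/ssl_certs/server-key.pem\n")
    return root, check_ssl_files(cnf)
```

Running `check_ssl_files("/mysql_data/config/options.cnf")` as the mysql user before `mysqld --initialize` gives the result the server would see; as root, the readability test always passes.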
