
I've generated a handful of certificates for my MySQL 8.0.30 (mysql-server.x86_64 8.0.30-1.module+el8.6.0+16523+5cb0e868 @rhel-8-for-x86_64-appstream-rpms) on RHEL 8.7 and I'm running into an issue...

I have my ca.pem which contains the root and intermediate certificates, server-key.pem which contains the RSA key (BEGIN RSA PRIVATE KEY/END RSA PRIVATE KEY) and server-cert.pem which contains the actual server certificate. I'm getting the following error when I start up MySQL:

2023-03-19T11:36:56.572166Z 0 [Warning] [MY-013595] [Server] Failed to initialize TLS for channel: mysql_main. See below for the description of exact issue.
2023-03-19T11:36:56.572209Z 0 [Warning] [MY-010069] [Server] Failed to set up SSL because of the following SSL library error: SSL_CTX_set_tmp_dh failed
2023-03-19T11:36:56.641677Z 0 [Warning] [MY-011302] [Server] Plugin mysqlx reported: 'Failed at SSL configuration: "SSL context is not usable without certificate and private key"'

I don't know what I'm doing wrong... anyone?

asked Mar 19, 2023 at 16:26

  • From the error message you posted: "SSL context is not usable without certificate and private key". Go and create this certificate. Commented Mar 20, 2023 at 10:00
  • Which one? The actual exception relates to what I believe are DH keys, but I don't know for sure. Commented Mar 20, 2023 at 10:53

1 Answer

Ok, so I pulled the source for mariadb (I know it isn't the same but it's close enough) and found the following in server-10.9/vio/viosslfactories.c (grep hits, so only the matching lines are shown):

    #include <openssl/dh.h>
    /* the function below was generated with "openssl dhparam -2 -C 2048" */
    DH *get_dh2048()
        static unsigned char dhp_2048[] = {
        static unsigned char dhg_2048[] = {
        DH *dh = DH_new();
        BIGNUM *dhp_bn, *dhg_bn;
        if (dh == NULL)
        dhp_bn = BN_bin2bn(dhp_2048, sizeof (dhp_2048), NULL);
        dhg_bn = BN_bin2bn(dhg_2048, sizeof (dhg_2048), NULL);
        if (dhp_bn == NULL || dhg_bn == NULL
            || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
            DH_free(dh);
            BN_free(dhp_bn);
            BN_free(dhg_bn);
        return dh;
    "SSL_CTX_set_tmp_dh failed",
    DH *dh= get_dh2048();
    if (!SSL_CTX_set_tmp_dh(ssl_fd->ssl_context, dh))
        DH_free(dh);
    DH_free(dh);

So it looks like the DH param wants to get generated at 2048 bits. However, my server is configured for CIS Level 2, and the OpenSSL SECLEVEL is set to 3 (which would require a minimum 3072-bit key). Changing the SECLEVEL to 2 resolves the issue.

Thanks everyone!

answered Mar 20, 2023 at 14:47
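The failure in the answer above can be reproduced without MySQL, because Python's ssl.SSLContext.load_dh_params() ends in the same OpenSSL call, SSL_CTX_set_tmp_dh(), that the server makes with its built-in 2048-bit group. The following is an added example, not code from the original post, MySQL or MariaDB: it builds the RFC 7919 ffdhe2048 group (a real 2048-bit safe prime, derived from the formula published in that RFC rather than from the server's compiled-in constants, which are not reproduced here), writes it as a PEM "DH PARAMETERS" file, and tries to load it into server contexts pinned to @SECLEVEL=1, 2 and 3. The helper names (ffdhe2048_prime, dh_params_pem, try_load_dh, run_demo) are this example's own.

```python
"""Reproduce 'SSL_CTX_set_tmp_dh failed' outside MySQL via OpenSSL security levels.

Added example, not code from the original post. It needs only the Python
standard library and an OpenSSL-backed ssl module (1.1.1 or 3.x).
"""
import base64
import math
import os
import ssl
import tempfile


def ffdhe2048_prime() -> int:
    """RFC 7919 ffdhe2048 modulus from its published formula:
    p = 2^2048 - 2^1984 + {floor(2^1918 * e) + 560316} * 2^64 - 1.
    floor(2^1918 * e) is computed as sum(2^1982 // k!) >> 64: the ~300
    truncated terms lose well under 2^64, so the 64 guard bits absorb them."""
    guard = 64
    acc, k = 0, 0
    while True:
        term = (1 << (1918 + guard)) // math.factorial(k)
        if term == 0:
            break
        acc += term
        k += 1
    e_scaled = acc >> guard
    return (1 << 2048) - (1 << 1984) + (e_scaled + 560316) * (1 << 64) - 1


def is_probable_prime(n: int, bases=(2, 3, 5, 7, 11, 13, 17, 19)) -> bool:
    """Miller-Rabin with fixed bases; enough to catch a mistyped constant."""
    if n < 2:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def _der_int(n: int) -> bytes:
    body = n.to_bytes(n.bit_length() // 8 + 1, "big")  # minimal, sign bit clear
    return b"\x02" + _der_len(len(body)) + body


def dh_params_pem(p: int, g: int = 2) -> str:
    """PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }, PEM-armoured."""
    content = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(content)) + content
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


def try_load_dh(pem_path: str, seclevel: int) -> str:
    """Pin the context to one OpenSSL security level, then load the group
    exactly the way the server does (SSL_CTX_set_tmp_dh under the hood)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(f"DEFAULT:@SECLEVEL={seclevel}")
    try:
        ctx.load_dh_params(pem_path)
        return "accepted"
    except ssl.SSLError as exc:
        return f"rejected: {exc.reason}"


def run_demo() -> dict:
    """Map each security level to the verdict on a 2048-bit group."""
    p = ffdhe2048_prime()
    if not (is_probable_prime(p) and is_probable_prime((p - 1) // 2)):
        raise RuntimeError("ffdhe2048 construction failed its safe-prime check")
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "dh2048.pem")
        with open(path, "w") as fh:
            fh.write(dh_params_pem(p))
        return {lvl: try_load_dh(path, lvl) for lvl in (1, 2, 3)}


if __name__ == "__main__":
    for lvl, verdict in run_demo().items():
        print(f"@SECLEVEL={lvl}: 2048-bit DH group {verdict}")
```

Level 2 (112-bit security) accepts the 2048-bit group, level 3 (128-bit) rejects it with DH_KEY_TOO_SMALL, which is the same SSL_CTX_set_tmp_dh failure MySQL logs as a warning and then falls back to "no TLS". Two practical notes: on RHEL 8 the system-wide SECLEVEL comes from crypto-policies (`update-crypto-policies --show` tells you which policy is active; FUTURE is the one that pins @SECLEVEL=3 for OpenSSL), so the lever is the policy rather than an edit to openssl.cnf; and level 3 also demands a 3072-bit RSA key, so a server-key.pem generated at 2048 bits would be refused at that level even if the DH problem were solved.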
