I am following http://dev.mysql.com/doc/refman/5.0/en/creating-ssl-certs.html word by word to create the SSL certificates for setting up SSL-enabled replication, but it is not working for me. The steps I am following:
- Using the above reference, I created all the required certificates in /var/opt/mysql_certs/
- Changed the ownership of all the certificates:
  chown -R mysql:mysql /var/opt/mysql_certs
- Then I edited my /etc/my.conf and put these 3 lines in the mysqld section:
  ssl-ca=/var/opt/mysql_certs/ca-cert.pem
  ssl-cert=/var/opt/mysql_certs/server-cert.pem
  ssl-key=/var/opt/mysql_certs/server-key.pem
- Lastly I restart mysqld with /etc/init.d/restart mysqld. But I am getting the following errors:
[Warning] Failed to setup SSL
[Warning] SSL error: SSL_CTX_set_default_verify_paths failed
FYI: the OS is CentOS 6.
I recently solved this issue on my own system and it turned out to be SELinux blocking the reads for the certificates. I fixed my problem by running
restorecon -v /path/to/certs/*
but it could also be solved by disabling SELinux by running
setenforce 0
or by editing the /etc/selinux/config file and setting 'SELINUX=DISABLED'. (If you haven't disabled SELinux already, that is.)
- Please mark your own answer as correct (I know that you have to wait a certain time). This will hopefully help others with the same problem in future, thanks. – Vérace, Apr 5, 2015 at 11:00
- If SELinux is disabled and the result is the same, what can be done? I have been trying for several days, still without success. – Iskren Mihaylov, Apr 23, 2015 at 9:32
- Have you verified the file permissions? MySQL must be able to read the certificate files. My working setup has the files owned by the mysql user with read permissions for the user only. – InfernoTK, Apr 24, 2015 at 15:52
- I really dislike the generic "disable SELinux" answer I see so often. Folks should learn how to use SELinux, not turn it off every time it gets in the way. (I'm not suggesting you are doing that, but it's becoming a pet peeve of mine every time I see it as a possible solution.) – woot, Jun 6, 2017 at 18:46
- Personally, I leave SELinux running, and I agree that one should. That said, I have wished I didn't so many times because of hard-to-debug issues like this! – BuvinJ, Apr 10, 2018 at 22:16
As pointed out by @InfernoTK in a comment, the issue can be POSIX permissions. Make sure the user that is running the MySQL daemon (the user is often called mysql) has read access to all the files specified in your my.cnf for the SSL options (ssl-ca, ssl-cert, ssl-key).
An easy way to test is to run:
sudo -u mysql cat /path/to/ssl/cert.pem
and repeat for the key and the CA cert.
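Both answers come down to the same question: can the daemon user actually open the three files that ssl-ca, ssl-cert and ssl-key point at, first under POSIX mode bits and then under the SELinux label? The script below is an added example of mine, not code from the question or either answer. It pulls the three paths out of the [mysqld] section of a my.cnf, decides from owner, group and mode whether a given user can read each one (the same thing the sudo -u mysql cat test exercises, without needing sudo or the mysql account on the auditing host), and prints the SELinux label when SELinux is enabled. It assumes GNU stat(1) on Linux; the my.cnf and PEM files that demo() writes into a temporary directory are constructed placeholders, and the user name mysql in the usage line is an assumption about your host.

```shell
#!/bin/sh
# Added example (not from the question or the answers): audit the files named by
# ssl-ca / ssl-cert / ssl-key in a my.cnf for readability by the daemon user.
# Assumptions: GNU stat(1) on Linux; the my.cnf and PEM files written by demo()
# are constructed placeholders, not real certificates.

# cnf_option CNF OPTION: print OPTION's value from the [mysqld] section of CNF.
# Accepts "opt=value" and "opt = value"; ignores the same option in other sections.
cnf_option() {
    awk -v opt="$2" '
        /^[[:space:]]*\[/ { in_mysqld = ($0 ~ /^[[:space:]]*\[mysqld\]/); next }
        in_mysqld && $0 ~ ("^[[:space:]]*" opt "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
        }' "$1"
}

# readable_by FILE USER: succeed when the DAC mode bits grant USER read access to
# FILE. Caveats: root bypasses mode bits, so do not run the real "cat" test as
# root; and every directory on the path also needs the execute (search) bit.
readable_by() {
    file=$1; user=$2
    [ -e "$file" ] || { echo "missing: $file" >&2; return 1; }
    uid=$(id -u "$user") || return 1
    mode=$(printf '%03d' "$(stat -c %a "$file")" | tail -c 3)   # e.g. 640; "0" -> 000
    if [ "$uid" = "$(stat -c %u "$file")" ]; then
        bit=$(printf '%s' "$mode" | cut -c1)                     # owner triplet
    elif id -G "$user" | tr ' ' '\n' | grep -qx "$(stat -c %g "$file")"; then
        bit=$(printf '%s' "$mode" | cut -c2)                     # group triplet
    else
        bit=$(printf '%s' "$mode" | cut -c3)                     # other triplet
    fi
    [ "$bit" -ge 4 ]                                             # 4 = read bit
}

# audit_cnf CNF USER: report each SSL file; return the count USER cannot read.
audit_cnf() {
    cnf=$1; user=$2; bad=0
    for opt in ssl-ca ssl-cert ssl-key; do
        path=$(cnf_option "$cnf" "$opt")
        if [ -z "$path" ]; then echo "$opt: not set in [mysqld] of $cnf"; continue; fi
        if readable_by "$path" "$user"; then verdict="readable by $user"
        else verdict="NOT readable by $user"; bad=$((bad + 1)); fi
        printf '%-8s %s owner=%s mode=%s %s\n' "$opt" "$path" \
            "$(stat -c %U:%G "$path" 2>/dev/null)" "$(stat -c %a "$path" 2>/dev/null)" "$verdict"
        # A wrong SELinux label gives the same "Failed to setup SSL" even when the
        # mode bits are right; "restorecon -v PATH" resets it to the policy default.
        if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce)" != "Disabled" ]; then
            printf '         selinux label=%s\n' "$(stat -c %C "$path" 2>/dev/null)"
        fi
    done
    return "$bad"
}

# demo: constructed my.cnf and placeholder PEMs in a temp dir, one per outcome.
demo() {
    d=$(mktemp -d); me=$(id -un)
    printf '%s\n' '[client]' 'ssl-ca=/not/the/server/setting' '[mysqld]' \
        "ssl-ca=$d/ca-cert.pem" "ssl-cert = $d/server-cert.pem" \
        "ssl-key=$d/server-key.pem" > "$d/my.cnf"
    for f in ca-cert server-cert server-key; do
        echo "constructed placeholder, not a real PEM" > "$d/$f.pem"
    done
    chmod 644 "$d/ca-cert.pem"       # world-readable: fine for the CA cert
    chmod 600 "$d/server-cert.pem"   # owner-only: fine if the owner is the daemon user
    chmod 000 "$d/server-key.pem"    # nobody can read it: reproduces the warning
    if audit_cnf "$d/my.cnf" "$me"; then echo "all SSL files readable by $me"
    else echo "$? SSL file(s) unreadable by $me"; fi
    rm -rf "$d"
}
demo
```

On a real host the call is audit_cnf /etc/my.cnf mysql, run as an unprivileged user so that root's bypass of the mode bits does not mask a problem. If the mode bits check out but the warning persists with SELinux enforcing, look for the denial with ausearch -m AVC -ts recent (or grep denied /var/log/audit/audit.log on CentOS 6) and fix the label with restorecon -v on the certificate directory, as the first answer did, rather than reaching for setenforce 0.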