
I'm a bit of a unix newbie and am working with a MariaDB Enterprise server on RHEL 7.2, connecting to it via a RHEL 7.2 client. I used this guide to create all the certificates and keys I need for server and client alike. Here's what my.cnf looks like:

# Example mysql config file.
# You can copy this to one of:
# /etc/my.cnf to set global options,
# /mysql-data-dir/my.cnf to get server specific options or
# ~/my.cnf for user specific options.
# 
# One can use all long options that the program supports.
# Run the program with --help to get a list of available options

# This will be passed to all mysql clients
[client]
#password=my_password
#port=3306
#socket=/tmp/mysql.sock
#datadir=/var/lib/mysql


# Here is entries for some specific programs
# The following values assume you have at least 32M ram

# The MySQL server
[mysqld]
#port=3306
#socket=/var/lib/mysql/mysql.sock

temp-pool

# The following three entries caused mysqld 10.0.1-MariaDB (and possibly other versions) to abort...
# skip-locking
# set-variable  = key_buffer=16M
# set-variable  = thread_cache=4

loose-innodb_data_file_path = ibdata1:1000M
loose-mutex-deadlock-detector
gdb

######### Fix the two following paths

# Where you want to have your database
data=/var/lib/mysql

# Where you have your mysql/MariaDB source + sql/share/english
#language=/path/to/src/dir/sql/share/english
#language=/usr/local/mysql/share

[mysqldump]
quick
set-variable = max_allowed_packet=16M

[mysql]
no-auto-rehash

[myisamchk]
set-variable= key_buffer=128M

[mysqld]
ssl-ca=/etc/mysql-ssl/ca-cert.pem
ssl-cert=/etc/mysql-ssl/server-cert.pem
ssl-key=/etc/mysql-ssl/server-key.pem
bind-address=*
socket=/var/lib/mysql/mysql.sock
datadir=/var/lib/mysql
user=mysql
bind-address=*

# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0
# Settings user and group are ignored when systemd is used.
# If you need to run mysqld under a different user or group,
# customize your systemd unit file for mariadb according to the
# instructions in http://fedoraproject.org/wiki/Systemd

[mysqld_safe]
log-error=/var/log/mariadb/mariadb.log
pid-file=/var/run/mariadb/mariadb.pid

#
# include all files from the config directory
#
!includedir /etc/my.cnf.d

and I stopped the mysql service and started it like this:

service mysql start --ssl-ca=ca-cert.pem --ssl-cert=server-cert.pem --ssl-key=server-key.pem

But still, when I try to check if SSL is enabled I always see this:

MariaDB [(none)]> SHOW GLOBAL VARIABLES LIKE 'have_%ssl';
+---------------+----------+
| Variable_name | Value    |
+---------------+----------+
| have_openssl  | YES      |
| have_ssl      | DISABLED |
+---------------+----------+

And the ssl-requiring user I created gets access denied.

According to all the websites I looked up, it's supposed to be enough to just start the mysql service with these ssl details or just the ssl key but nothing works.

What do I do?

  • There is no ? in this question post. What is your question? See how to ask and create a Minimal, Complete, and Verifiable example. Commented Jul 24, 2016 at 14:05
  • "What do I do?" does not add any value. After the explanation of your situation, ask a very specific question. Please see how to ask. Commented Jul 24, 2016 at 14:24
  • I really think I gave enough information. I'm sorry that you can't understand that I can't enable the use of ssl connections in my MariaDB, not from the text and not from the headline. Commented Jul 24, 2016 at 14:36
  • Yes you did give plenty of information. Since this is a first post it comes thru the first post review queue, it is going to get extra scrutiny on asking format and style, not only information. Especially with a longer post, summarization is helpful and needed, either in the title or a simple summary question at the end of post. See the bad vs good titles in the guides. Commented Jul 24, 2016 at 14:58
  • Check Enabling SSL in MariaDB running on Synology NAS. Commented Aug 6, 2016 at 6:18

1 Answer

Are you sure that every user has read access to your credential files? If not, a chmod ugo+r /etc/mysql-ssl/* may help.


2 Comments

I can confirm that this was the problem on Debian. If mysqld can't read one or more of the certificate files, it will simply keep the have_ssl variable set to DISABLED. As soon as I fixed my permissions it went from DISABLED to YES.
I followed this cyberciti.biz/faq/… tutorial, and this was the missing step to get it running.
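
One way to check the condition the answer and its first comment describe, as an added example that is not part of the original thread: it reads the ssl-ca / ssl-cert / ssl-key paths from the [mysqld] section of a my.cnf and reports any file the server account cannot read, and also any private key that every local account can read. The function names and the SVC_UID / SVC_GIDS variables are assumptions of this example; it looks only at each file's own mode bits, not at parent directories, ACLs or SELinux labels.

```shell
# Added example, not from the post: audit the TLS files named under [mysqld].
# Assumptions: SVC_UID / SVC_GIDS are the server account's numeric uid and gids
# (looked up for "mysql" when unset); only the files' own mode bits are checked.

# Print "option path" for each ssl-ca / ssl-cert / ssl-key line under [mysqld].
ssl_paths() {
    awk -F= '
        /^[ \t]*\[/ { srv = ($0 ~ /^[ \t]*\[mysqld\]/); next }
        srv && /^[ \t]*ssl[-_](ca|cert|key)[ \t]*=/ {
            gsub(/[ \t]/, "", $1); gsub(/^[ \t]+|[ \t]+$/, "", $2)
            print $1, $2
        }' "$1"
}

# Report whether the server account can read one file, and flag a private key
# that every other local account could read too.
audit_file() {
    opt=$1 path=$2
    [ -e "$path" ] || { echo "MISSING $opt $path"; return 1; }
    set -- $(ls -ldnL -- "$path" | awk '{print $1, $3, $4}')
    perm=$1 uid=$2 gid=$3 bit='???????r*'        # default class: "other"
    if [ "$uid" = "$SVC_UID" ]; then
        bit='?r*'                                # server account owns the file
    else
        for g in $SVC_GIDS; do [ "$g" = "$gid" ] && bit='????r*'; done
    fi
    case $perm in
        $bit) ;;
        *) echo "UNREADABLE $opt $path ($perm $uid:$gid)"; return 1 ;;
    esac
    case $opt:$perm in
        ssl?key:???????r*) echo "KEY_WORLD_READABLE $opt $path ($perm)"; return 2 ;;
    esac
    echo "OK $opt $path"
}

# Audit every TLS file in a config file; returns non-zero on any finding.
audit_cnf() {
    rc=0
    SVC_UID=${SVC_UID:-$(id -u mysql 2>/dev/null)}
    SVC_GIDS=${SVC_GIDS:-$(id -G mysql 2>/dev/null)}
    while read -r opt path; do
        [ -n "$opt" ] || continue
        audit_file "$opt" "$path" || rc=1
    done <<EOF
$(ssl_paths "$1")
EOF
    return $rc
}
```

Run it as `audit_cnf /etc/my.cnf`. A key reported as KEY_WORLD_READABLE can instead be owned by the server account with mode 0600, which keeps it readable by mysqld without exposing it to other local users.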
