MariaDB always shows SSL not in use when I start mysqld with --ssl

bitweaver asked:

  • CentOS 7.2.1511
  • Linux 3.10.0-123.9.3.el7.x86_64
  • MariaDB: 10.1.11


# This group is read both by the client and the server
# use it for options that affect everything

# include all files from the config directory
!includedir /etc/my.cnf.d

ssl-ca       = /root/ca.pem
ssl-cert     = /root/server-cert.pem
ssl-key      = /root/server-key.pem
bind-address =
port         = 3306
max_allowed_packet = 16M

I started mariadb with command:

systemctl start mysql

Then I logged in to mysql as root and typed status, which shows SSL: Not in use. Then I typed

show variables like '%ssl%';

And I get a table:

| Variable_name       | Value                           |
|---------------------|---------------------------------|
| have_openssl        | YES                             |
| have_ssl            | DISABLED                        |
| ssl_ca              | /root/ca.pem                    |
| ssl_capath          |                                 |
| ssl_cert            | /root/server-cert.pem           |
| ssl_cipher          |                                 |
| ssl_crl             |                                 |
| ssl_crlpath         |                                 |
| ssl_key             | /root/server-key.pem            |
| version_ssl_library | OpenSSL 1.0.1e-fips 11 Feb 2013 |

At last I even tried to log in with SSL and it failed, obviously.


Here are some warning messages in the error log file:

[Warning] Failed to setup SSL
[Warning] SSL error: SSL_CTX_set_default_verify_paths failed
[Warning] SSL error: error:0200100D:system library:fopen:Permission denied
[Warning] SSL error: error:2006D002:BIO_new_file:system lib
[warning] SSL error: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib

My answer:

MariaDB is not allowed to access files in root’s home directory /root. Thus, the CA, certificate and private key files are unreadable.

The standard locations for these files on RHEL are in directories under /etc/pki: /etc/pki/CA, /etc/pki/tls/certs and /etc/pki/tls/private. If you copy them here, and set the proper ownership and permissions so that MariaDB can read them, you will find that it works. Alternately, you can place the certificates and private key file in a subdirectory of /etc/mysql.
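The permission walk behind that diagnosis, as an added example that is not part of the question or the answer: the script below reproduces what the kernel checks when mysqld opens a file, namely execute (search) permission on every directory on the path and read permission on the file itself, for the uid/gid the server runs as. It assumes a Linux host with GNU or busybox `stat -c` (as on CentOS), that the service account is named `mysql`, and it only considers the user's primary group (supplementary groups are ignored). Running it against the paths from the question reports `/root` itself as the component that denies access, which is exactly why `have_ssl` stays `DISABLED` and the error log shows `fopen:Permission denied`.

```shell
#!/bin/sh
# check_tls_paths.sh: report whether a service account could read each TLS
# file named in my.cnf. Added example, not code from the question or answer.
# Assumptions: GNU/busybox `stat -c`; only the primary group is considered.

# perm_digit MODE WHICH -> print the owner (1), group (2) or other (3)
# octal digit of MODE, ignoring a leading setuid/setgid/sticky digit.
perm_digit() {
    m=$1
    while [ ${#m} -lt 3 ]; do m=0$m; done   # pad short modes such as "0"
    m=${m#"${m%???}"}                       # keep the last three digits
    case $2 in
        1) printf '%s' "${m%??}" ;;
        2) m=${m#?}; printf '%s' "${m%?}" ;;
        3) printf '%s' "${m#??}" ;;
    esac
}

# digit_allows DIGIT r|x -> 0 if the octal digit grants read / execute
digit_allows() {
    case $2 in
        r) case $1 in 4|5|6|7) return 0 ;; esac ;;
        x) case $1 in 1|3|5|7) return 0 ;; esac ;;
    esac
    return 1
}

# allowed PATH UID GID r|x -> 0 if that uid/gid gets the right on PATH,
# 1 if denied, 2 if PATH cannot be stat'ed.
allowed() {
    [ "$2" -eq 0 ] && return 0                    # root bypasses mode bits
    info=$(stat -c '%a %u %g' "$1" 2>/dev/null) || return 2
    mode=${info%% *}; rest=${info#* }
    fuid=${rest%% *}; fgid=${rest#* }
    if [ "$fuid" -eq "$2" ]; then which=1         # owner class
    elif [ "$fgid" -eq "$3" ]; then which=2       # group class
    else which=3; fi                              # other class
    digit_allows "$(perm_digit "$mode" "$which")" "$4"
}

# readable_by PATH UID GID -> 0 if readable, 1 if blocked, 2 if missing.
# Sets BLOCKED_AT to the first path component that denies access.
readable_by() {
    path=$1
    case $path in /*) ;; *) path=$(pwd)/$path ;; esac
    [ -e "$path" ] || { BLOCKED_AT=$path; return 2; }
    dir=$(dirname "$path")
    while :; do                                   # walk up to "/"
        allowed "$dir" "$2" "$3" x || { BLOCKED_AT=$dir; return 1; }
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    allowed "$path" "$2" "$3" r || { BLOCKED_AT=$path; return 1; }
    BLOCKED_AT=
    return 0
}

# report USER FILE... -> one line per file; returns 1 if any file is blocked
report() {
    user=$1; shift
    uid=$(id -u "$user") && gid=$(id -g "$user") || return 2
    rc=0
    for f in "$@"; do
        if readable_by "$f" "$uid" "$gid"; then
            printf 'OK       %s\n' "$f"
        else
            printf 'BLOCKED  %s (denied at %s)\n' "$f" "$BLOCKED_AT"; rc=1
        fi
    done
    return $rc
}

# Usage: sh check_tls_paths.sh mysql /root/ca.pem /root/server-cert.pem /root/server-key.pem
if [ $# -ge 2 ]; then report "$@"; fi
```

Because the check walks every parent directory, it also catches the less obvious failure after the files have been moved: a private key copied into /etc/pki/tls/private with the right owner is still unreadable if that directory, or /etc/mysql/<subdir>, lacks search permission for the mysql user. Run it after any `cp`/`chown`/`chmod` before restarting the service.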

View the full question and any other answers on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.