I'm having difficulty starting MariaDB 10.2 (10.2.16-MariaDB-log, FreeBSD Ports) with SSL support in a jail after a restart of the host.
After I set up the jail and restarted mysql-server without restarting the jail, the SSL setup was OK and clients could connect. Now, after 4 days, I had to physically migrate the host machine, so I turned it off. After turning it on again, the jail does not have SSL functionality for connecting clients.
I'm getting the following log upon starting of mysql-server:
Code:
...
2018-07-16 16:18:15 34424840192 [Warning] Failed to setup SSL
2018-07-16 16:18:15 34424840192 [Warning] SSL error: SSL_CTX_set_default_verify_paths failed
2018-07-16 16:18:15 34424840192 [Warning] SSL error: error:0200100D:system library:fopen:Permission denied
2018-07-16 16:18:15 34424840192 [Warning] SSL error: error:2006D002:BIO routines:BIO_new_file:system lib
2018-07-16 16:18:15 34424840192 [Warning] SSL error: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib
...
The config (/usr/local/etc/my.cnf) contains the following:
Code:
ssl = 1
ssl-ca = /usr/app/mariadb/ssl/ca.crt
ssl-key = /usr/app/mariadb/ssl/mysql-pkcs1.key
ssl-cert = /usr/app/mariadb/ssl/mysql.crt
ssl-cipher = ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA
bind-address = 0.0.0.0
The permissions are as follows:
Code:
ls -lah /usr/app/mariadb/ssl
total 50
drw-r--r-- 2 mysql mysql 11B Jul 12 14:48 .
drwxr-xr-x 3 mysql mysql 3B Jul 12 12:09 ..
-rw-r--r-- 1 mysql mysql 3.2K Jul 12 13:52 ca-pkcs1.key
-rw-r--r-- 1 mysql mysql 3.2K Jul 12 13:51 ca-pkcs8.key
-rw-r--r-- 1 mysql mysql 2.2K Jul 12 13:50 ca.crt
-rw-r--r-- 1 mysql mysql 3.2K Jul 12 13:58 mysql-pkcs1.key
-rw-r--r-- 1 mysql mysql 3.2K Jul 12 13:57 mysql-pkcs8.key
-rw-r--r-- 1 mysql mysql 2.2K Jul 12 13:56 mysql.crt
-rw-r--r-- 1 mysql mysql 3.2K Jul 12 14:48 mysqlclient-pkcs1.key
-rw-r--r-- 1 mysql mysql 3.2K Jul 12 14:48 mysqlclient-pkcs8.key
-rw-r--r-- 1 mysql mysql 2.1K Jul 12 14:47 mysqlclient.crt
In the mysql client on the jail itself I get this:
Code:
MariaDB [(none)]> show global variables like '%ssl%';
+---------------------+------------------------------------------------+
| Variable_name       | Value                                          |
+---------------------+------------------------------------------------+
| have_openssl        | YES                                            |
| have_ssl            | DISABLED                                       |
| ssl_ca              | /usr/app/mariadb/ssl/ca.crt                    |
| ssl_capath          |                                                |
| ssl_cert            | /usr/app/mariadb/ssl/mysql.crt                 |
| ssl_cipher          | ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA |
| ssl_crl             |                                                |
| ssl_crlpath         |                                                |
| ssl_key             | /usr/app/mariadb/ssl/mysql-pkcs1.key           |
| version_ssl_library | OpenSSL 1.0.2j-freebsd 26 Sep 2016             |
+---------------------+------------------------------------------------+
Also, I created a ZFS snapshot after the install of MariaDB just to make sure. After getting the SSL connectivity errors I reverted to that snapshot... but the problem persists... Very odd.
Is there anything that I may be missing? From where I'm standing this should not result in an SSL_CTX_set_default_verify_paths error... Can it be that the certificates need to be placed in a special directory?
Any help is greatly appreciated.
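The listing in the post shows the ssl directory itself with mode drw-r--r--, i.e. without the search (x) bit a process needs before it can open anything inside that directory, which is the kind of condition that yields fopen: Permission denied even though every file in it is readable. The script below is an added example (not from the original post or from MariaDB) that checks for exactly that: it walks every directory on the way to a PEM file and tests the x bit for the permission class that applies to a given user and group, then the r bit on the file; the user and group names are passed in as arguments, and the sample tree the test builds is constructed, not real key material.

```sh
#!/bin/sh
# Added example, not from the original post: decide whether USER (member of
# GROUP) could open FILE, by checking the search (x) bit on every directory
# leading to it and the read (r) bit on the file. Modes and ownership are
# parsed from `ls -ld`, which has the same column layout on FreeBSD and Linux.

# Print the rwx triplet of PATH that applies to USER:GROUP (owner, group or
# other class, in that order of precedence, as the kernel applies them).
class_bits() {
    # $1 user, $2 group, $3 path; after set: $4 mode, $6 owner, $7 group
    set -- "$1" "$2" "$3" $(ls -ld "$3")
    if [ "$1" = "$6" ]; then
        echo "$4" | cut -c2-4
    elif [ "$2" = "$7" ]; then
        echo "$4" | cut -c5-7
    else
        echo "$4" | cut -c8-10
    fi
}

# Usage: can_open_as USER GROUP /abs/path/file
# Exit 0 when every directory is searchable and the file readable, 1 otherwise;
# each failing component is reported with its full symbolic mode.
can_open_as() {
    user=$1; group=$2; target=$3; ok=0
    case "$target" in /*) ;; *) target=$PWD/$target ;; esac
    dir=$(dirname "$target")
    while :; do
        bits=$(class_bits "$user" "$group" "$dir")
        # x, or s/t (setgid/sticky with x set), in the third position = searchable
        case "$bits" in
            ??[xst]) ;;
            *) echo "no search bit for $user on $dir ($(ls -ld "$dir" | cut -c1-10))"; ok=1 ;;
        esac
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    bits=$(class_bits "$user" "$group" "$target")
    case "$bits" in
        r??) ;;
        *) echo "no read bit for $user on $target ($(ls -ld "$target" | cut -c1-10))"; ok=1 ;;
    esac
    return $ok
}

# Run against the paths from the post, as the account mysqld runs under:
# can_open_as mysql mysql /usr/app/mariadb/ssl/ca.crt
```

Run it for each of ssl-ca, ssl-cert and ssl-key; a non-zero exit names the first component the server account cannot get past.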