Enabling SSL in MySQL

mysql ssl openssl

38,419

Solution 1

Ubuntu 12.04 comes with a OpenSSL 1.0.1, which has somewhat different defaults than the older OpenSSL 0.9.8 version.

Among other things, if you're using openssl req -newkey rsa:2048 to generate an RSA key, you'll end up with a key in a format called PKCS #8. Represented in the PEM format, these keys have the more generic -----BEGIN PRIVATE KEY----- header, which doesn't tell you what kind (RSA, DSA, EC) key it is.

Previously, with OpenSSL 0.9.8, keys were always in a format called PKCS #1, which represented as PEM, had the header -----BEGIN RSA PRIVATE KEY-----.

Because of this you cannot simply change the header and footer from:

-----BEGIN PRIVATE KEY-----

-----BEGIN RSA PRIVATE KEY-----`

It's not the same thing and it won't work. Instead you need to convert the key to the old format using openssl rsa. Like this:

openssl rsa -in key_in_pkcs1_or_pkcs8.pem -out key_in_pkcs1.pem

MySQL (v5.5.35) on Ubuntu 12.04 is using an SSL implementation called yaSSL (v2.2.2). It expect keys to be in the PKCS #1 format and doesn't support the PKCS #8 format used by OpenSSL 1.0 and newer. If you simply change the header and footer, as suggested by other posts in this thread, MySQL/yaSSL won't complain, but you'll be unable to connect and instead end up with an error like this:

ERROR 2026 (HY000): SSL connection error: protocol version mismatch

Ubuntu 14.04 comes with OpenSSL 1.0.1f and new settings. Among other things, it will generate certificates with SHA256 digests instead of SHA1, which was used in earlier versions. Incidentially, the yaSSL version bundled with MySQL doesn't support this either.

If you're generating certificates for use with MySQL, remember to make sure the RSA keys are converted to the traditional PKCS #1 PEM format and that certificates are using SHA1 digests.

Here's an example of how to generate your own CA, a server certificate and a client certificate.

# Generate a CA key and certificate with SHA1 digest
openssl genrsa 2048 > ca-key.pem
openssl req -sha1 -new -x509 -nodes -days 3650 -key ca-key.pem > ca-cert.pem

# Create server key and certficate with SHA1 digest, sign it and convert
# the RSA key from PKCS #8 (OpenSSL 1.0 and newer) to the old PKCS #1 format
openssl req -sha1 -newkey rsa:2048 -days 730 -nodes -keyout server-key.pem > server-req.pem
openssl x509 -sha1 -req -in server-req.pem -days 730  -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
openssl rsa -in server-key.pem -out server-key.pem

# Create client key and certificate with SHA digest, sign it and convert
# the RSA key from PKCS #8 (OpenSSL 1.0 and newer) to the old PKCS #1 format
openssl req -sha1 -newkey rsa:2048 -days 730 -nodes -keyout client-key.pem > client-req.pem
openssl x509 -sha1 -req -in client-req.pem -days 730 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem
openssl rsa -in client-key.pem -out client-key.pem

Solution 2

This helped me:

The header and footer of the file server-key.pem looked like that:

-----BEGIN PRIVATE KEY-----
...
...
-----END PRIVATE KEY-----

But it requires something like that:

-----BEGIN RSA PRIVATE KEY-----
...
...
-----END RSA PRIVATE KEY-----

Note the BEGIN RSA PRIVATE KEY

In order to see the log:

sudo vim /var/log/mysql/error.log

Hope this helps.

Solution 3

I had the same troubles on 12.04 but it was in fact apparmor that caused the problems.

I found a solution at the Ubuntu Forums, moving .pem files in /etc/mysql resolved it.

You can also change the apparmor configuration in /etc/apparmor.d/usr.sbin.mysqld.

Solution 4

Make sure that the user running the mysqld process has read access to the keys and certificate files. If you launch MySQL using the account "mysql", you would:

/etc/mysql$ chown mysql:mysql *.pem
/etc/mysql$ ls -l *.pem
-rwxrwx--- 1 mysql mysql 1631 2013-09-16 14:27 ca-cert.pem
-rwxrwx--- 1 mysql mysql 1281 2013-09-16 14:27 server-cert.pem
-rwxrwx--- 1 mysql mysql 1679 2013-09-16 14:27 server-key.pem

Otherwise, you might get the following in your error log:

SSL error: Unable to get certificate from '/etc/mysql/server-cert.pem'
130916 13:32:25 [Warning] Failed to setup SSL
130916 13:32:25 [Warning] SSL error: Unable to get certificate

Solution 5

On Ubuntu 16.04, I ran mysql_ssl_rsa_setup, could see the files in show variables as in the question, but have_ssl and have_openssl continued to be DISABLED.

The solution was to chown mysql.mysql /var/lib/mysql/*.pem. Alternatively, I assume if you run mysql_ssl_rsa_setup as the mysql user, it will create the files with the correct permissions.

View more solutions

38,419

visitor93746

Updated on September 18, 2022

Comments

visitor93746 over 1 year
I'm running Ubuntu Server 12.04, and I want to enable SSL connections to MySQL.

I've generated the following keys/certs files with OpenSSL:
- ca-cert.pem
- server-cert.pem
- server-key.pem
I stored these at /etc/mysql, then added added the following lines to /etc/mysql/my.cnf:
```
ssl-ca=/etc/mysql/ca-cert.pem
ssl-cert=/etc/mysql/server-cert.pem
ssl-key=/etc/mysql/server-key.pem
```
Next, I restarted the server with sudo service restart mysql.

However, this doesn't seem to enable SSL. Within a mysql session:
```
mysql> show variables like '%ssl%';
+---------------+----------------------------+
| Variable_name | Value                      |
+---------------+----------------------------+
| have_openssl  | DISABLED                   |
| have_ssl      | DISABLED                   |
| ssl_ca        | /etc/mysql/ca-cert.pem     |
| ssl_capath    |                            |
| ssl_cert      | /etc/mysql/server-cert.pem |
| ssl_cipher    |                            |
| ssl_key       | /etc/mysql/server-key.pem  |
+---------------+----------------------------+
```
Any ideas what I'm missing? Thanks
- Admin over 11 years
  
  Check out this awesome thread.. Perhaps it could help you.
- Admin over 11 years
  
  Thanks for the link SirCharlo, but the issue addressed in that thread does not seem to apply to my situation.
- Admin about 11 years
  
  What @SirCharlo mentions is where you want to look. Specifically the Apparmor part and post #10. Keys I've generated on Debian Squeeze or an older Ubuntu work fine - regenerating in 12.04 makes it fail again. See the MySQL error logs as well.
- Admin about 9 years
  
  I had this same question and spent hours on it, but @user262116's answer solved it. I'd encourage you to accept that answer if it helped you!
Lucio over 10 years

Great. But how could this be done? Take a time and explain further, giving more information :)
Tommy Andersen over 10 years

I had a similar problem in my Ubunbtu 12.04 with mysql 5.5.34, where the pem files all had readable by all and still gave me the same problem. But this answer combined with changing the owner did the trick.
Tommy Andersen over 10 years

This combined with adding RSA to the server-key.pem file did the trick.
generalopinion almost 10 years

This post saved the day for me! Fantastic explanation and solution.
White Death about 9 years

Unfortunately, I still got the ERROR 2026 (HY000): SSL connection error: protocol version mismatch errors (using OpenSSL 1.0.1f). I switched to OpenSSL 1.0.1e and it worked with the above instructions.
elixenide about 9 years

This answer is amazing - would award a massive bounty if I could. Great explanation of the problem.
Steve Chambers over 8 years

Another voice to add to the horde. Have been trawling the Internet trying to find a solution to why the MySQL documented set up just wouldn't work - the bottom part of this post completely saved my day.
Jonathan almost 8 years

This was the problem I had as well
Delphine almost 8 years

Right answer ! Well explained and fully functional. Saved my day.. ! Question's author should come back and set this answer as the good one.
knocte almost 8 years

is that a typo? do you mean "moving pem files to" instead of "moving pem files in"? sorry for being so pedant but I got a bit confused
Christopher Schultz almost 8 years

FWIW, using SHA256 signatures with MySQL 5.5.49 seems to work. The key format seems to be the only sticking-point.
rustyx over 7 years

Don't manually add "RSA" - this will only suppress the error, but SSL won't work (you will get another error, "SSL connection error: protocol version mismatch"). Convert from PKCS#8 to PKCS#1 format instead using openssl rsa
WinEunuuchs2Unix over 7 years

The question is four years and two months old... It's unlikely the OP will respond to your answer.
Craig Wright over 7 years

I posted this simply as a service for future readers because this is one of the top google search results for this problem and nothing I read helped solve my problem. The value of this answer referring to the state of the world in Ubuntu 12.04 and even 14.04 is losing relevance.
Oldskool over 5 years

@WinEunuuchs2Unix Maybe not the OP, but here I am, almost two years later looking for exactly this answer. So, thank you Craig!