  • CentOS 7.2.1511
  • Linux 3.10.0-123.9.3.el7.x86_64
  • MariaDB: 10.1.11

/etc/my.cnf

#
# This group is read both by the client and the server
# use it for options that affect everything
#
[client-server]

#
# include all files from the config directory
#
!includedir /etc/my.cnf.d

[mysqld]
ssl
ssl-ca       = /root/ca.pem
ssl-cert     = /root/server-cert.pem
ssl-key      = /root/server-key.pem 
bind-address = 0.0.0.0
port         = 3306
max_allowed_packet = 16M


[mysqldump]
max_allowed_packet = 16M

I started MariaDB with the command:

systemctl start mysql

Then I logged in to mysql as root and typed status, which showed "SSL: Not in use". Then I typed

show variables like '%ssl%';

And I get a table:

+---------------------+---------------------------------+
| Variable_name       | Value                           |
+---------------------+---------------------------------+
| have_openssl        | YES                             |
| have_ssl            | DISABLED                        |
| ssl_ca              | /root/ca.pem                    |
| ssl_capath          |                                 |
| ssl_cert            | /root/server-cert.pem           |
| ssl_cipher          |                                 |
| ssl_crl             |                                 |
| ssl_crlpath         |                                 |
| ssl_key             | /root/server-key.pem            |
| version_ssl_library | OpenSSL 1.0.1e-fips 11 Feb 2013 |
+---------------------+---------------------------------+

Finally, I even tried to log in with SSL, and it obviously failed.

UPDATE

Here are some warning messages in the error log file:

[Warning] Failed to setup SSL
[Warning] SSL error: SSL_CTX_set_default_verify_paths failed
[Warning] SSL error: error:0200100D:system library:fopen:Permission denied
[Warning] SSL error: error:2006D002:BIO_new_file:system lib
[Warning] SSL error: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib
bitdancer
  • Are there any relevant messages in your log files? What exactly are you doing, and what exactly are the error messages you see? – user9517 Feb 21 '16 at 09:07
  • @lain Thank you for reminding me of that. I found some SSL error messages in the MariaDB error log file. Maybe it is the key to the problem, but I don't know how to fix it. – bitdancer Feb 21 '16 at 14:44

1 Answer


MariaDB is not allowed to access files in root's home directory /root. Thus, the CA, certificate and private key files are unreadable.

The standard locations for these files on RHEL are in directories under /etc/pki: /etc/pki/CA, /etc/pki/tls/certs and /etc/pki/tls/private. If you copy them here, and set the proper ownership and permissions so that MariaDB can read them, you will find that it works. Alternately, you can place the certificates and private key file in a subdirectory of /etc/mysql.

Michael Hampton