Unable to configure two-way SSL for MariaDB using Let's Encrypt certificate

I am using CentOS 7 and trying to configure MariaDB two-way SSL. I have generated certificates for mariadbserver and mariadbuser using certbot.

My domain is: mariadbserver and mariadbuser

I ran this command:
sudo certbot certonly -d mariadbserver -d mariadbuser
It produced this output: chain.pem, cert.pem, fullchain.pem, privkey.pem
for both client and server. I moved all these files to /etc/my.cnf.d/certificates and renamed them for client and server. After renaming, my certificate folder looks like this:

client-cert.pem client-chain.pem client-fullchain.pem client-privkey.pem server-chain.pem server-cert.pem server-fullchain.pem server-privkey.pem

For the certificate folder I ran: sudo chown -R mysql. /etc/my.cnf.d/certificates

Then in the /etc/my.cnf file I added the configuration below:

[client-mariadb]
ssl-ca=/etc/my.cnf.d/certificates/client-chain.pem
ssl-cert=/etc/my.cnf.d/certificates/client-cert.pem
ssl-key=/etc/my.cnf.d/certificates/client-privkey.pem
[mariadb]
ssl-ca=/etc/my.cnf.d/certificates/server-chain.pem
ssl-cert=/etc/my.cnf.d/certificates/server-cert.pem
ssl-key=/etc/my.cnf.d/certificates/server-privkey.pem

Then I restarted the MariaDB server, but after logging in to the MariaDB terminal the status shows that no cipher is in use. What is the problem? Please help.

I can login to a root shell on my machine (yes or no) : yes

Hi @Dev, and welcome to the LE community forum :slight_smile:

If you were able to obtain an LE cert, then there is little more that we can do for you.
[possibly help with the autorenewal process of any LE certs]

For your described problem, I would start here:

SHOW VARIABLES LIKE 'have_ssl';

3 Likes

So what is/are the domain(s)? This can be configured but there has TO BE A FQDN.
Am I missing something? Probably. How can someone get a cert for mariadbserver and mariadbuser... something is missing here. I can't imagine LE issuing any certs for a non-FQDN.
More info needed.
RIP

3 Likes

Hello @Dev, welcome to the Let's Encrypt community. :slightly_smiling_face:
I realize that progress has been made on your issue; however, it would still likely be helpful to answer the questionnaire below.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Thank you for assisting us in helping YOU!

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.