I’m attempting to use Let’s Encrypt to enable MariaDB SSL. Unfortunately, it doesn’t seem to work. I’m using letsencrypt 0.4.1 and MariaDB 15.1 compiled with OpenSSL on Ubuntu Xenial. I’ve successfully used letsencrypt to set up my Apache server. I then turned off apache and ran ‘letsencrypt certonly -d MYDOMAIN --standalone’. (Apache and MySQL use different subdomains, and I don’t want them to share keys.) I copied the key and certificates to a directory where mysqld has permissions, and use the following settings in my.cnf.
I get no error messages upon restarting mysqld, and it says that SSL is enabled from the CLI. I then tried to connect with the following command:
mysql -u USER -p --ssl_ca USER-READABLE-FOLDER/chain.pem -h MY-FQDN --ssl-verify-server-cert
I get the error: ssl3_get_server_certificate certificate verify failed
I tried converting the key to PKCS1 using ‘openssl rsa -in privkey.pem -out privkey.pem’, and it didn’t change things. I used openssl to verify the validity of the certificates, and everything seemed fine.
I tried instead generating certificates according to the MySQL 5.7 instructions, and was able to connect without any errors.
Can anyone comment on the differences between the certificates and keys generated by the mysql process versus those generated by letsencrypt? Has anyone successfully used letsencrypt with MariaDB or MySQL?
I’m not trying to connect using client certificates, so that’s not relevant. I’m just using the server certificates to verify the server identity and start an encrypted connection.
Osiris,
I would love if mysqld actually logged anything. Despite trying a number of config changes, nothing shows up in the error logs about the ssl connections.
I’ve decided to use an SSH tunnel for now. SSL will have to wait for when I have more time.
@Osiris MariaDB is the free fork of MySQL, since Oracle changed the licensing on the official MySQL software. Because it’s a fork and is still largely compatible, most of the command names and configuration variables still refer to “mysql” rather than “MariaDB,” and are likely to do so for a long time.
@kitchentropy I’ve not personally had much luck setting up SSL with MySQL or MariaDB. However, I’ll note this: In most cases, it’s not necessary to get a Let’s Encrypt certificate for your database. You can instead use your own self-signed certificates or create your own CA cert with OpenSSL, without any loss of security, so long as you configure certificate checking correctly. The purpose of a public CA like Let’s Encrypt is to introduce clients and servers that don’t have a pre-existing relationship (like browsers and web sites). Since you almost certainly have a pre-existing relationship between your database and any database clients, you can distribute your self-signed certificate (or personal CA certificate) to the clients and configure them to trust it.
All that said, if you’ve got an SSH tunnel set up and it’s working well for you, I don’t see any reason to change it.
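The following script is an added example, not code from the thread or from MariaDB or Let’s Encrypt. It puts the two threads of the discussion side by side: it builds the kind of private CA the last reply suggests (a self-signed root, an intermediate, and a server certificate for a database host), and then runs the checks a database client performs when it is given a CA file and told to verify the server certificate. The host name `db.example.internal`, the `WORKDIR` location, and the file names are assumptions chosen for the example. Beyond the self-signed case, it also shows why handing the client only an intermediate certificate as its CA file (as happens with a Let’s Encrypt `chain.pem`, which carries the intermediate but not the root) makes `openssl verify` fail: OpenSSL will not accept a chain that does not end in a self-signed trust anchor unless partial chains are explicitly enabled.

```shell
#!/bin/sh
# Added example (not from the thread): build a private root CA, an intermediate,
# and a server certificate with OpenSSL, then run the checks a database client
# performs. Host name, directory and file names are hypothetical.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
DB_HOST="${DB_HOST:-db.example.internal}"   # hypothetical FQDN clients connect to

gen_cert() {
    # gen_cert NAME SUBJECT EXTFILE [ISSUER]: self-signed when no issuer is given,
    # otherwise signed by ISSUER's key. Writes NAME-key.pem and NAME-cert.pem.
    name=$1; subj=$2; ext=$3; issuer=${4:-}
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "$subj" \
        -keyout "$WORKDIR/$name-key.pem" -out "$WORKDIR/$name.csr" 2>/dev/null
    if [ -z "$issuer" ]; then
        openssl x509 -req -in "$WORKDIR/$name.csr" -sha256 -days 3650 \
            -signkey "$WORKDIR/$name-key.pem" -extfile "$ext" \
            -out "$WORKDIR/$name-cert.pem" 2>/dev/null
    else
        openssl x509 -req -in "$WORKDIR/$name.csr" -sha256 -days 825 \
            -CA "$WORKDIR/$issuer-cert.pem" -CAkey "$WORKDIR/$issuer-key.pem" \
            -CAcreateserial -extfile "$ext" -out "$WORKDIR/$name-cert.pem" 2>/dev/null
    fi
}

build_pki() {
    # CA certificates must carry CA:true or signatures made with them are rejected.
    printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORKDIR/ca.ext"
    # The SAN must match the name the client connects to (-h) for server-name
    # verification to pass.
    printf 'basicConstraints=critical,CA:false\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' \
        "$DB_HOST" > "$WORKDIR/server.ext"
    gen_cert root "/CN=Example Root CA" "$WORKDIR/ca.ext"
    gen_cert intermediate "/CN=Example Intermediate CA" "$WORKDIR/ca.ext" root
    gen_cert server "/CN=$DB_HOST" "$WORKDIR/server.ext" intermediate
}

verify_against_root() {
    # The check a client makes with the root as its CA file: server -> intermediate
    # -> trusted root. The intermediate is passed as -untrusted, the way a server
    # sends it alongside its own certificate.
    openssl verify -CAfile "$WORKDIR/root-cert.pem" \
        -untrusted "$WORKDIR/intermediate-cert.pem" "$WORKDIR/server-cert.pem" \
        >/dev/null 2>&1 && echo OK || echo FAIL
}

verify_against_intermediate_only() {
    # With only the intermediate as the CA file, OpenSSL cannot reach a self-signed
    # trust anchor and refuses the chain. Expected result: FAIL.
    openssl verify -CAfile "$WORKDIR/intermediate-cert.pem" "$WORKDIR/server-cert.pem" \
        >/dev/null 2>&1 && echo OK || echo FAIL
}

key_matches_cert() {
    # The public key inside server-cert.pem must equal the one derived from
    # server-key.pem; a mismatched pair is a common cause of a silent TLS failure.
    c=$(openssl x509 -in "$WORKDIR/server-cert.pem" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$WORKDIR/server-key.pem" -pubout | openssl sha256)
    [ "$c" = "$k" ] && echo match || echo mismatch
}

build_pki
echo "chain to root:           $(verify_against_root)"
echo "intermediate only as CA: $(verify_against_intermediate_only)"
echo "server key/cert:         $(key_matches_cert)"
```

The generated files map onto the server options (`ssl-ca`, `ssl-cert`, `ssl-key` in `my.cnf`, pointing at `root-cert.pem`, `server-cert.pem` and `server-key.pem`) and onto the client’s `--ssl-ca`, which should receive `root-cert.pem`, the self-signed anchor, rather than the intermediate. Running the same `openssl verify` with the CA file you intend to hand the client is a quick way to separate a certificate-chain problem from a MariaDB configuration problem before touching the server at all.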