
SSL configuration fails with a warning

3029903 Dec 16 2019 — edited Dec 26 2019

Hi, I am trying to set up a MySQL server 8.0.16 on RHEL 7.5. The configuration I am willing to include for this server contains SSL-related options.

The MySQL server is initialized but with a warning related to SSL, which is as follows:

mysqld --defaults-file=/mysql_data/config/options.cnf --initialize --user=mysql &

[root@BFLBRESRV03 ~]# 100

100 200 300 400 500

100 200 300 400 500

100

2019-12-13T13:04:14.071486Z 0 [Warning] [MY-011070] [Server] 'Disabling symbolic links using --skip-symbolic-links (or equivalent) is the default. Consider not using this option as it' is deprecated and will be removed in a future release.

2019-12-13T13:04:14.071739Z 0 [System] [MY-013169] [Server] /mysql_binaries/mysql/mysql-server-8.0.16/bin/mysqld (mysqld 8.0.16-commercial) initializing of server in progress as process 962

2019-12-13T13:04:19.318987Z 0 [Warning] [MY-010069] [Server] Failed to set up SSL because of the following SSL library error: SSL_CTX_set_default_verify_paths failed

2019-12-13T13:04:19.498482Z 5 [Note] [MY-010454] [Server] A temporary password is generated for root@localhost: geY0lgrNZd+u

2019-12-13T13:04:20.958898Z 0 [System] [MY-013170] [Server] /mysql_binaries/mysql/mysql-server-8.0.16/bin/mysqld (mysqld 8.0.16-commercial) initializing of server has completed

[1]+ Done mysqld --defaults-file=/mysql_data/config/options.cnf --initialize --user=mysql

[Warning] [MY-010069] [Server] Failed to set up SSL because of the following SSL library error: SSL_CTX_set_default_verify_paths failed

The directory does not contain the ca.pem file but it does contain private_key.pem, and public_key.pem.

My options file contains the following SSL configuration:

[mysqld]

# SSL #

ssl-cipher = DHE-RSA-AES256-SHA

ssl_ca = /mysql_data/ssl-certs/ca.pem

ssl_cert = /mysql_data/ssl-certs/server-cert.pem

ssl_key = /mysql_data/ssl-certs/server-key.pem

require_secure_transport = ON

tls_version = TLSv1.2

If I initialize the server without ssl-ca, ssl-cert, ssl-key options, the server is successfully initialized without any warnings and the data directory contains the files ca-key.pem, client-cert.pem, public_key.pem, server-key.pem, ca.pem, client-key.pem, private_key.pem, server-cert.pem.

Kindly help me understand what mistake I am making. What is the warning about, and why was the ca.pem certificate file not created?

Can I create the SSL certificates in directories other than the data directory?

I know I can later create the certificates using openssl or mysql_ssl_rsa_setup.

https://serverfault.com/questions/839650/mysql-ssl-ssl-ctx-set-default-verify-paths-failed

My SELinux is in PERMISSIVE mode.

MySQL ssl setup failed

The directory for SSL certificates that I was using /mysql_data/ssl-certs is owned by mysql user and group.
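
One way to check, before running mysqld --initialize, that the files named by ssl_ca, ssl_cert and ssl_key in the option file above exist and are readable by the server account. This is an added example, not part of the original post; the script name check.sh is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): check that the TLS files named
# in the [mysqld] section of a MySQL option file exist and are readable.
# Run it as the account mysqld runs under, e.g. `sudo -u mysql sh check.sh FILE`
# (check.sh is a hypothetical name); root can read everything, so a root run
# would hide permission problems.

# Print "option path" for ssl_ca, ssl_cert and ssl_key in [mysqld].
# MySQL treats dashes and underscores in option names as equivalent.
tls_paths() {
    awk '
        /^[ \t]*[#;]/ { next }                       # whole-line comments
        /^[ \t]*\[/   { in_mysqld = ($0 ~ /^[ \t]*\[mysqld\]/); next }
        in_mysqld && /=/ {
            key = $0; sub(/=.*/, "", key)
            gsub(/[ \t]/, "", key); gsub(/-/, "_", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (key ~ /^ssl_(ca|cert|key)$/) print key, val
        }
    ' "$1"
}

# Report the state of each file; return 1 if any is missing or unreadable.
check_tls_files() {
    rc=0
    paths=$(tls_paths "$1")
    while read -r key path; do
        [ -n "$key" ] || continue
        if [ ! -e "$path" ]; then
            echo "MISSING $key $path"; rc=1
        elif [ ! -r "$path" ]; then
            echo "UNREADABLE $key $path"; rc=1
        else
            echo "OK $key $path"
        fi
    done <<EOF
$paths
EOF
    return $rc
}

# Stand-alone use: sh check.sh /mysql_data/config/options.cnf
if [ "$#" -gt 0 ]; then
    check_tls_files "$1"
fi
```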
