Enabling SSL in MySQL

Solution 1:

Ubuntu 12.04 comes with OpenSSL 1.0.1, which has somewhat different defaults than the older OpenSSL 0.9.8 version.

Among other things, if you're using openssl req -newkey rsa:2048 to generate an RSA key, you'll end up with a key in a format called PKCS #8. Represented in the PEM format, these keys have the more generic -----BEGIN PRIVATE KEY----- header, which doesn't tell you what kind of key (RSA, DSA, EC) it is.

Previously, with OpenSSL 0.9.8, keys were always in a format called PKCS #1, which, represented as PEM, had the header -----BEGIN RSA PRIVATE KEY-----.

Because of this you cannot simply change the header and footer from:

-----BEGIN PRIVATE KEY-----

to

-----BEGIN RSA PRIVATE KEY-----

It's not the same thing and it won't work. Instead you need to convert the key to the old format using openssl rsa. Like this:

openssl rsa -in key_in_pkcs1_or_pkcs8.pem -out key_in_pkcs1.pem

MySQL (v5.5.35) on Ubuntu 12.04 is using an SSL implementation called yaSSL (v2.2.2). It expects keys to be in the PKCS #1 format and doesn't support the PKCS #8 format used by OpenSSL 1.0 and newer. If you simply change the header and footer, as suggested by other posts in this thread, MySQL/yaSSL won't complain, but you'll be unable to connect and instead end up with an error like this:

ERROR 2026 (HY000): SSL connection error: protocol version mismatch

Ubuntu 14.04 comes with OpenSSL 1.0.1f and new settings. Among other things, it will generate certificates with SHA256 digests instead of SHA1, which was used in earlier versions. Incidentally, the yaSSL version bundled with MySQL doesn't support this either.

If you're generating certificates for use with MySQL, remember to make sure the RSA keys are converted to the traditional PKCS #1 PEM format and that certificates are using SHA1 digests.

Here's an example of how to generate your own CA, a server certificate and a client certificate.

# Generate a CA key and certificate with SHA1 digest
openssl genrsa 2048 > ca-key.pem
openssl req -sha1 -new -x509 -nodes -days 3650 -key ca-key.pem > ca-cert.pem

# Create server key and certificate with SHA1 digest, sign it and convert
# the RSA key from PKCS #8 (OpenSSL 1.0 and newer) to the old PKCS #1 format
openssl req -sha1 -newkey rsa:2048 -days 730 -nodes -keyout server-key.pem > server-req.pem
openssl x509 -sha1 -req -in server-req.pem -days 730 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
openssl rsa -in server-key.pem -out server-key.pem

# Create client key and certificate with SHA1 digest, sign it and convert
# the RSA key from PKCS #8 (OpenSSL 1.0 and newer) to the old PKCS #1 format
openssl req -sha1 -newkey rsa:2048 -days 730 -nodes -keyout client-key.pem > client-req.pem
openssl x509 -sha1 -req -in client-req.pem -days 730 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem
openssl rsa -in client-key.pem -out client-key.pem
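
The following added example, which is not part of the answer above, classifies a private key by its DER structure instead of its PEM label, so a PKCS #8 key whose header was edited by hand is reported as unusable. The toy key and the names `check_key`, `der_format` and `to_pem` are constructed for illustration.

```python
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def der_format(der):
    """Classify a DER private key by structure, ignoring any PEM label."""
    try:
        outer, start, _ = read_tlv(der, 0)
        version, _, after_version = read_tlv(der, start)
        second, _, _ = read_tlv(der, after_version)
    except IndexError:
        return "unknown"
    if outer != 0x30 or version != 0x02:
        return "unknown"
    # After version: INTEGER (modulus) is PKCS #1, SEQUENCE (AlgorithmIdentifier) is PKCS #8.
    return {0x02: "PKCS#1", 0x30: "PKCS#8"}.get(second, "unknown")

def check_key(pem_text):
    """Return (label, body_format, usable); usable means PKCS #1 body under an RSA label."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.group(1), der_format(base64.b64decode(m.group(2)))
    return label, body, label == "RSA PRIVATE KEY" and body == "PKCS#1"

# --- Constructed sample input: a toy key (n = 61 * 53), not a real one ---
def _tlv(tag, value):  # short-form length only, enough for the toy key
    return bytes([tag, len(value)]) + value
def _int(v):
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
def to_pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"

TOY_PKCS1 = _tlv(0x30, b"".join(map(_int, (0, 3233, 17, 2753, 61, 53, 53, 49, 38))))
TOY_PKCS8 = _tlv(0x30, _int(0) + _tlv(0x30, _tlv(0x06, RSA_OID) + _tlv(0x05, b"")) + _tlv(0x04, TOY_PKCS1))

if __name__ == "__main__":
    for label, der in (("PRIVATE KEY", TOY_PKCS8), ("RSA PRIVATE KEY", TOY_PKCS8), ("RSA PRIVATE KEY", TOY_PKCS1)):
        print(check_key(to_pem(label, der)))
```

To check a real file, pass its contents to `check_key`; the middle case in the loop is the hand-edited header, where the label says RSA but the body is still PKCS #8.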

Solution 2:

This helped me:

The header and footer of the file server-key.pem looked like this:

-----BEGIN PRIVATE KEY-----
...
...
-----END PRIVATE KEY-----

But it requires something like this:

-----BEGIN RSA PRIVATE KEY-----
...
...
-----END RSA PRIVATE KEY-----

Note the BEGIN RSA PRIVATE KEY

In order to see the log:

sudo vim /var/log/mysql/error.log

Hope this helps.