PS 5.7 init script generates certs regardless of .cnf setting

Bug #1673235 reported by fimbulvetr
Affects          Status                                                   Importance   Assigned to   Milestone
Percona Server   moved to https://jira.percona.com/projects/PS (status tracked in 5.7)
  5.5            New                                                      Undecided    Unassigned
  5.6            New                                                      Undecided    Unassigned
  5.7            Triaged                                                  Medium       Unassigned

Bug Description

The /etc/init.d/mysql shipped with PS is not aware of the mysql options auto_generate_certs and sha256_password_auto_generate_rsa_keys.

It checks for the absence of ${MYSQLDATA}/server-key.pem, and if it is not present it calls "/usr/bin/mysql_ssl_rsa_setup --datadir="${MYSQLDATA}" --uid=mysql"

See line 154 of PS distributed /etc/init.d/mysql.

I consider this a bug as if I have my own custom pems/cas, specified in the .cnf, it should honor them and not create its own.

These extra files could easily lead to confusion if myself or others in the future assume that the ${MYSQLDATA}/*pem files have any legitimacy. WRT sysadmins, the presence of these files suggests they are indeed functional. In fact, they are useless and misleading.

Workaround by symlinking ${MYSQLDATA}/server-key.pem to your legitimate server-key.

Tags: pkg
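A config-aware version of the check the report describes, as an added example (not the init script Percona ships): it runs the generation step only when server-key.pem is missing AND auto_generate_certs is not set to OFF in the [mysqld] section of the option file. The function names cnf_option and should_generate_certs are assumptions; sha256_password_auto_generate_rsa_keys can be checked the same way before calling mysql_ssl_rsa_setup.

```shell
#!/bin/sh
# Added example, not part of the Percona init script (names are assumed).

# Print the effective [mysqld] value of an option from a my.cnf file,
# lowercased, or nothing if it is not set. Mirrors MySQL option-file
# rules: dash and underscore are equivalent, a bare option name means ON,
# '#' starts a comment, and the last occurrence wins.
cnf_option() {
    cnf="$1"; opt="$2"
    [ -r "$cnf" ] || return 0
    awk -v opt="$opt" '
        # Section header: remember whether we are inside [mysqld]
        /^[[:space:]]*\[/ { in_mysqld = ($0 ~ /^[[:space:]]*\[mysqld\]/); next }
        in_mysqld && !/^[[:space:]]*[#;]/ && NF {
            line = $0
            sub(/#.*$/, "", line)                 # strip trailing comment
            n = split(line, kv, "=")
            key = kv[1]; gsub(/[[:space:]]/, "", key); gsub(/-/, "_", key)
            if (key == opt) val = (n > 1) ? kv[2] : "on"
        }
        END { if (val != "") { gsub(/[[:space:]]/, "", val); print tolower(val) } }
    ' "$cnf"
}

# Return 0 (generate) only when server-key.pem is absent from the datadir
# AND the server itself would generate certs, i.e. auto_generate_certs is
# not OFF. With a custom ssl-key in the .cnf and the option OFF, nothing
# is written to the datadir, which is the behaviour the report asks for.
should_generate_certs() {
    datadir="$1"; cnf="$2"
    [ -e "$datadir/server-key.pem" ] && return 1
    case "$(cnf_option "$cnf" auto_generate_certs)" in
        off|0|false) return 1 ;;
    esac
    return 0
}

# Usage in an init script (datadir and cnf path are placeholders):
#   if should_generate_certs "$MYSQLDATA" /etc/mysql/my.cnf; then
#       /usr/bin/mysql_ssl_rsa_setup --datadir="$MYSQLDATA" --uid=mysql
#   fi
```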
fimbulvetr (fimbulvetr) wrote :
tags: added: pkg
Jericho Rivera (jericho-rivera) wrote :

It seems like *.pem files are created before mysqld can even check if auto_generate_certs and sha256_password_auto_generate_rsa_keys are OFF.

Started mysqld with no *.pem files in the datadir.
root@test1:/var/lib/mysql# ls
auto.cnf ib_buffer_pool ibdata1 ib_logfile0 ib_logfile1 mysql performance_schema sys

Error log shows this upon startup:
< snipped >
2017-03-16T04:26:34.204904Z 0 [Note] Found ca.pem, server-cert.pem and server-key.pem in data directory. Trying to enable SSL support using them.
2017-03-16T04:26:34.204978Z 0 [Note] Skipping generation of SSL certificates as --auto_generate_certs is set to OFF.
2017-03-16T04:26:34.216585Z 0 [Warning] CA certificate ca.pem is self signed.
2017-03-16T04:26:34.216691Z 0 [Note] Skipping generation of RSA key pair as --sha256_password_auto_generate_rsa_keys is set to OFF.
< snipped >

Ended up with new *.pem files in the datadir.
root@test1:/var/lib/mysql# ls
auto.cnf client-cert.pem ibdata1 ibtmp1 performance_schema server-cert.pem xb_doublewrite
ca-key.pem client-key.pem ib_logfile0 mysql private_key.pem server-key.pem
ca.pem ib_buffer_pool ib_logfile1 mysqld_safe.pid public_key.pem sys

Changed in percona-server:
status: New → Confirmed
Shahriyar Rzayev (rzayev-sehriyar) wrote :

Percona now uses JIRA for bug reports so this bug report is migrated to: https://jira.percona.com/browse/PS-1795
