mysql_ssl_rsa_setup generates server-key.pem inacessible by mysqld
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
mysql-5.7 (Ubuntu) |
Confirmed
|
Wishlist
|
Unassigned |
Bug Description
5.7.26-
MySQL 5.7 should sort of automatically get around with SSL key generation.
The problem is that included mysql_ssl_rsa_setup script creates
/var/lib/
But it has to be readable by mysqld to be of any usefulness
say "chown :mysql" and "chmod g+r" solved it for me.
I wonder if this can be included in the script mentioned so that it works out of the box.
askubuntu etc is filled with 'advice' to go to mysql official doc which does not help, as the recommendations henerate limited permission files again.
By default:
[Warning] Failed to set up SSL because of the following SSL library error: SSL context is not usable without certificate and private key
after mysql_ssl_
[ERROR] SSL error: Unable to get private key from 'server-key.pem'
after chown fix:
[Warning] CA certificate ca.pem is self signed.
Config is in mysql.conf. d/mysqld. cnf
/etc/mysql/
default disabled: mysql.conf. d/mysqld. cnf:103: # ssl-ca= /etc/mysql/ cacert. pem mysql.conf. d/mysqld. cnf:104: # ssl-cert= /etc/mysql/ server- cert.pem mysql.conf. d/mysqld. cnf:105: # ssl-key= /etc/mysql/ server- key.pem
/etc/mysql/
/etc/mysql/
/etc/mysql/
I confirm that the permissions keys are created are root only: mysql/server- key.pem mysql/server- key.pem
# ll /var/lib/
-rw------- 1 root root 1675 May 10 07:29 /var/lib/
Actually that is just the default of the tool as it comes from upstream
And it has parameters for all you need:
Adding --uid mysql would make it do what you want.
If the defaults of the upstream tool should be changed that would IMHO be an upstream bug.
Unfortunately the user set up to use is not part of the ./configure call so I'm not sure how it would know.
wishlist from Ubuntu perspective, if you happen to file an upstream bug to change the default pelse mention it here so it can be tracked.