Details
-
Bug
-
Status: Closed (View Workflow)
-
Minor
-
Resolution: Fixed
-
10.2.11, 10.0(EOL), 10.1(EOL), 10.2(EOL)
-
CentOS Linux release 7.4.1708
Description
Following the directions in https://mariadb.com/kb/en/library/replication-with-secure-connections/, after generating keys following the tutorial at https://www.cyberciti.biz/faq/how-to-setup-mariadb-ssl-and-secure-connections-from-clients/ linked from https://mariadb.com/kb/en/library/secure-connections-overview/, results in an error.
Specifically:
CHANGE MASTER TO
|
MASTER_HOST='master_host_name', |
MASTER_USER='user_name', |
MASTER_PASSWORD='password', |
MASTER_SSL=1, |
MASTER_SSL_CA = 'ca_file_name', |
MASTER_SSL_CAPATH = 'ca_directory_name', |
MASTER_SSL_CERT = 'cert_file_name', |
MASTER_SSL_KEY = 'key_file_name'; |
is misleading, because the variable MASTER_SSL_CAPATH does nothing in 10.2.11
MASTER_SSL_CA, MASTER_SSL_CERT, and MASTER_SSL_KEY must contain full path names for each corresponding file, and changing the value of MASTER_SSL_CAPATH has no effect on these variables. When the filenames are not fully qualified, turning on replication results in
Last_IO_Error: error connecting to master 'repl@10.0.0.1:3306' - retry-time: 10 maximum-retries: 86400
|
message: SSL connection error: SSL_CTX_set_default_verify_paths failed
|
Attachments
Activity
capath is not what it might look like. OpenSSL documents it as
$ man SSL_CTX_load_verify_locations
|
...
|
If CApath is not NULL, it points to a directory containing CA
|
certificates in PEM format. The files each contain one CA certificate.
|
The files are looked up by the CA subject name hash value, which must
|
hence be available. If more than one CA certificate with the same name
|
hash value exist, the extension must be different (e.g. 9d66eef0.0,
|
9d66eef0.1 etc). The search is performed in the ordering of the
|
extension number, regardless of other properties of the certificates.
|
Use the c_rehash utility to create the necessary links.
|
|
|
The certificates in CApath are only looked up when required, e.g. when
|
building the certificate chain or when actually performing the
|
verification of a peer certificate.
|
If you have /etc/ssl/certs/ on your system, see what it looks like. That's, I suppose, what a proper CApath should be.
We need to clarify --ssl-capath in the manual.
Hi, I have also an issue with --ssl-capath on MariaDB with YaSSL.
I am more or less just an enduser and admin setting up systems based on the documentation and forum support.
My Use-Case:
I need to trust the certificate provided by my OpenSource Software client (provided as .crt), to encrypt the connection between client and server, but I can not get it running.
As stated in https://mariadb.com/kb/en/library/ssltls-system-variables/#ssl_capath I created a .pem file using
openssl x509 -in <zertifikat.crt> -inform DER -out <sinnvollername.pem> -outform PEM
|
As I have currently only one .pem file, I specified the path to it in 50-server.cnf [mysqld]
ssl-ca=/etc/mysql/ssl/ca-cert.pem
|
ssl-cert=/etc/mysql/ssl/server-cert.pem
|
ssl-key=/etc/mysql/ssl/server-key.pem
|
ssl-capath=/etc/mysql/capath/client.pem
|
After restart "have_ssl" turns to DISABLED.
|
|
Server version: 10.1.37-MariaDB-0+deb9u1 Raspbian 9.0 |
|
|
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others. |
|
|
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. |
|
|
MariaDB [(none)]> SHOW VARIABLES LIKE '%ssl%'; |
+---------------------+-----------------------------------+
|
| Variable_name | Value |
|
+---------------------+-----------------------------------+
|
| have_openssl | NO |
|
| have_ssl | DISABLED |
|
| ssl_ca | /etc/mysql/ssl/ca-cert.pem |
|
| ssl_capath | /etc/mysql/capath/client.pem |
|
| ssl_cert | /etc/mysql/ssl/server-cert.pem |
|
| ssl_cipher | |
|
| ssl_crl | |
|
| ssl_crlpath | |
|
| ssl_key | /etc/mysql/ssl/server-key.pem |
|
| version_ssl_library | YaSSL 2.4.4 | |
+---------------------+-----------------------------------+
|
Could you please provide some detailed information how to set up -ssl_capath with YaSSL and an example how to create the new file containing the concatenated individual certificate files in the tree? I understand that this should include the trustline of the certs. With only 5 clients I need to set up, this still may lead to several isses, if the certs or trust of chain is mixed up during concatenating the certs.
Is there a troubleshooting guideline available to investigate issues with ssl?
Thank you very much!
Geoff made prior changes to the docs around related variables and will carry similar instructions through to CHANGE MASTER.
It looks like you are trying to set the value of the ssl_capath system variable to the path of your client certificate. That is not what the ssl_capath system variable is for. If you want to use a client certificate, then that path would need to be set as the value of the ssl_cert option in one of the client option groups. e.g. [client] or [client-mariadb].
See here:
https://mariadb.com/kb/en/library/configuring-mariadb-with-option-files/#client-option-groups
On the server side, you just need to ensure that the certificate of the CA that signed your client certificate is concatenated into the file specified as the ssl_ca system variable. You most likely do not need to use ssl_capath at all.
The following documentation pages have been updated:
https://mariadb.com/kb/en/library/change-master-to/
https://mariadb.com/kb/en/library/replication-with-secure-connections/
https://mariadb.com/kb/en/library/secure-connections-overview/#certificate-authorities-cas
I've assigned this to you. Can you please let me know if the new documentation changes clarify things for you?
If you don't want to provide feedback or if you don't have the time to do so, please feel free to re-assign it back to me.
It's not limited to replication, server --ssl-ca* options exhibit the same behavior.
This works:
bin/mysqld_safe \--ssl-ca=/data/bld/10.2/mysql-test/std_data/cacert.pem \--ssl-capath=/data/bld/10.2/mysql-test/std_data/ \--ssl+---------------------+-----------------------------------------------+| Variable_name | Value |+---------------------+-----------------------------------------------+| have_openssl | YES || have_ssl | YES || ssl_ca | /data/bld/10.2/mysql-test/std_data/cacert.pem || ssl_capath | /data/bld/10.2/mysql-test/std_data/ || ssl_cert | || ssl_cipher | || ssl_crl | || ssl_crlpath | || ssl_key | || version_ssl_library | OpenSSL 1.0.1t 3 May 2016 |+---------------------+-----------------------------------------------+But this doesn't:
bin/mysqld_safe \--ssl-ca=cacert.pem \--ssl-capath=/data/bld/10.2/mysql-test/std_data/ \--ssl+---------------------+-------------------------------------+| Variable_name | Value |+---------------------+-------------------------------------+| have_openssl | YES || have_ssl | DISABLED || ssl_ca | cacert.pem || ssl_capath | /data/bld/10.2/mysql-test/std_data/ || ssl_cert | || ssl_cipher | || ssl_crl | || ssl_crlpath | || ssl_key | || version_ssl_library | OpenSSL 1.0.1t 3 May 2016 |+---------------------+-------------------------------------+2017-12-14 2:37:51 140276674546560 [Warning] Failed to setup SSL2017-12-14 2:37:51 140276674546560 [Warning] SSL error: SSL_CTX_set_default_verify_paths failed2017-12-14 2:37:51 140276674546560 [Warning] SSL error: error:02001002:system library:fopen:No such file or directory2017-12-14 2:37:51 140276674546560 [Warning] SSL error: error:2006D080:BIO routines:BIO_new_file:no such file2017-12-14 2:37:51 140276674546560 [Warning] SSL error: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib