[MDEV-14636] Master_SSL_CA_Path does not work Created: 2017-12-12  Updated: 2019-12-05  Resolved: 2019-12-05

Status: Closed
Project: MariaDB Server
Component/s: Documentation - Support, SSL
Affects Version/s: 10.0, 10.1, 10.2.11, 10.2
Fix Version/s: N/A

Type: Bug
Priority: Minor
Reporter: Juan
Assignee: Juan
Resolution: Fixed
Votes: 0
Labels: replication, ssl, upstream
Environment: CentOS Linux release 7.4.1708

Description

Following the directions in https://mariadb.com/kb/en/library/replication-with-secure-connections/, after generating keys following the tutorial at https://www.cyberciti.biz/faq/how-to-setup-mariadb-ssl-and-secure-connections-from-clients/ linked from https://mariadb.com/kb/en/library/secure-connections-overview/, results in an error.

Specifically:

CHANGE MASTER TO
  MASTER_HOST='master_host_name',
  MASTER_USER='user_name',
  MASTER_PASSWORD='password',
  MASTER_SSL=1,
  MASTER_SSL_CA = 'ca_file_name',
  MASTER_SSL_CAPATH = 'ca_directory_name',
  MASTER_SSL_CERT = 'cert_file_name',
  MASTER_SSL_KEY = 'key_file_name';

is misleading, because the variable MASTER_SSL_CAPATH does nothing in 10.2.11.

MASTER_SSL_CA, MASTER_SSL_CERT, and MASTER_SSL_KEY must contain full path names for each corresponding file, and changing the value of MASTER_SSL_CAPATH has no effect on these variables. When the filenames are not fully qualified, turning on replication results in

Last_IO_Error: error connecting to master 'repl@10.0.0.1:3306' - retry-time: 10  maximum-retries: 86400
message: SSL connection error: SSL_CTX_set_default_verify_paths failed

Comments
Comment by Elena Stepanova [ 2017-12-14 ]

It's not limited to replication; the server's --ssl-ca* options exhibit the same behavior.
This works:

bin/mysqld_safe \
--ssl-ca=/data/bld/10.2/mysql-test/std_data/cacert.pem \
--ssl-capath=/data/bld/10.2/mysql-test/std_data/ \
--ssl
 
+---------------------+-----------------------------------------------+
| Variable_name       | Value                                         |
+---------------------+-----------------------------------------------+
| have_openssl        | YES                                           |
| have_ssl            | YES                                           |
| ssl_ca              | /data/bld/10.2/mysql-test/std_data/cacert.pem |
| ssl_capath          | /data/bld/10.2/mysql-test/std_data/           |
| ssl_cert            |                                               |
| ssl_cipher          |                                               |
| ssl_crl             |                                               |
| ssl_crlpath         |                                               |
| ssl_key             |                                               |
| version_ssl_library | OpenSSL 1.0.1t  3 May 2016                    |
+---------------------+-----------------------------------------------+

But this doesn't:

bin/mysqld_safe \
--ssl-ca=cacert.pem \
--ssl-capath=/data/bld/10.2/mysql-test/std_data/ \
--ssl
 
+---------------------+-------------------------------------+
| Variable_name       | Value                               |
+---------------------+-------------------------------------+
| have_openssl        | YES                                 |
| have_ssl            | DISABLED                            |
| ssl_ca              | cacert.pem                          |
| ssl_capath          | /data/bld/10.2/mysql-test/std_data/ |
| ssl_cert            |                                     |
| ssl_cipher          |                                     |
| ssl_crl             |                                     |
| ssl_crlpath         |                                     |
| ssl_key             |                                     |
| version_ssl_library | OpenSSL 1.0.1t  3 May 2016          |
+---------------------+-------------------------------------+

2017-12-14  2:37:51 140276674546560 [Warning] Failed to setup SSL
2017-12-14  2:37:51 140276674546560 [Warning] SSL error: SSL_CTX_set_default_verify_paths failed
2017-12-14  2:37:51 140276674546560 [Warning] SSL error: error:02001002:system library:fopen:No such file or directory
2017-12-14  2:37:51 140276674546560 [Warning] SSL error: error:2006D080:BIO routines:BIO_new_file:no such file
2017-12-14  2:37:51 140276674546560 [Warning] SSL error: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib

Comment by Sergei Golubchik [ 2017-12-15 ]

capath is not what it might look like. OpenSSL documents it as

$ man SSL_CTX_load_verify_locations
...
  If CApath is not NULL, it points to a directory containing CA
  certificates in PEM format. The files each contain one CA certificate.
  The files are looked up by the CA subject name hash value, which must
  hence be available.  If more than one CA certificate with the same name
  hash value exist, the extension must be different (e.g. 9d66eef0.0,
  9d66eef0.1 etc). The search is performed in the ordering of the
  extension number, regardless of other properties of the certificates.
  Use the c_rehash utility to create the necessary links.
 
  The certificates in CApath are only looked up when required, e.g. when
  building the certificate chain or when actually performing the
  verification of a peer certificate.

If you have /etc/ssl/certs/ on your system, see what it looks like. That's, I suppose, what a proper CApath should be.

We need to clarify --ssl-capath in the manual.
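
The man page excerpt above describes a directory of hash-named entries, which is not what either of the failing configurations in this ticket provided. The following script is an added example for this ticket, not MariaDB code and not part of any comment here: it builds such a directory for a throwaway self-signed CA (the CA name, temp paths and file names are constructed for the demo), then asks openssl verify to trust the certificate using only that directory, once with proper <subject_hash>.N links and once with a directory that merely contains ca.pem. The second case fails for the same reason the server reports SSL_CTX_set_default_verify_paths failed: OpenSSL never opens files in CApath by their own name. In practice c_rehash (or openssl rehash in newer releases) does the linking for a whole directory; the function here shows what those tools do.

```shell
#!/bin/sh
# Added example (not MariaDB code): build an OpenSSL-style CApath directory as
# described in the SSL_CTX_load_verify_locations man page, then show that a
# directory holding a bare "ca.pem" is NOT a usable CApath.
# CA name, temp directory and file names are constructed for the demo.
set -eu

# capath_add DIR CERT
# Link CERT into DIR as <subject_hash>.<N>. N starts at 0 and is bumped when a
# CA with the same subject-name hash is already present, so both stay
# reachable (the "9d66eef0.0, 9d66eef0.1" case from the man page).
# Prints the link name that was created.
capath_add() {
    dir=$1
    cert=$2
    hash=$(openssl x509 -noout -subject_hash -in "$cert")
    n=0
    while [ -e "$dir/$hash.$n" ]; do
        n=$((n + 1))
    done
    # absolute target so the symlink stays valid wherever DIR is used from
    target="$(cd "$(dirname "$cert")" && pwd)/$(basename "$cert")"
    ln -s "$target" "$dir/$hash.$n"
    printf '%s\n' "$hash.$n"
}

# capath_verify DIR CERT
# Validate CERT with DIR as the trusted-CA directory. Prints OK or FAIL.
# FAIL against a directory without hash-named entries is the situation a
# server is in when ssl_capath points at a file or an un-rehashed directory.
capath_verify() {
    if openssl verify -CApath "$1" "$2" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# demo: generate a self-signed CA, build a proper CApath for it, and compare
# against a directory that only contains the PEM file under its own name.
demo() {
    work=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Demo CA" \
        -keyout "$work/ca-key.pem" -out "$work/ca.pem" >/dev/null 2>&1
    mkdir "$work/capath" "$work/plain"
    cp "$work/ca.pem" "$work/plain/ca.pem"      # bare file name, no hash link
    link=$(capath_add "$work/capath" "$work/ca.pem")
    echo "created $link in $work/capath"
    echo "hashed CApath: $(capath_verify "$work/capath" "$work/ca.pem")"
    echo "plain dir:     $(capath_verify "$work/plain" "$work/ca.pem")"
    rm -rf "$work"
}

demo
```

Running it prints OK for the hashed directory and FAIL for the plain one. The same distinction applies to --ssl-ca: that option names one PEM file (a bundle of one or more CA certificates), and the file must exist at the path given, which is why the relative cacert.pem in the comment above also fails.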

Comment by Markus [ 2018-12-11 ]

Hi, I also have an issue with --ssl-capath on MariaDB with YaSSL.
I am more or less just an end user and admin setting up systems based on the documentation and forum support.
My use case:
I need to trust the certificate provided by my open-source software client (provided as .crt), to encrypt the connection between client and server, but I cannot get it running.

As stated in https://mariadb.com/kb/en/library/ssltls-system-variables/#ssl_capath I created a .pem file using

openssl x509 -in <zertifikat.crt> -inform DER -out <sinnvollername.pem> -outform PEM

As I have currently only one .pem file, I specified the path to it in 50-server.cnf [mysqld]

 ssl-ca=/etc/mysql/ssl/ca-cert.pem 
 ssl-cert=/etc/mysql/ssl/server-cert.pem
 ssl-key=/etc/mysql/ssl/server-key.pem
 ssl-capath=/etc/mysql/capath/client.pem

After restart "have_ssl" turns to DISABLED.

 
Server version: 10.1.37-MariaDB-0+deb9u1 Raspbian 9.0
 
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
 
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
 
MariaDB [(none)]> SHOW VARIABLES LIKE '%ssl%';
+---------------------+-----------------------------------+
| Variable_name       | Value                             |
+---------------------+-----------------------------------+
| have_openssl        | NO                                |
| have_ssl            | DISABLED                          |
| ssl_ca              | /etc/mysql/ssl/ca-cert.pem        |
| ssl_capath          | /etc/mysql/capath/client.pem      |
| ssl_cert            | /etc/mysql/ssl/server-cert.pem    |
| ssl_cipher          |                                   |
| ssl_crl             |                                   |
| ssl_crlpath         |                                   |
| ssl_key             | /etc/mysql/ssl/server-key.pem     |
| version_ssl_library | YaSSL 2.4.4                       |
+---------------------+-----------------------------------+

Could you please provide some detailed information on how to set up ssl_capath with YaSSL and an example of how to create the new file containing the concatenated individual certificate files in the tree? I understand that this should include the trust line of the certs. With only 5 clients I need to set up, this still may lead to several issues, if the certs or chain of trust is mixed up during concatenating the certs.
Is there a troubleshooting guideline available to investigate issues with ssl?
Thank you very much!

Comment by Jacob Moorman (Inactive) [ 2019-04-12 ]

Geoff made prior changes to the docs around related variables and will carry similar instructions through to CHANGE MASTER.

Comment by Geoff Montee (Inactive) [ 2019-04-14 ]

MariaUser1234,

It looks like you are trying to set the value of the ssl_capath system variable to the path of your client certificate. That is not what the ssl_capath system variable is for. If you want to use a client certificate, then that path would need to be set as the value of the ssl_cert option in one of the client option groups, e.g. [client] or [client-mariadb].

See here:

https://mariadb.com/kb/en/library/securing-connections-for-client-and-server/#enabling-two-way-tls-for-mariadb-clients

https://mariadb.com/kb/en/library/configuring-mariadb-with-option-files/#client-option-groups

On the server side, you just need to ensure that the certificate of the CA that signed your client certificate is concatenated into the file specified as the ssl_ca system variable. You most likely do not need to use ssl_capath at all.

Comment by Geoff Montee (Inactive) [ 2019-04-15 ]

The following documentation pages have been updated:

https://mariadb.com/kb/en/library/change-master-to/

https://mariadb.com/kb/en/library/replication-with-secure-connections/

https://mariadb.com/kb/en/library/secure-connections-overview/#certificate-authorities-cas

https://mariadb.com/kb/en/library/ssltls-system-variables/

Comment by Geoff Montee (Inactive) [ 2019-04-15 ]

juan.vera,

I've assigned this to you. Can you please let me know if the new documentation changes clarify things for you?

If you don't want to provide feedback or if you don't have the time to do so, please feel free to re-assign it back to me.

Generated at Thu Feb 08 08:15:07 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.