文档建议反馈控制台
首页
学习
活动
专区
圈层
工具
MCP广场
文章/答案/技术大牛
发布
社区首页 >问答首页 >MariaDB MySQL显示安装证书时禁用了have_ssl。

MariaDB MySQL显示安装证书时禁用了have_ssl。
EN

Server Fault用户
提问于 2019-01-23 20:50:19
回答 3查看 12.1K关注 0票数 8

试图在我的mariadb服务器上启用SSL。我已经按照官方的mariadb文档生成了一个ca-key服务器-key服务器-cert。我的机器是带有mariadb 10.1.37的debian 9 kvm

当我以根用户身份运行SHOW VARIABLES LIKE '%ssl';时,我得到以下输出:

代码语言:javascript
复制
+---------------------+--------------------------------+
| Variable_name       | Value                          |
+---------------------+--------------------------------+
| have_openssl        | NO                             |
| have_ssl            | DISABLED                       |
| ssl_ca              | /etc/mysql/ssl/ca-cert.pem     |
| ssl_capath          |                                |
| ssl_cert            | /etc/mysql/ssl/server-cert.pem |
| ssl_cipher          |                                |
| ssl_crl             |                                |
| ssl_crlpath         |                                |
| ssl_key             | /etc/mysql/ssl/server-key.pem  |
| version_ssl_library | YaSSL 2.4.4                    |
+---------------------+--------------------------------+

我多次尝试重新创建证书,包括使用不同的通用名称。证书安装在/etc/mysql/ssl/

我还尝试使用mysqld选项启动--ssl,并在配置中添加ssl=on。我找不到更多与此相关的信息,因为我有YASSL而不是openssl,因为mariadb现在默认使用YASSL编译,除非我遗漏了一些东西,而且YASSL无法使用我的密钥?

如何创建证书和密钥:

代码语言:javascript
复制
openssl genrsa 2048 > ca-key.pem

openssl req -new -x509 -nodes -days 365000 \
      -key ca-key.pem -out ca-cert.pem

openssl req -newkey rsa:2048 -days 365000 \
      -nodes -keyout server-key.pem -out server-req.pem

openssl rsa -in server-key.pem -out server-key.pem

openssl x509 -req -in server-req.pem -days 365000 \
      -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 \
      -out server-cert.pem

我的50-server.cnf文件:

代码语言:javascript
复制
    #
# These groups are read by MariaDB server.
# Use it for options that only the server (but not clients) should see
#
# See the examples of server my.cnf files in /usr/share/mysql/
#

# this is read by the standalone daemon and embedded servers
[server]

# this is only for the mysqld standalone daemon
[mysqld]

#
# * Basic Settings
#
user        = mysql
pid-file    = /var/run/mysqld/mysqld.pid
socket      = /var/run/mysqld/mysqld.sock
port        = 3306
basedir     = /usr
datadir     = /var/lib/mysql
tmpdir      = /tmp
lc-messages-dir = /usr/share/mysql
skip-external-locking

# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
bind-address        = 0.0.0.0

#
# * Fine Tuning
#
key_buffer_size     = 16M
max_allowed_packet  = 16M
thread_stack        = 192K
thread_cache_size       = 8
# This replaces the startup script and checks MyISAM tables if needed
# the first time they are touched
myisam_recover_options  = BACKUP
#max_connections        = 100
#table_cache            = 64
#thread_concurrency     = 10

#
# * Query Cache Configuration
#
query_cache_limit   = 1M
query_cache_size        = 16M

#
# * Logging and Replication
#
# Both location gets rotated by the cronjob.
# Be aware that this log type is a performance killer.
# As of 5.1 you can enable the log at runtime!
#general_log_file        = /var/log/mysql/mysql.log
#general_log             = 1
#
# Error log - should be very few entries.
#
log_error = /var/log/mysql/error.log
#
# Enable the slow query log to see queries with especially long duration
#slow_query_log_file    = /var/log/mysql/mariadb-slow.log
#long_query_time = 10
#log_slow_rate_limit    = 1000
#log_slow_verbosity = query_plan
#log-queries-not-using-indexes
#
# The following can be used as easy to replay backup logs or for replication.
# note: if you are setting up a replication slave, see README.Debian about
#       other settings you may need to change.
#server-id      = 1
#log_bin            = /var/log/mysql/mysql-bin.log
expire_logs_days    = 10
max_binlog_size   = 100M
#binlog_do_db       = include_database_name
#binlog_ignore_db   = exclude_database_name

#
# * InnoDB
#
# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
# Read the manual for more InnoDB related options. There are many!

#
# * Security Features
#
# Read the manual, too, if you want chroot!
# chroot = /var/lib/mysql/
#
# For generating SSL certificates you can use for example the GUI tool "tinyca".
#
# ssl-ca=/etc/mysql/cacert.pem
# ssl-cert=/etc/mysql/server-cert.pem
# ssl-key=/etc/mysql/server-key.pem
#
ssl-ca = /etc/mysql/ssl/ca-cert.pem
ssl-key = /etc/mysql/ssl/server-key.pem
ssl-cert = /etc/mysql/ssl/server-cert.pem
#
# Accept only connections using the latest and most secure TLS protocol version.
# ..when MariaDB is compiled with OpenSSL:
#ssl-cipher=TLSv1.2
# ..when MariaDB is compiled with YaSSL (default in Debian):
ssl=on

#
# * Character sets
#
# MySQL/MariaDB default is Latin1, but in Debian we rather default to the full
# utf8 4-byte character set. See also client.cnf
#
character-set-server  = utf8mb4
collation-server      = utf8mb4_general_ci

#
# * Unix socket authentication plugin is built-in since 10.0.22-6
#
# Needed so the root database user can authenticate without a password but
# only when running as the unix root user.
#
# Also available for other users if required.
# See https://mariadb.com/kb/en/unix_socket-authentication-plugin/

# this is only for embedded server
[embedded]

# This group is only read by MariaDB servers, not by MySQL.
# If you use the same .cnf file for MySQL and MariaDB,
# you can put MariaDB-only options here
[mariadb]

# This group is only read by MariaDB-10.1 servers.
# If you use the same .cnf file for MariaDB of different versions,
# use this group for options that older servers don't understand
[mariadb-10.1]
mysql
ssl
mariadb
EN

回答 3

Server Fault用户

发布于 2019-01-23 21:14:49

经过几个小时的捣乱,我发现mysql无法读取密钥文件。我将文件组设置为mysql。

代码语言:javascript
复制
chown -R mysql:mysql /etc/mysql/ssl/
票数 12
EN

Server Fault用户

发布于 2021-08-06 06:35:31

在RedHat的家人身上也有同样的行为。

SELinux阻止了have_ssl,因为证书不在mysql/mariadb的家中。

您只需将文件移动到mysql用户的主页,您可以使用以下命令找到该文件:

代码语言:javascript
复制
grep mysql /etc/passwd | awk -F ':' '{ print $6}'
票数 1
EN

Server Fault用户

发布于 2021-08-27 17:33:41

我有个不同的问题。我使用OpenSSL生成我的密钥,它创建了一个PKCS#8文件,如下所示:

代码语言:javascript
复制
-----BEGIN PRIVATE KEY-----
[base64 key material]
-----END PRIVATE KEY-----

服务器似乎需要一个PKCS#1文件,该文件如下所示:

代码语言:javascript
复制
-----BEGIN RSA PRIVATE KEY-----
[base64 key material]
----END RSA PRIVATE KEY-----

为了从一种形式转换为另一种形式,您可以使用openssl

代码语言:javascript
复制
$ openssl rsa -in /path/to/pkcs8 > /path/to/pkcs1

一旦我这样做,我就能够启动我的服务器的SSL启用。

新版本的OpenSSL默认使用PKCS#8,而旧版本默认使用PKCS#1文件(用于RSA密钥)。这将解释为什么指南写(和工作!)几年前就有问题了。

MariaDB确实需要支持PKCS#8密钥文件。如果我的MariaDB是针对OpenSSL构建的,我相信这不会成为一个问题,但它使用的YaSSL就像最初的海报一样。

票数 0
EN
页面原文内容由Server Fault提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:

https://serverfault.com/questions/950451

复制
相关文章

相似问题

领券

腾讯云开发者

扫码关注腾讯云开发者

扫码关注腾讯云开发者

领取腾讯云代金券

热门产品

热门推荐

更多推荐

Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有 

深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 粤公网安备44030502008569号

腾讯云计算(北京)有限责任公司 京ICP证150476号 |  京ICP备11018762号

问题归档专栏文章快讯文章归档关键词归档开发者手册归档开发者手册 Section 归档