Re: Failed to setup SSL

Sat, 24 Nov 2012 16:04:26 -0800 


Am 25.11.2012 00:30, schrieb Jackie Zhang:
> Hello everyone,
> 
> I want to setup SSL for mysql server. I followed the manual on
> http://dev.mysql.com/doc/refman/5.5/en/ssl-connections.html
> 
> I first generated the certificates and key files by strictly following the
> following link,
> http://dev.mysql.com/doc/refman/5.5/en/creating-ssl-certs.html
> with everything verified:
> 
> shell> *openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem*
> server-cert.pem: OK
> client-cert.pem: OK
> 
> 
> But, when I start my server using
> bin/mysqld --ssl-ca=./newcerts/ca-cert.pem \
>                  --ssl-cert=./newcerts/server-cert.pem \
>                  --ssl-key=./newcerts/server-key.pem
> 
> The server started with the following error message:
> 121124 14:41:27 [Warning] Failed to setup SSL
> 121124 14:41:27 [Warning] SSL error: Failed to set ciphers to use
> 
> Did I miss something? I tried to add
> --ssl-cipher=DHE-RSA-AES256-SHA:AES128-SHA and --ssl, but it didn't help.
> 
> Please give me some clue...

i used the script below for generate ca.crt, client.pem, server.pem
this setup works since years for replication as also php-scripts

[root@buildserver:~]$ cat /buildserver/ssl-cert/mysql/generate.sh
#!/bin/bash

DIR="/buildserver/ssl-cert/mysql"

rm -rf $DIR/cert/
rm -rf $DIR/db/
mkdir $DIR/cert/
mkdir $DIR/db/

touch $DIR/db/index.txt
echo "01" > $DIR/db/serial

rm -f $DIR/ca.key
rm -f $DIR/cert/ca.crt

openssl req -new -x509 -days 3650 -keyout $DIR/ca.key -out $DIR/cert/ca.crt 
-config $DIR/openssl.cnf

openssl req -new -keyout $DIR/cert/server.key -out $DIR/cert/server.csr -days 
3650 -config $DIR/openssl.cnf

openssl rsa -in $DIR/cert/server.key -out $DIR/cert/server.key
openssl ca -policy policy_anything -out $DIR/cert/server.crt -days 3650 -config 
$DIR/openssl.cnf -infiles
$DIR/cert/server.csr

openssl req -new -keyout $DIR/cert/client.key -out $DIR/cert/client.csr -days 
3650 -config $DIR/openssl.cnf
openssl rsa -in $DIR/cert/client.key -out $DIR/cert/client.key
openssl ca -policy policy_anything -out $DIR/cert/client.crt -days 3650 -config 
$DIR/openssl.cnf -infiles
$DIR/cert/client.csr

rm -f $DIR/cert/server.csr
rm -f $DIR/cert/client.csr
rm -f $DIR/cert/01.pem
rm -f $DIR/cert/02.pem

cat $DIR/cert/server.crt $DIR/cert/server.key > $DIR/cert/server.pem
rm -f $DIR/cert/server.crt
rm -f $DIR/cert/server.key

cat $DIR/cert/client.crt $DIR/cert/client.key > $DIR/cert/client.pem
rm -f $DIR/cert/client.crt
rm -f $DIR/cert/client.key

chmod 644 $DIR/cert/*
rm -f /etc/mysql-ssl/*
cp $DIR/cert/* /etc/mysql-ssl/
chmod 755 /etc/mysql-ssl/
chmod 644 /etc/mysql-ssl/*

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to