Re: Failed to setup SSL
Thanks, Michael.

I used the absolute paths but it still does not work. I think the problem is not because of the relative path because the example shown in the manual also uses relative path (see below):

shell> mysqld --ssl-ca=ca-cert.pem \
       --ssl-cert=server-cert.pem \
       --ssl-key=server-key.pem

For the permission, I used exactly the same as Reindl's (I used his scripts).

Since the error messages are still the same, I guess there should be something else wrong?

Best regards,
Jackie

On Sat, Nov 24, 2012 at 5:15 PM, Michael Dykman wrote:

> I had noticed that the paths to your certificates were expressed as
> relative paths. I think at least part of Reindl's recommendation was to
> express fully qualified paths to your certs and to examine the permissions
> on those files carefully. SSL is very particular about rejecting security
> files which have too-permissive permissions.
>
> also, consider tailing /var/log/secure
>
> On 2012-11-24 8:05 PM, "Jackie Zhang" wrote:
>
> Dear Reindl,
>
> Thanks a lot for the reply!
>
> I tried your scripts (the only difference is the openssl.cnf because I
> don't have it)
>
> Unfortunately, I still failed to start the server with the same message:
>
> 121124 17:00:06 [Warning] Failed to setup SSL
> 121124 17:00:06 [Warning] SSL error: Failed to set ciphers to use
>
> Do you have any idea from the log message?
>
> Best regards,
> Jackie
>
>
> On Sat, Nov 24, 2012 at 4:02 PM, Reindl Harald wrote:
>
> >
> >
> > On 25.11.2012 00:30, Jackie Zhang wrote:
> > > Hello everyone,
> > >
> > > I want to setup SSL fo...
Re: Failed to setup SSL
I had noticed that the paths to your certificates were expressed as relative paths. I think at least part of Reindl's recommendation was to express fully qualified paths to your certs and to examine the permissions on those files carefully. SSL is very particular about rejecting security files which have too-permissive permissions.

also, consider tailing /var/log/secure

On 2012-11-24 8:05 PM, "Jackie Zhang" wrote:

Dear Reindl,

Thanks a lot for the reply!

I tried your scripts (the only difference is the openssl.cnf because I don't have it)

Unfortunately, I still failed to start the server with the same message:

121124 17:00:06 [Warning] Failed to setup SSL
121124 17:00:06 [Warning] SSL error: Failed to set ciphers to use

Do you have any idea from the log message?

Best regards,
Jackie

On Sat, Nov 24, 2012 at 4:02 PM, Reindl Harald wrote:

>
>
> On 25.11.2012 00:30, Jackie Zhang wrote:
> > Hello everyone,
> >
> > I want to setup SSL fo...
Re: Failed to setup SSL
Dear Reindl,

Thanks a lot for the reply!

I tried your scripts (the only difference is the openssl.cnf because I don't have it)

Unfortunately, I still failed to start the server with the same message:

121124 17:00:06 [Warning] Failed to setup SSL
121124 17:00:06 [Warning] SSL error: Failed to set ciphers to use

Do you have any idea from the log message?

Best regards,
Jackie

On Sat, Nov 24, 2012 at 4:02 PM, Reindl Harald wrote:

>
>
> On 25.11.2012 00:30, Jackie Zhang wrote:
> > Hello everyone,
> >
> > I want to setup SSL for mysql server. I followed the manual on
> > http://dev.mysql.com/doc/refman/5.5/en/ssl-connections.html
> >
> > I first generated the certificates and key files by strictly following the
> > following link,
> > http://dev.mysql.com/doc/refman/5.5/en/creating-ssl-certs.html
> > with everything verified:
> >
> > shell> openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem
> > server-cert.pem: OK
> > client-cert.pem: OK
> >
> >
> > But, when I start my server using
> > bin/mysqld --ssl-ca=./newcerts/ca-cert.pem \
> > --ssl-cert=./newcerts/server-cert.pem \
> > --ssl-key=./newcerts/server-key.pem
> >
> > The server started with the following error message:
> > 121124 14:41:27 [Warning] Failed to setup SSL
> > 121124 14:41:27 [Warning] SSL error: Failed to set ciphers to use
> >
> > Did I miss something? I tried to add
> > --ssl-cipher=DHE-RSA-AES256-SHA:AES128-SHA and --ssl, but it didn't help.
> >
> > Please give me some clue...
>
> i used the script below to generate ca.crt, client.pem, server.pem
> this setup has worked for years for replication as well as php-scripts
>
> [root@buildserver:~]$ cat /buildserver/ssl-cert/mysql/generate.sh
> #!/bin/bash
>
> DIR="/buildserver/ssl-cert/mysql"
>
> rm -rf $DIR/cert/
> rm -rf $DIR/db/
> mkdir $DIR/cert/
> mkdir $DIR/db/
>
> touch $DIR/db/index.txt
> echo "01" > $DIR/db/serial
>
> rm -f $DIR/ca.key
> rm -f $DIR/cert/ca.crt
>
> openssl req -new -x509 -days 3650 -keyout $DIR/ca.key -out $DIR/cert/ca.crt -config $DIR/openssl.cnf
>
> openssl req -new -keyout $DIR/cert/server.key -out $DIR/cert/server.csr -days 3650 -config $DIR/openssl.cnf
>
> openssl rsa -in $DIR/cert/server.key -out $DIR/cert/server.key
> openssl ca -policy policy_anything -out $DIR/cert/server.crt -days 3650 -config $DIR/openssl.cnf -infiles $DIR/cert/server.csr
>
> openssl req -new -keyout $DIR/cert/client.key -out $DIR/cert/client.csr -days 3650 -config $DIR/openssl.cnf
> openssl rsa -in $DIR/cert/client.key -out $DIR/cert/client.key
> openssl ca -policy policy_anything -out $DIR/cert/client.crt -days 3650 -config $DIR/openssl.cnf -infiles $DIR/cert/client.csr
>
> rm -f $DIR/cert/server.csr
> rm -f $DIR/cert/client.csr
> rm -f $DIR/cert/01.pem
> rm -f $DIR/cert/02.pem
>
> cat $DIR/cert/server.crt $DIR/cert/server.key > $DIR/cert/server.pem
> rm -f $DIR/cert/server.crt
> rm -f $DIR/cert/server.key
>
> cat $DIR/cert/client.crt $DIR/cert/client.key > $DIR/cert/client.pem
> rm -f $DIR/cert/client.crt
> rm -f $DIR/cert/client.key
>
> chmod 644 $DIR/cert/*
> rm -f /etc/mysql-ssl/*
> cp $DIR/cert/* /etc/mysql-ssl/
> chmod 755 /etc/mysql-ssl/
> chmod 644 /etc/mysql-ssl/*
Re: Failed to setup SSL
On 25.11.2012 00:30, Jackie Zhang wrote:
> Hello everyone,
>
> I want to setup SSL for mysql server. I followed the manual on
> http://dev.mysql.com/doc/refman/5.5/en/ssl-connections.html
>
> I first generated the certificates and key files by strictly following the
> following link,
> http://dev.mysql.com/doc/refman/5.5/en/creating-ssl-certs.html
> with everything verified:
>
> shell> openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem
> server-cert.pem: OK
> client-cert.pem: OK
>
>
> But, when I start my server using
> bin/mysqld --ssl-ca=./newcerts/ca-cert.pem \
> --ssl-cert=./newcerts/server-cert.pem \
> --ssl-key=./newcerts/server-key.pem
>
> The server started with the following error message:
> 121124 14:41:27 [Warning] Failed to setup SSL
> 121124 14:41:27 [Warning] SSL error: Failed to set ciphers to use
>
> Did I miss something? I tried to add
> --ssl-cipher=DHE-RSA-AES256-SHA:AES128-SHA and --ssl, but it didn't help.
>
> Please give me some clue...

i used the script below to generate ca.crt, client.pem, server.pem
this setup has worked for years for replication as well as php-scripts

[root@buildserver:~]$ cat /buildserver/ssl-cert/mysql/generate.sh
#!/bin/bash

DIR="/buildserver/ssl-cert/mysql"

# start from empty output and CA database directories
rm -rf $DIR/cert/
rm -rf $DIR/db/
mkdir $DIR/cert/
mkdir $DIR/db/

touch $DIR/db/index.txt
echo "01" > $DIR/db/serial

rm -f $DIR/ca.key
rm -f $DIR/cert/ca.crt

# self-signed CA certificate
openssl req -new -x509 -days 3650 -keyout $DIR/ca.key -out $DIR/cert/ca.crt -config $DIR/openssl.cnf

# server key and signing request
openssl req -new -keyout $DIR/cert/server.key -out $DIR/cert/server.csr -days 3650 -config $DIR/openssl.cnf

# write the key back unencrypted, then sign the request with the CA
openssl rsa -in $DIR/cert/server.key -out $DIR/cert/server.key
openssl ca -policy policy_anything -out $DIR/cert/server.crt -days 3650 -config $DIR/openssl.cnf -infiles $DIR/cert/server.csr

# client key and certificate, same steps
openssl req -new -keyout $DIR/cert/client.key -out $DIR/cert/client.csr -days 3650 -config $DIR/openssl.cnf
openssl rsa -in $DIR/cert/client.key -out $DIR/cert/client.key
openssl ca -policy policy_anything -out $DIR/cert/client.crt -days 3650 -config $DIR/openssl.cnf -infiles $DIR/cert/client.csr

# clean up intermediate files
rm -f $DIR/cert/server.csr
rm -f $DIR/cert/client.csr
rm -f $DIR/cert/01.pem
rm -f $DIR/cert/02.pem

# combine certificate and private key into one PEM file each
cat $DIR/cert/server.crt $DIR/cert/server.key > $DIR/cert/server.pem
rm -f $DIR/cert/server.crt
rm -f $DIR/cert/server.key

cat $DIR/cert/client.crt $DIR/cert/client.key > $DIR/cert/client.pem
rm -f $DIR/cert/client.crt
rm -f $DIR/cert/client.key

# install the files; mode 644 makes them readable by all users
chmod 644 $DIR/cert/*
rm -f /etc/mysql-ssl/*
cp $DIR/cert/* /etc/mysql-ssl/
chmod 755 /etc/mysql-ssl/
chmod 644 /etc/mysql-ssl/*
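
The checks suggested in this thread (absolute paths, file permissions, openssl verify, the --ssl-cipher list), collected into one script as an added example; it is not code from any of the posters or from MySQL. The function names, the PATH/READ/PERM/CHAIN/KEY/CIPHER labels and the throwaway demo certificates are constructed for illustration, and the key-to-certificate match goes one step beyond what the thread itself tried.

```shell
#!/bin/bash
# Added example (not from the thread): pre-flight checks for the files given
# to mysqld via --ssl-ca, --ssl-cert and --ssl-key, plus an optional cipher list.

# Constructed sample input: throwaway CA and server certificate in directory $1.
make_demo_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
        -keyout "$1/ca-key.pem" -out "$1/ca-cert.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-server" \
        -keyout "$1/server-key.pem" -out "$1/server-req.pem" 2>/dev/null &&
    openssl x509 -req -in "$1/server-req.pem" -days 1 -set_serial 01 \
        -CA "$1/ca-cert.pem" -CAkey "$1/ca-key.pem" \
        -out "$1/server-cert.pem" 2>/dev/null
}

# check_ssl_files CA CERT KEY [CIPHERS]
# Prints one line per finding; the exit status is the number of findings.
# e.g. check_ssl_files /etc/mysql-ssl/ca.crt /etc/mysql-ssl/server.pem /etc/mysql-ssl/server.pem
check_ssl_files() {
    local ca="$1" cert="$2" key="$3" ciphers="${4:-}" n=0 f cert_pub key_pub
    for f in "$ca" "$cert" "$key"; do
        case $f in /*) ;; *) echo "PATH $f: not an absolute path"; n=$((n+1)) ;; esac
        [ -r "$f" ] || { echo "READ $f: missing or not readable by $(id -un)"; n=$((n+1)); }
    done
    # Private key readable by "other" users (mode bit 004).
    if [ -n "$(find "$key" -perm -004 2>/dev/null)" ]; then
        echo "PERM $key: readable by all users"; n=$((n+1))
    fi
    # Same check the original poster ran: the server cert must chain to the CA.
    openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$' ||
        { echo "CHAIN $cert: does not verify against $ca"; n=$((n+1)); }
    # The key must belong to the certificate: compare the two public keys.
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null) || true
    key_pub=$(openssl pkey -pubout -passin pass: -in "$key" 2>/dev/null) || true
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "KEY $key: encrypted, unparsable or not the key for $cert"; n=$((n+1))
    fi
    # Cipher list as parsed by the local openssl binary; the library mysqld is
    # linked against may accept a different set.
    if [ -n "$ciphers" ] && ! openssl ciphers "$ciphers" >/dev/null 2>&1; then
        echo "CIPHER '$ciphers': selects no cipher suites"; n=$((n+1))
    fi
    return "$n"
}
```

Run it as the account mysqld runs under, so the readability check reflects what the server will see.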