I have been able to set up my MySQL to use Let's Encrypt certificates with the steps below; unfortunately it is issuing warnings about official certs being self-signed (like from DigiCert, Comodo, etc.), so I wonder if there's something missing from the configuration. Anyway, here's my SSL configuration:
```ini
[mysqld]
require_secure_transport = on
mysqlx = 0
ssl_capath = /etc/ssl/certs
ssl_ca = /etc/ssl/certs/lets-encrypt-x3-cross-signed.pem
ssl_cert = /etc/mysql/cert.pem
ssl_key = /etc/mysql/privkey.pem
ssl_cipher = DHE-RSA-AES256-GCM-SHA384
tls_version = TLSv1.2
```
The problem
Everything in the `ssl_capath` comes up as a warning in the startup log (I'm doing `tail -f /var/log/mysql/error.log`):
```text
YYYY-MM-DDTHH:mm:ss.SSSSSZ 0 [Warning] [MY-010068] [Server] CA certificate /etc/ssl/certs/SwissSign_Gold_CA_-_G2.pem is self signed.
YYYY-MM-DDTHH:mm:ss.SSSSSZ 0 [Warning] [MY-010068] [Server] CA certificate /etc/ssl/certs/Trustwave_Global_ECC_P256_Certification_Authority.pem is self signed.
...
```
Background
The `ssl_ca` file is from doing `wget https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem -O /etc/ssl/certs/lets-encrypt-x3-cross-signed.pem`. The `ssl_cert` is from getting my LE `live` subfolder `cert.pem` file, same with the `ssl_key` (from LE's `privkey.pem`). I've also restricted cipher and TLS version, but that's probably not it.
To verify that everything is indeed working correctly, I have added the following to my client configuration (locally, not on that server):
```ini
[mysql]
ssl_capath = /etc/ssl/certs
```
and this is the session output:
```console
user@localhost:~$ mysql --ssl-mode=VERIFY_IDENTITY -h mydomain.mytld -u remote -p -e "show variables like '%ssl%'; show session status like '%cipher%';"
+-------------------------------------+-------------------------------------------------+
| Variable_name                       | Value                                           |
+-------------------------------------+-------------------------------------------------+
| admin_ssl_ca                        |                                                 |
| admin_ssl_capath                    |                                                 |
| admin_ssl_cert                      |                                                 |
| admin_ssl_cipher                    |                                                 |
| admin_ssl_crl                       |                                                 |
| admin_ssl_crlpath                   |                                                 |
| admin_ssl_key                       |                                                 |
| have_openssl                        | YES                                             |
| have_ssl                            | YES                                             |
| performance_schema_show_processlist | OFF                                             |
| ssl_ca                              | /etc/ssl/certs/lets-encrypt-x3-cross-signed.pem |
| ssl_capath                          | /etc/ssl/certs                                  |
| ssl_cert                            | /etc/mysql/cert.pem                             |
| ssl_cipher                          | DHE-RSA-AES256-GCM-SHA384                       |
| ssl_crl                             |                                                 |
| ssl_crlpath                         |                                                 |
| ssl_fips_mode                       | OFF                                             |
| ssl_key                             | /etc/mysql/privkey.pem                          |
+-------------------------------------+-------------------------------------------------+
+--------------------------+------------------------------------------------------------------------------------------------------+
| Variable_name            | Value                                                                                                |
+--------------------------+------------------------------------------------------------------------------------------------------+
| Current_tls_cipher       | DHE-RSA-AES256-GCM-SHA384                                                                            |
| Current_tls_ciphersuites |                                                                                                      |
| Ssl_cipher               | DHE-RSA-AES256-GCM-SHA384                                                                            |
| Ssl_cipher_list          | TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:DHE-RSA-AES256-GCM-SHA384 |
+--------------------------+------------------------------------------------------------------------------------------------------+
```
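The MY-010068 warning above is emitted for every file under `ssl_capath` whose issuer name equals its subject name, and a root CA is by definition such a certificate, so pointing `ssl_capath` at the whole system trust store produces one warning per root in it. The script below is an added example, not code from the original post: it reproduces that issuer-equals-subject check over a CA directory so you can see which files would trigger it, and includes a helper to inspect the chain a MySQL server actually presents. It assumes the `openssl` CLI is installed, that CA files are PEM files ending in `.pem`, and (for the server check only) an OpenSSL with `-starttls mysql` support, 1.1.1 or later.

```sh
#!/bin/sh
# Added example (not from the original post): reproduce MySQL's MY-010068
# "CA certificate ... is self signed" check over a directory of CA files,
# and show how to inspect the chain a MySQL server presents.
# Assumes: openssl CLI installed; CA files are PEM and end in ".pem".
set -eu

# Canonical (RFC 2253) form of a certificate's subject or issuer name.
# $1 = "subject" or "issuer", $2 = PEM file.
cert_name() {
  openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed "s/^$1= *//"
}

# Returns 0 when issuer == subject, i.e. "self signed" in the sense MySQL's
# warning uses. Every root CA in a system trust store satisfies this.
is_self_signed() {
  [ "$(cert_name subject "$1")" = "$(cert_name issuer "$1")" ]
}

# Log one line per self-signed certificate in the directory (stderr, same
# wording as the MySQL error log) and print the count on stdout.
count_self_signed() {
  dir=$1
  n=0
  for f in "$dir"/*.pem; do
    [ -f "$f" ] || continue
    if is_self_signed "$f"; then
      echo "CA certificate $f is self signed." >&2
      n=$((n + 1))
    fi
  done
  echo "$n"
}

# Show the chain a MySQL server sends and have OpenSSL verify it against a
# CA directory and the hostname. -starttls mysql needs OpenSSL >= 1.1.1.
# Not run by default because it needs network access.
# $1 = host, $2 = port, $3 = CA directory.
show_server_chain() {
  openssl s_client -starttls mysql -connect "$1:$2" -showcerts \
    -CApath "$3" -verify_return_error -verify_hostname "$1" </dev/null
}

# Usage: sh scan_capath.sh /etc/ssl/certs
if [ -n "${1:-}" ]; then
  count_self_signed "$1"
fi
```

Run it against the directory used as `ssl_capath`; every file it reports is one the server will warn about at startup, which is expected for roots. The same two functions tell you whether a given `ssl_ca` file is a root or an intermediate, since an intermediate's issuer differs from its subject.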