I have been able to set up my MySQL to use LetsEncrypt certificates with the steps below; unfortunately it is issuing warnings about official certs being self-signed (like from DigiCert, Comodo, etc…), so I wonder if there’s something missing from the configuration. Anyway, here’s my SSL configuration:
[mysqld]
require_secure_transport = on
mysqlx = 0
ssl_capath = /etc/ssl/certs
ssl_ca = /etc/ssl/certs/lets-encrypt-x3-cross-signed.pem
ssl_cert = /etc/mysql/cert.pem
ssl_key = /etc/mysql/privkey.pem
ssl_cipher = DHE-RSA-AES256-GCM-SHA384
tls_version = TLSv1.2
The problem
Everything in the ssl_capath comes up as a warning in the startup log (I’m doing tail -f /var/log/mysql/error.log):
YYYY-MM-DDTHH:mm:ss.SSSSSZ 0 [Warning] [MY-010068] [Server] CA certificate /etc/ssl/certs/SwissSign_Gold_CA_-_G2.pem is self signed.
YYYY-MM-DDTHH:mm:ss.SSSSSZ 0 [Warning] [MY-010068] [Server] CA certificate /etc/ssl/certs/Trustwave_Global_ECC_P256_Certification_Authority.pem is self signed.
...
Background
The ssl_ca file is from doing wget https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem -O /etc/ssl/certs/lets-encrypt-x3-cross-signed.pem
The ssl_cert is from getting my LE live subfolder cert.pem file, same with the ssl_key (from LE’s privkey.pem). I’ve also restricted cipher and TLS version, but that’s probably not it.
To verify that everything is indeed working correctly, I have added the following to my client configuration (locally, not on that server):
[mysql]
ssl_capath = /etc/ssl/certs
and got this session output:
user@localhost:~$ mysql --ssl-mode=VERIFY_IDENTITY -h mydomain.mytld -u remote -p -e "show variables like '%ssl%'; show session status like '%cipher%';"
+-------------------------------------+-------------------------------------------------+
| Variable_name | Value |
+-------------------------------------+-------------------------------------------------+
| admin_ssl_ca | |
| admin_ssl_capath | |
| admin_ssl_cert | |
| admin_ssl_cipher | |
| admin_ssl_crl | |
| admin_ssl_crlpath | |
| admin_ssl_key | |
| have_openssl | YES |
| have_ssl | YES |
| performance_schema_show_processlist | OFF |
| ssl_ca | /etc/ssl/certs/lets-encrypt-x3-cross-signed.pem |
| ssl_capath | /etc/ssl/certs |
| ssl_cert | /etc/mysql/cert.pem |
| ssl_cipher | DHE-RSA-AES256-GCM-SHA384 |
| ssl_crl | |
| ssl_crlpath | |
| ssl_fips_mode | OFF |
| ssl_key | /etc/mysql/privkey.pem |
+-------------------------------------+-------------------------------------------------+
+--------------------------+------------------------------------------------------------------------------------------------------+
| Variable_name | Value |
+--------------------------+------------------------------------------------------------------------------------------------------+
| Current_tls_cipher | DHE-RSA-AES256-GCM-SHA384 |
| Current_tls_ciphersuites | |
| Ssl_cipher | DHE-RSA-AES256-GCM-SHA384 |
| Ssl_cipher_list | TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:DHE-RSA-AES256-GCM-SHA384 |
+--------------------------+------------------------------------------------------------------------------------------------------+
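As an added illustration (not code from the question or from MySQL itself), the stdlib-only Python below approximates what the MY-010068 warning is flagging: a certificate in the ssl_ca/ssl_capath store whose issuer Name is byte-identical to its subject Name. Every root in a system trust directory such as /etc/ssl/certs meets that definition, so self_signed_in_dir lists the files the server would warn about at startup. All function names, the byte-comparison shortcut used in place of OpenSSL's full self-signed test, and the fake_certificate fixture are assumptions of this example.

```python
import base64
import re
from pathlib import Path

def _tlv(data, pos=0):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _children(value):                      # (tag, value) of each TLV inside a constructed value
    pos = 0
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        yield tag, inner

def issuer_and_subject(der):
    """Raw DER issuer and subject Names of a certificate (compared as bytes, not parsed)."""
    _, cert, _ = _tlv(der)                 # Certificate ::= SEQUENCE
    tbs = next(_children(cert))[1]         # tbsCertificate ::= SEQUENCE
    fields = [v for t, v in _children(tbs) if t != 0xA0]   # drop optional [0] version
    return fields[2], fields[4]            # serial, sigAlg, issuer, validity, subject, ...

def is_self_signed(der):
    """Approximation (assumption) of the check behind MY-010068: the cert is its own issuer."""
    issuer, subject = issuer_and_subject(der)
    return issuer == subject

def pem_to_der(pem_text):
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return base64.b64decode(m.group(1))

def self_signed_in_dir(capath):
    """The .pem files under capath that the server would warn about at startup."""
    return sorted(p.name for p in Path(capath).glob("*.pem")
                  if p.is_file() and is_self_signed(pem_to_der(p.read_text())))

def _der(tag, value):                      # DER encoder, used only for the constructed fixture
    length = bytes([len(value)]) if len(value) < 128 else b"\x82" + len(value).to_bytes(2, "big")
    return bytes([tag]) + length + value

def fake_certificate(issuer_cn, subject_cn):
    """Constructed, unsigned stand-in certificate for offline tests; not a real cert."""
    def name(cn):                          # Name ::= SEQUENCE OF (SET OF (OID commonName, PrintableString))
        return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x13, cn.encode()))))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + name(issuer_cn) + _der(0x30, b"") + name(subject_cn) + _der(0x30, b""))
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
```

Running self_signed_in_dir("/etc/ssl/certs") on a Debian-style host should list essentially every root bundle file, which is why pointing ssl_capath at the system store produces one warning per root.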