1 (edited by RichieX 2019-03-15 15:26:27)

Topic: MySQL SSL with letsencrypt certificates

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.8 MYSQL edition
- Deployed with iRedMail Easy or the downloadable installer? yes
- Linux/BSD distribution name and version: Ubuntu 18.04.1
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): NGinx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

We want to use the existing MySQL DB (vmail/mailbox/username) to verify e-mail addresses with an external web application. This data transfer will only be done encrypted. I have enabled SSL in the MySQL configuration.

- cert files in /etc/letsencrypt/live/<domain>/*.pem (other locations, e.g. /etc/mysql/, give the same problem)
- ssl config in /etc/mysql/mysql.conf.d/mysqld.cnf enabled with

ssl=1
ssl-key=/etc/letsencrypt/live/<domain>/privkey.pem
ssl-cert=/etc/letsencrypt/live/<domain>/cert.pem
ssl-ca=/etc/letsencrypt/live/<domain>/fullchain.pem

- "sudo -u mysql cat /etc/letsencrypt/live/<domain>/fullchain.pem" can read this file

I get this error in mysql error log:

[Warning] Failed to set up SSL because of the following SSL library error: SSL_CTX_set_default_verify_paths failed

and

mysql> SHOW GLOBAL VARIABLES LIKE '%ssl%';
...
| have_openssl  | DISABLED |
| have_ssl      | DISABLED |
...


2

Re: MySQL SSL with letsencrypt certificates

Check permission of directories below:

- /etc/letsencrypt/live/
- /etc/letsencrypt/archive/

Can MySQL daemon user access them?
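The directory check suggested above, as an added example that is my own code and not part of this thread or the iRedMail project. It simulates what the MySQL daemon user (uid/gid passed in, not looked up) may read, using only classic mode bits: every directory along the path as written in mysqld.cnf and along the symlink-resolved path needs the search bit, because Let's Encrypt's live/<domain>/*.pem entries are symlinks into archive/<domain>/. The domain example.test, the fixture tree, the PEM bodies and the uid 65534 are constructed for the demo; AppArmor or other MAC policy is not modelled.

```python
# Added example (not from this thread or the iRedMail project): evaluate the
# ssl-key / ssl-cert / ssl-ca files named in a mysqld.cnf from the point of view
# of the daemon uid/gid, following live/ -> archive/ symlinks, and sanity-check
# the PEM contents.  Classic owner/group/other bits only (DAC); no AppArmor.
import configparser
import os
import shutil
import stat
import tempfile
from pathlib import Path

SSL_OPTIONS = ("ssl-key", "ssl-cert", "ssl-ca")
# PEM label each file must contain ("RSA PRIVATE KEY" also matches "PRIVATE KEY").
EXPECTED_PEM = {"ssl-key": "PRIVATE KEY", "ssl-cert": "CERTIFICATE", "ssl-ca": "CERTIFICATE"}


def read_ssl_paths(cnf_text):
    """Return {option: path} for the ssl-* options found in [mysqld]."""
    parser = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    parser.read_string(cnf_text)
    section = parser["mysqld"]
    return {opt: section[opt] for opt in SSL_OPTIONS if opt in section}


def _has_bit(st, uid, gid, ubit, gbit, obit):
    """Owner/group/other check on one stat result; root bypasses read/search."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & ubit)
    if st.st_gid == gid:
        return bool(st.st_mode & gbit)
    return bool(st.st_mode & obit)


def readable_by(path, uid, gid):
    """Can uid/gid open `path` for reading?  Returns (ok, reason).
    Directories on the written path and on the resolved path need x; the
    final regular file needs r."""
    written = Path(path).absolute()
    target = written.resolve()
    if not target.is_file():
        return False, f"{path} -> {target} is not a regular file"
    dirs = []
    for p in (written, target):
        for parent in reversed(p.parents):
            if parent not in dirs:
                dirs.append(parent)
    for d in dirs:
        if not _has_bit(os.stat(d), uid, gid, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return False, f"uid {uid} cannot search directory {d}"
    if not _has_bit(os.stat(target), uid, gid, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
        return False, f"uid {uid} cannot read {target}"
    return True, f"{path} -> {target} readable by uid {uid}"


def pem_labels(path):
    """Labels of the '-----BEGIN ...-----' blocks in a PEM file."""
    return [line[len("-----BEGIN "):-len("-----")]
            for line in Path(path).read_text().splitlines()
            if line.startswith("-----BEGIN ") and line.endswith("-----")]


def check_mysql_ssl(cnf_text, uid, gid):
    """Return {option: (ok, message)} for each ssl-* option in cnf_text."""
    results = {}
    for opt, path in read_ssl_paths(cnf_text).items():
        ok, msg = readable_by(path, uid, gid)
        if ok:
            labels = pem_labels(path)
            if not any(EXPECTED_PEM[opt] in lbl for lbl in labels):
                ok, msg = False, f"{path}: expected a {EXPECTED_PEM[opt]} block, found {labels}"
            else:
                msg += f" ({len(labels)} PEM block(s))"
        results[opt] = (ok, msg)
    return results


def make_demo_tree(root):
    """Constructed fixture mimicking /etc/letsencrypt: live/<domain>/*.pem are
    relative symlinks into archive/<domain>/.  Returns a mysqld.cnf snippet."""
    root = Path(root)
    archive, live = root / "archive" / "example.test", root / "live" / "example.test"
    archive.mkdir(parents=True)
    live.mkdir(parents=True)
    cert = "-----BEGIN CERTIFICATE-----\nMIIC...constructed...\n-----END CERTIFICATE-----\n"
    key = "-----BEGIN PRIVATE KEY-----\nMIIE...constructed...\n-----END PRIVATE KEY-----\n"
    for name, body in (("privkey1.pem", key), ("cert1.pem", cert), ("fullchain1.pem", cert * 2)):
        (archive / name).write_text(body)
        (archive / name).chmod(0o644)  # demo only; a real private key stays 0600/0640
    for name in ("privkey", "cert", "fullchain"):
        os.symlink(f"../../archive/example.test/{name}1.pem", live / f"{name}.pem")
    for d in (root, root / "archive", archive, root / "live", live):
        d.chmod(0o755)
    return (f"[mysqld]\nssl=1\nssl-key={live}/privkey.pem\n"
            f"ssl-cert={live}/cert.pem\nssl-ca={live}/fullchain.pem\n")


def demo():
    """Check twice: archive/ locked to 0700 (the case the reply asks about),
    then opened to 0755.  Returns (before, after) result dicts."""
    root = Path(tempfile.mkdtemp(prefix="le-demo-"))
    try:
        cnf = make_demo_tree(root)
        uid = gid = 65534 if os.getuid() != 65534 else 65533  # not the fixture's owner
        (root / "archive").chmod(0o700)
        before = check_mysql_ssl(cnf, uid, gid)
        (root / "archive").chmod(0o755)
        after = check_mysql_ssl(cnf, uid, gid)
    finally:
        shutil.rmtree(root)
    return before, after


if __name__ == "__main__":
    for phase, res in zip(("archive 0700", "archive 0755"), demo()):
        for opt, (ok, msg) in res.items():
            print(f"[{phase}] {opt}: {'OK  ' if ok else 'FAIL'} {msg}")
```

On a real server, feed it the contents of /etc/mysql/mysql.conf.d/mysqld.cnf (strip any `!include` lines first, which configparser does not understand) with `pwd.getpwnam("mysql").pw_uid` and `.pw_gid`. A pass only means discretionary permissions allow the read; on Ubuntu, mysqld also runs under an AppArmor profile, so if every file checks out, the next thing to look at is `apparmor="DENIED"` entries for mysqld in the kernel log. Whatever the server side ends up using, the external web application should connect with `--ssl-mode=VERIFY_CA` or `VERIFY_IDENTITY` and the issuing CA configured as its `ssl-ca`; the default mode only encrypts opportunistically and does not authenticate the server.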

3 (edited by RichieX 2019-03-18 22:20:04)

Re: MySQL SSL with letsencrypt certificates

ZhangHuangbin wrote:

Check permission of directories below:

- /etc/letsencrypt/live/
- /etc/letsencrypt/archive/

drwxr-xr-x 3 root root 4096 Jun  6  2018 live
drwxr-xr-x 3 root root 4096 Jun  6  2018 archive
root@mx:/# ls -l /etc/letsencrypt/live/
total 4
drwxr-xr-x 2 root root 4096 Feb 11 15:58 <domain>

and so on ...

Can MySQL daemon user access them?

mysql user can read the files ("sudo -u mysql cat /etc/letsencrypt/live/<domain>/fullchain.pem" can read this file).


I think that's not a file permission problem. I have copied the certificate files into /etc/mysql/ and changed permission/owner to the mysql user, with the same error.

EDIT: tparrott has the same problem and no answer (until now):
https://serverfault.com/questions/95851 … ths-failed

EDIT2:
tparrott has reinstalled mysql. This is not an option for me.

4

Re: MySQL SSL with letsencrypt certificates

I totally misunderstood the SSL communication between mysql server and client. Let's Encrypt certificates cannot be used in the mysql configuration. Certificates must be generated via mysql_ssl_rsa_setup.