1 Topic by HenrikStahl

  • HenrikStahl
  • Member
  • Offline
  • Registered: 2023-09-20
  • Posts: 3

Topic: RHEL upgrade of MariaDB downed service

- iRedMail: 1.6.5 MARIADB edition
- Deployed with downloadable installer
- Red Hat Enterprise Linux release 8.8
- Store mail accounts in MySQL/MariaDB
- Web server: nginx/1.14.1
- Manage mail accounts with iRedAdmin-Pro: Yes

This morning RHEL upgraded MariaDB to Ver 10.3.39-MariaDB

Our mailservice failed after the upgrade.

Error logged: mail1 mysqld[536264]: SSL error: Unable to get certificate from '/etc/pki/tls/certs/iRedMail.crt'

We downgraded back to 10.3.35-MariaDB and service returned to fully working.

I'd google for a while but found exactly nothing about it.

Has anyone else experienced this and possibly found the source of the problem?

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by HenrikStahl

  • HenrikStahl
  • Member
  • Offline
  • Registered: 2023-09-20
  • Posts: 3

Re: RHEL upgrade of MariaDB downed service

Most likely this is what causes the error, we are investigating it.

MariaDB 10.3.37 Release Notes

Notable Items

SSL
The server no longer tolerates incorrectly configured SSL (MDEV-29811). If you have enabled SSL in my.cnf but have not configured it properly (for example, a certificate file is missing), MariaDB used to silently disable SSL, leaving you under impression that everything was fine and connections were secure. Since this release, MariaDB will fail to start if SSL is enabled, but cannot be switched on.

3 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 30,809

Re: RHEL upgrade of MariaDB downed service

If MariaDB is accessed locally and locally only, no need to configure SSL for mariadb.

4 Reply by HenrikStahl

  • HenrikStahl
  • Member
  • Offline
  • Registered: 2023-09-20
  • Posts: 3

Re: RHEL upgrade of MariaDB downed service

ZhangHuangbin wrote:

If MariaDB is accessed locally and locally only, no need to configure SSL for mariadb.

Yes, that's why it has worked, but now she wisely decided not to start without. We will try --skip-ssl or get her to understand our .pem file.

Henrik

5 Reply by tyllee

  • tyllee
  • Member
  • Offline
  • Registered: 2013-03-27
  • Posts: 98

Re: RHEL upgrade of MariaDB downed service

We have the same issue. After last dnf auto-update our iredmail server stopped working due above mentioned error. So we have to downgrade to get mariadb up and running again. We can solve this in many ways now, example stick to the old version of mariadb. But what is the preferred upstream solution for iRedMail? Any changes to my.cnf that you recommend? Remove SSL support in my.cnf? What is the best future solution?

6 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 30,809

Re: RHEL upgrade of MariaDB downed service

The easiest way should be disable ssl related parameters in my.cnf.