MariaDB SSL CRL testing issue ?!
[usr@hostname pki]# openssl crl -inform DER -text -noout -in DBversity_Internal_DeviceCA_CRL.crl | grep -A1 'XXXXXXXXXXXXXX'
Serial Number: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Revocation Date: Dec 6 08:46:28 2016 GMT
[usr@hostname pki]#
[usr@hostname pki]#
[usr@hostname pki]# date
Fri Dec 9 06:04:44 EST 2016
[usr@hostname pki]#
But MariaDB seems to expect this file to be in PEM (rather than the default DER) format, so you need to convert the version you were using (i.e. the one referenced in the CA file) to PEM format, e.g.:
[usr@hostname pki]# openssl crl -inform DER -outform PEM -text -in DBversity_Internal_DeviceCA_CRL.crl -out DBversity_Internal_DeviceCA_CRL.crl.pem
[usr@hostname pki]# ll -lhtr
-rwxrwxr-x 1 mysql mysql 22K Dec 9 05:59 DBversity_Internal_DeviceCA_CRL.crl
-rwxrwxr-x 1 mysql mysql 106K Dec 19 02:00 DBversity_Internal_DeviceCA_CRL.crl.pem
[usr@hostname pki]#
[usr@hostname pki]# cat /etc/opt/rh/rh-mariadb101/my.cnf
# This group is read both both by the client and the server
# use it for options that affect everything
[client-server]
[client]
ssl
ssl-cipher = AES128+EECDH:AES128+EDH
ssl-ca = /etc/opt/rh/rh-mariadb101/pki/ca.pem
ssl-crl = /etc/opt/rh/rh-mariadb101/pki/DBversity_Internal_DeviceCA_CRL.crl.pem
ssl-verify-server-cert
[mysqld]
ssl
ssl-cipher = AES128+EECDH:AES128+EDH
ssl-ca = /etc/opt/rh/rh-mariadb101/pki/ca.pem
ssl-cert = /etc/opt/rh/rh-mariadb101/pki/mariadb_cert.pem
ssl-key = /etc/opt/rh/rh-mariadb101/pki/mariadb_privatekey.aes
ssl-crl = /etc/opt/rh/rh-mariadb101/pki/DBversity_Internal_DeviceCA_CRL.crl.pem
skip-grant-tables
port = 4306
performance_schema = on
skip-show-database
skip-symbolic-links
symbolic-links = 0
local-infile = 0
bind-address = hostname
wait_timeout = 1800
interactive_timeout = 1800
datadir = /var/opt/rh/rh-mariadb101/lib/mysql
#################### <-- MariaDB Plugins --> ###############################################
#pam_use_cleartext_plugin
plugin-dir = /opt/rh/rh-mariadb101/root/usr/lib64/mysql/plugin/
plugin-load = auth_gssapi.so
plugin-load = auth_pam.so
plugin-load = simple_password_check.so
plugin-load = server_audit.so
##################### <-- Kerberos configuration --> #######################################
gssapi-keytab-path = /etc/opt/rh/rh-mariadb101/mariadb.keytab
##################### <-- Logging switches --> #######################################
general-log
log-error = /var/opt/rh/rh-mariadb101/log/mariadb/mariadb.log
general-log-file = /var/opt/rh/rh-mariadb101/lib/mysql/general_query.log
log-output = file
log_warnings = 3
slow-query-log-file = /var/opt/rh/rh-mariadb101/lib/mysql/slow-query.log
secure_file_priv = /var/opt/rh/rh-mariadb101/log/mariadb/
allow-suspicious-udfs = FALSE
# include all files from the config directory
!includedir /etc/opt/rh/rh-mariadb101/my.cnf.d
[usr@hostname pki]#
[usr@hostname pki]# > /var/opt/rh/rh-mariadb101/log/mariadb/mariadb.log; service rh-mariadb101-mariadb restart ;
spawn service rh-mariadb101-mariadb restart citi
Stopping rh-mariadb101-mariadb: [ OK ]
Enter PEM pass phrase:
Starting rh-mariadb101-mariadb: [ OK ]
[usr@hostname pki]#
[usr@hostname pki]#
[usr@hostname pki]#
[usr@hostname pki]#
[usr@hostname pki]#
[usr@hostname pki]# more /var/opt/rh/rh-mariadb101/log/mariadb/mariadb.log
2016-12-19 2:55:23 140512675683072 [Note] /opt/rh/rh-mariadb101/root/usr/libexec/mysqld: Normal shutdown
161219 2:55:23 server_audit: STOPPED
2016-12-19 2:55:23 140511815902976 [Note] InnoDB: FTS optimize thread exiting.
2016-12-19 2:55:23 140512675683072 [Note] InnoDB: Starting shutdown...
2016-12-19 2:55:24 140512675683072 [Note] InnoDB: Shutdown completed; log sequence number 23904335992
2016-12-19 2:55:24 140512675683072 [Note] /opt/rh/rh-mariadb101/root/usr/libexec/mysqld: Shutdown complete
161219 02:55:24 mysqld_safe mysqld from pid file /var/run/rh-mariadb101-mariadb/mariadb.pid ended
161219 02:55:25 mysqld_safe Starting mysqld daemon with databases from /var/opt/rh/rh-mariadb101/lib/mysql
2016-12-19 2:55:26 140200177371104 [Note] /opt/rh/rh-mariadb101/root/usr/libexec/mysqld (mysqld 10.1.16-MariaDB) starting as process 12603 ...
2016-12-19 2:55:26 140200177371104 [Note] Loaded 'server_audit.so' with offset 0x7f82d332c000
2016-12-19 2:55:26 140200177371104 [Note] Loaded 'auth_gssapi.so' with offset 0x7f82d3128000
2016-12-19 2:55:26 140200177371104 [Note] InnoDB: Using mutexes to ref count buffer pool pages
2016-12-19 2:55:26 140200177371104 [Note] InnoDB: The InnoDB memory heap is disabled
2016-12-19 2:55:26 140200177371104 [Note] InnoDB: Mutexes and rw_locks use GCC atomic builtins
2016-12-19 2:55:26 140200177371104 [Note] InnoDB: Memory barrier is not used
2016-12-19 2:55:26 140200177371104 [Note] InnoDB: Compressed tables use zlib 1.2.3
2016-12-19 2:55:26 140200177371104 [Note] InnoDB: Using Linux native AIO
2016-12-19 2:55:26 140200177371104 [Note] InnoDB: Using SSE crc32 instructions
2016-12-19 2:55:26 140200177371104 [Note] InnoDB: Initializing buffer pool, size = 128.0M
2016-12-19 2:55:26 140200177371104 [Note] InnoDB: Completed initialization of buffer pool
2016-12-19 2:55:26 140200177371104 [Note] InnoDB: Highest supported file format is Barracuda.
2016-12-19 2:55:26 140200177371104 [Note] InnoDB: 128 rollback segment(s) are active.
2016-12-19 2:55:26 140200177371104 [Note] InnoDB: Waiting for purge to start
2016-12-19 2:55:26 140200177371104 [Note] InnoDB: Percona XtraDB (http://www.percona.com) 5.6.30-76.3 started; log sequence number 23904335992
2016-12-19 2:55:26 140199128004352 [Note] InnoDB: Dumping buffer pool(s) not yet started
2016-12-19 2:55:26 140200177371104 [Note] Plugin 'FEEDBACK' is disabled.
2016-12-19 2:55:26 140200177371104 [Note] GSSAPI plugin : using principal name 'mariadb/hostname.dbversity.com@DBVERSITY.COM'
161219 2:55:26 server_audit: MariaDB Audit Plugin version 1.4.0 STARTED.
161219 2:55:26 server_audit: Query cache is enabled with the TABLE events. Some table reads can be veiled.
2016-12-19 2:55:26 140200177371104 [Note] Server socket created on IP: '10.40.45.188'.
2016-12-19 2:55:26 140200177371104 [Note] Reading of all Master_info entries succeded
2016-12-19 2:55:26 140200177371104 [Note] Added new Master_info '' to hash table
2016-12-19 2:55:26 140200177371104 [Note] /opt/rh/rh-mariadb101/root/usr/libexec/mysqld: ready for connections.
Version: '10.1.16-MariaDB' socket: '/var/lib/mysql/mysql.sock' port: 4306 MariaDB Server
[usr@hostname pki]#
[usr@hostname pki]#
[usr@hostname pki]#
[usr@hostname pki]#
[usr@hostname pki]# mysql -u mariadb/hostname.dbversity.com@DBVERSITY.COM
ERROR 2026 (HY000): SSL connection error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
[usr@hostname pki]#
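The steps above (look up a serial in the CRL, convert DER to PEM, point ssl-crl at the result, restart) as an added pre-flight script; this is example code, not from the original post, and the CA and CRL file names it assumes are the ones from the my.cnf shown. It checks the CRL's encoding before conversion and verifies the CRL signature against the CA, since a CRL OpenSSL cannot verify is one of the things that surfaces client-side as "certificate verify failed"; it does not claim to resolve the error the post ends on.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for a CRL
# before pointing MariaDB's ssl-crl at it. File names are assumptions.
set -eu

# Print PEM, DER or UNKNOWN for a CRL file. MariaDB (through OpenSSL) wants
# PEM; a DER CRL is a raw ASN.1 SEQUENCE, so its first byte is 0x30.
crl_encoding() {
    if head -c 64 "$1" | grep -q -- '-----BEGIN X509 CRL-----'; then
        echo PEM
    elif [ "$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "30" ]; then
        echo DER
    else
        echo UNKNOWN
    fi
}

# Write a PEM copy of the CRL, converting only when the input is DER.
crl_to_pem() {
    case "$(crl_encoding "$1")" in
        PEM) cp "$1" "$2" ;;
        DER) openssl crl -inform DER -in "$1" -outform PEM -out "$2" ;;
        *)   echo "$1: not a CRL" >&2; return 1 ;;
    esac
}

# Verify the CRL signature against the CA and print its validity window;
# an unverifiable or expired CRL makes OpenSSL clients reject the server.
crl_check() {
    openssl crl -in "$1" -CAfile "$2" -noout -lastupdate -nextupdate
}

# Succeed if the certificate serial (hex, as openssl prints it) is listed
# as revoked in the CRL; this is the grep lookup from the post as a function.
crl_has_serial() {
    openssl crl -in "$1" -noout -text | grep -qi "Serial Number: $2"
}

# Usage with the post's file names (assumed present in the pki directory):
# crl_to_pem DBversity_Internal_DeviceCA_CRL.crl DBversity_Internal_DeviceCA_CRL.crl.pem
# crl_check DBversity_Internal_DeviceCA_CRL.crl.pem ca.pem
# crl_has_serial DBversity_Internal_DeviceCA_CRL.crl.pem 0A1B2C && echo revoked
```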