
How to configure SSL (TLS) in MySQL 5.7.x

Posted at 2016-12-11

Purpose

This is a memo of the my.cnf settings needed to enable SSL in MySQL 5.7, so I don't have to work them out again.

Reference

I referred to 詳解MySQL 5.7 止まらぬ進化に乗り遅れないためのテクニカルガイド (a Japanese technical guide to MySQL 5.7).

Environment

RPM : mysql-community-server-5.7.14-1.el7.x86_64 and related packages
OS : CentOS 7.1 on Docker

Steps

Install MySQL 5.7 with yum

  • yum -y install mysql-community-server
    (the package comes from the MySQL Yum repository, which has to be enabled first; `mariadb-server` from the CentOS 7 base repository installs MariaDB, not the mysql-community-server 5.7.14 RPM listed above)

Decide where the data directory and the PEM files live

  • /var/lib/mysql

Create the PEM files

  • mysql_ssl_rsa_setup --datadir=/var/lib/mysql
    (this needs the openssl command in PATH; it does not overwrite files that already exist, and --uid=mysql makes the created files owned by mysql right away)
  • Confirm that the following PEM files were created
  • Give ca.pem to the clients; it is what they use to verify the server certificate (--ssl-mode=VERIFY_CA / VERIFY_IDENTITY)

PEM file          Used in my.cnf                                        Given to the client
ca.pem            ssl-ca                                                yes (--ssl-ca)
ca-key.pem        no; this is the CA signing key, keep it off the server  no
client-key.pem    no                                                    yes (--ssl-key, only needed for accounts with REQUIRE X509)
client-cert.pem   no                                                    yes (--ssl-cert, same as above)
server-key.pem    ssl-key                                               no
server-cert.pem   ssl-cert                                              no
private_key.pem   no; RSA key pair for sha256_password, not for SSL     no
public_key.pem    no; same as above                                     no

  • chown mysql *.pem
    (run in /var/lib/mysql; mysqld runs as the mysql user and must be able to read server-key.pem, otherwise startup logs "Unable to get private key". Keep the *-key.pem files at mode 0600.)

Point my.cnf at the PEM files

[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock

ssl-ca=/var/lib/mysql/ca.pem
ssl-cert=/var/lib/mysql/server-cert.pem
ssl-key=/var/lib/mysql/server-key.pem

log-error=/var/log/mysqld.log

ssl-ca is the CA certificate (ca.pem). Never point it at ca-key.pem: that file is the CA's private key, the server has no use for it, and it should not even be on the database host once the certificates are signed.

Start the server, check the error log, and confirm that SSL is enabled (have_ssl must be YES; DISABLED means the PEM settings were rejected)

show variables like '%ssl%';
+---------------+-------------------------------+
| Variable_name | Value                         |
+---------------+-------------------------------+
| have_openssl  | YES                           |
| have_ssl      | YES                           |
| ssl_ca        | /var/lib/mysql/ca.pem         |
| ssl_capath    |                               |
| ssl_cert      | /var/lib/mysql/server-cert.pem|
| ssl_cipher    |                               |
| ssl_crl       |                               |
| ssl_crlpath   |                               |
| ssl_key       | /var/lib/mysql/server-key.pem |
+---------------+-------------------------------+
9 rows in set (0.01 sec)

If errors appear

When the PEM file permissions are wrong (mysqld, running as the mysql user, cannot read server-key.pem):

2016-12-11T07:06:15.894162Z 0 [ERROR] SSL error: Unable to get private key from '/var/lib/mysql/server-key.pem'
2016-12-11T07:06:15.894178Z 0 [Warning] Failed to set up SSL because of the following SSL library error: Unable to get private key

When the PEM settings are wrong (for example no usable ssl-ca, so OpenSSL falls back to its default CA paths and fails):

2016-12-11T07:05:34.829599Z 0 [Warning] Failed to set up SSL because of the following SSL library error: SSL_CTX_set_default_verify_paths failed

With ssl-ca=/var/lib/mysql/ca.pem the server also logs the following line. This is a warning, not an error: mysql_ssl_rsa_setup generates a self-signed CA, so the message is expected and SSL is set up normally (have_ssl stays YES). Do not "fix" it by pointing ssl-ca at ca-key.pem; ssl-ca must be the CA certificate.

2016-12-11T07:07:52.345063Z 0 [Warning] CA certificate /var/lib/mysql/ca.pem is self signed.
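The three failure modes above (unreadable key, wrong PEM paths, the CA private key given instead of the CA certificate) can all be caught before mysqld is restarted. The script below is an added example, not code from the original post or from MySQL: it reads ssl-ca, ssl-cert and ssl-key from the [mysqld] section of a my.cnf, checks that each file exists and is readable, that ssl-ca and ssl-cert contain a CERTIFICATE block and no PRIVATE KEY block, that ssl-key contains a private key and is not group- or world-accessible, and, when the openssl CLI is available, that server-cert.pem verifies against ca.pem. The function names (cnf_value, pem_has_cert, pem_has_key, check_mysql_ssl_cnf, check_mysql_ssl_chain, make_demo) and the fixture files are assumptions made up for this example; the fixtures contain placeholder PEM headers only, no real key material.

```shell
#!/bin/sh
# Preflight check for the SSL entries of a MySQL 5.7 my.cnf. Added example;
# not from the original post or from MySQL. All function names are made up.
# Run it as the mysql user (sudo -u mysql sh preflight.sh /etc/my.cnf):
# mysqld reads the files as that user, and root would pass a readability
# check that mysqld then fails with "Unable to get private key".

# Value of an option in the [mysqld] section only. '-' and '_' spellings are
# equivalent in MySQL option files, and a later line overrides an earlier one.
cnf_value() {  # $1 = my.cnf, $2 = option name in dash form, e.g. ssl-ca
    awk -v want="$2" '
        /^[[:space:]]*\[/ { in_mysqld = ($0 ~ /^[[:space:]]*\[mysqld\]/); next }
        in_mysqld && /^[[:space:]]*[A-Za-z_-]+[[:space:]]*=/ {
            key = $0; sub(/[[:space:]]*=.*$/, "", key); gsub(/^[[:space:]]+/, "", key)
            gsub(/_/, "-", key)
            if (key == want) {
                val = $0; sub(/^[^=]*=[[:space:]]*/, "", val); sub(/[[:space:]]+$/, "", val)
                print val
            }
        }' "$1" | tail -n 1
}

pem_has_cert() { grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; }
pem_has_key()  { grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"; }

# Returns 0 when ssl-ca, ssl-cert and ssl-key all look usable, 1 otherwise.
check_mysql_ssl_cnf() {  # $1 = my.cnf
    cnf=$1
    rc=0
    for opt in ssl-ca ssl-cert ssl-key; do
        path=$(cnf_value "$cnf" "$opt")
        if [ -z "$path" ]; then
            echo "FAIL: $opt is not set in [mysqld]"; rc=1; continue
        fi
        if [ ! -r "$path" ]; then
            echo "FAIL: $opt=$path is missing or not readable by $(id -un)"; rc=1; continue
        fi
        if [ "$opt" = ssl-key ]; then
            if ! pem_has_key "$path"; then
                echo "FAIL: $opt=$path has no PRIVATE KEY block"; rc=1
            fi
            # Columns 5-10 of ls -l are the group and other permission bits.
            bits=$(ls -l "$path" | cut -c5-10)
            if [ "$bits" != "------" ]; then
                echo "FAIL: $opt=$path is group/world accessible ($bits); use chmod 600"; rc=1
            fi
        else
            if ! pem_has_cert "$path"; then
                echo "FAIL: $opt=$path has no CERTIFICATE block"; rc=1
            fi
            if pem_has_key "$path"; then
                echo "FAIL: $opt=$path contains a private key (ca-key.pem instead of ca.pem?)"; rc=1
            fi
        fi
    done
    return "$rc"
}

# Confirms that the server certificate chains to the CA the clients are given.
# Needs the openssl CLI and real certificates (not the fixtures below).
check_mysql_ssl_chain() {  # $1 = ca.pem, $2 = server-cert.pem
    openssl verify -CAfile "$1" "$2"
}

# Constructed fixture for self-testing: placeholder PEM blocks (headers and a
# dummy base64 line, no real key material) plus a my.cnf. $2 = good | bad.
make_demo() {  # $1 = directory, $2 = good|bad
    dir=$1
    mkdir -p "$dir"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'ZHVtbXk=' '-----END CERTIFICATE-----' > "$dir/ca.pem"
    cp "$dir/ca.pem" "$dir/server-cert.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'ZHVtbXk=' '-----END RSA PRIVATE KEY-----' > "$dir/ca-key.pem"
    cp "$dir/ca-key.pem" "$dir/server-key.pem"
    chmod 600 "$dir/ca-key.pem" "$dir/server-key.pem"
    ca=ca.pem
    if [ "$2" = bad ]; then
        ca=ca-key.pem                    # CA private key given as ssl-ca
        chmod 644 "$dir/server-key.pem"  # key readable by everyone
    fi
    # The [client] section is a decoy: only [mysqld] must be read.
    cat > "$dir/my.cnf" <<EOF
[client]
ssl-ca=/nonexistent/ca.pem

[mysqld]
datadir=$dir
ssl_ca = $dir/$ca
ssl-cert=$dir/server-cert.pem
ssl-key=$dir/server-key.pem
EOF
}

if [ $# -gt 0 ]; then
    check_mysql_ssl_cnf "$1"
fi
```

The readability test is only meaningful under the account mysqld runs as, which is why the script should be invoked with `sudo -u mysql`. A passing preflight does not prove the certificate is trusted by clients; that is what check_mysql_ssl_chain (openssl verify) and a VERIFY_CA connection from a real client confirm.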

Create an account that requires SSL

 mysql> GRANT ALL PRIVILEGES ON *.* TO 'ssl'@'localhost' IDENTIFIED BY 'PassWord@01' REQUIRE SSL;

REQUIRE SSL makes the server reject plaintext connections for this account. GRANT ... IDENTIFIED BY still works in 5.7 but is deprecated; CREATE USER ... REQUIRE SSL followed by a separate GRANT is the current form. ALL PRIVILEGES ON *.* is only for this test; a real account gets just the privileges it needs. REQUIRE X509 instead of REQUIRE SSL additionally demands a client certificate (client-cert.pem and client-key.pem).

Connect from a client

 mysql -ussl -p --ssl-mode=REQUIRED
mysql> \s

--ssl-mode=REQUIRED (5.7.11 and later) replaces the older --ssl flag and refuses to connect without TLS, but it does not check who the server is. To also authenticate the server, give the client ca.pem and use --ssl-mode=VERIFY_CA --ssl-ca=/path/to/ca.pem (VERIFY_IDENTITY additionally checks the host name in the certificate). The \s (status) output shows whether TLS is in use; "SSL: Not in use" would mean a plaintext connection:

mysql  Ver 14.14 Distrib 5.7.16, for Linux (x86_64) using  EditLine wrapper

Connection id:          9
Current database:
Current user:           ssl@localhost
SSL:                    Cipher in use is DHE-RSA-AES256-SHA
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server version:         5.7.14 MySQL Community Server (GPL)
Protocol version:       10
Connection:             Localhost via UNIX socket
Server characterset:    latin1
Db     characterset:    latin1
Client characterset:    utf8
Conn.  characterset:    utf8
UNIX socket:            /var/lib/mysql/mysql.sock
Uptime:                 34 min 6 sec
