URGENT | MariaDB crashed after hitting "set as default services certificate" button

Did you check the etc location? Maybe that's the issue.

When Webmin generates the cert & key, they are placed in /etc/mysql and not /etc.


OK, thought it may copy to etc and config for /etc/mysql using old SSLs.

No, it does not. However, I have edited the config file to point to that Webmin-generated cert and Maria fails to start. In fact, point the configuration to any cert and Maria fails to start.

Hopefully someone might investigate what's going on.

I think the original problem in this thread has been solved and the conversation has moved on to some other (related, but different) topic. Can you start a new topic for the new problem?

OK, I'm not worried about Maria SSL on Ubuntu not working; @stefan1959 brought up the point that this configuration worked on other distros. TBF, I would rather use MySQL over Maria; I have had more database problems since I switched to a VM7 install (Maria) than over the previous decade with VM6 & smaller. So I won't be opening another thread on something I have no interest in.

The issue is that older MariaDB versions are quite capricious about the private key.

If you look at the MariaDB log on Ubuntu 20.04 at /var/log/mysql/error.log, you'd see:

    2023-04-28 18:25:16 0 [Note] InnoDB: Buffer pool(s) load completed at 230428 18:25:16
    SSL error: Unable to get private key from '/etc/mysql/mysql-ssl.key'
    2023-04-28 18:25:16 0 [ERROR] Failed to setup SSL
    2023-04-28 18:25:16 0 [ERROR] SSL error: Unable to get private key
    2023-04-28 18:25:16 0 [ERROR] Aborting

The fix for this problem is as simple as:

  1. Edit /etc/mysql/mysql-ssl.key and make the start and end blocks look like this:

    -----BEGIN RSA PRIVATE KEY-----
    -----END RSA PRIVATE KEY-----
    
  2. Run the following command:

    openssl rsa -in /etc/mysql/mysql-ssl.key -out /etc/mysql/mysql-ssl.key
    
  3. Restart MariaDB with the following command:

    systemctl restart mariadb
    

@Jamie, we need to consider older systems too, as this issue happens in Ubuntu 20.04 and doesn’t happen in Ubuntu 22.04



@Ilia what lines in mysql-ssl.key is MariaDB not accepting?

It’s about key format, I think!

Right, but what is wrong with the original format that you corrected in the comment above?

@Jamie, there is nothing wrong with it technically, it's just that older versions of MySQL/MariaDB don't understand the newer PKCS#8 format and expect PKCS#1 instead.

Using RSA in START and END blocks signals to newer versions of openssl that the key should be stored (on re-save) in the old PKCS#1 format, rather than the default PKCS#8.
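
One way to check which format a key file is in and produce a PKCS#1 copy without hand-editing the PEM headers. This is an added example, not code from this thread or from the Virtualmin commit; the function names `key_format` and `to_pkcs1` are made up for illustration, and it uses `openssl pkey -traditional` (assumed to be supported by the installed OpenSSL) in place of the header-editing step described above.

```bash
# Added example: key_format and to_pkcs1 are hypothetical helper names.

# Print the format named by the first private-key PEM header in file $1.
key_format() {
    local header
    header=$(grep -m1 -e '^-----BEGIN .*PRIVATE KEY-----' "$1" 2>/dev/null) || {
        echo "unknown"; return 1; }
    case "$header" in
        "-----BEGIN RSA PRIVATE KEY-----")       echo "pkcs1" ;;
        "-----BEGIN PRIVATE KEY-----")           echo "pkcs8" ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo "pkcs8-encrypted" ;;
        *)                                       echo "other" ;;
    esac
}

# Write a PKCS#1 copy of the RSA key in $1 to $2; $1 is never modified.
to_pkcs1() {
    local src="$1" dst="$2" fmt
    fmt=$(key_format "$src") || :
    case "$fmt" in
        pkcs1)
            # Already in the format older MariaDB expects: copy as-is.
            cp -p -- "$src" "$dst" || return 1 ;;
        pkcs8)
            # umask keeps the new private key unreadable to other users.
            ( umask 077
              openssl pkey -in "$src" -traditional -out "$dst" ) || return 1
            # A non-RSA key (e.g. EC) ends up with a different header: reject.
            if [ "$(key_format "$dst")" != "pkcs1" ]; then
                rm -f -- "$dst"
                echo "converted key is not a PKCS#1 RSA key" >&2
                return 1
            fi ;;
        *)
            # Encrypted or unrecognised keys are left for manual handling.
            echo "refusing to convert key of type: $fmt" >&2
            return 1 ;;
    esac
}
```

A converted copy is created readable only by the user who ran the conversion, so adjust its ownership so the MariaDB service account can read it before restarting.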

Ah, so maybe we can do that conversion in Webmin. But which versions of MySQL are too old? I'm surprised to see that Ubuntu 20.04 has such an old version.


I’m also surprised. Also, I cannot answer the question about which are considered to be too old.

Perhaps, we could just run such conversion for all MySQL and MariaDB versions? It appears to work for both new and old versions.

@Ilia how certain are you that PKCS 8 vs 1 is the issue? Because I used a test Ubuntu 20 system and copied a cert to MySQL, which I verified was in PKCS 8 format, and it was loaded just fine.

For sure it doesn't work.
I 'fixed' this issue by upgrading Maria to v10.6.12.

@Jamie, does your Ubuntu 22.04 have MariaDB installed or MySQL? The problem happens with a shipped version of MariaDB 10.3.38.

It's running MySQL version 8.0.32-0ubuntu0.20.04.2, which is what Virtualmin installs by default (or at least, it did when I set up that system).

I checked in this fix to convert the key to PKCS1 for copying to MySQL: Convert SSL private key to PKCS1 for MySQL · virtualmin/virtualmin-gpl@6aa3d6f · GitHub


That patch fixes the problem! Thanks!