Debian Bug report logs - #927289
mariadb-server-10.3: SSL error: Unable to get private key

Package: mariadb-server-10.3; Maintainer for mariadb-server-10.3 is Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>; Source for mariadb-server-10.3 is src:mariadb-10.3 (PTS, buildd, popcon).

Reported by: Olaf van der Spek <olafvdspek@gmail.com>

Date: Wed, 17 Apr 2019 12:57:01 UTC

Severity: normal

Found in version mariadb-10.3/1:10.3.13-2

Done: Otto Kekäläinen <otto@debian.org>

Bug is archived. No further changes may be made.

Display info messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, olafvdspek@gmail.com, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#927289; Package mariadb-server-10.3. (Wed, 17 Apr 2019 12:57:03 GMT) (full text, mbox, link).

Acknowledgement sent to Olaf van der Spek <olafvdspek@gmail.com>:
New Bug report received and forwarded. Copy sent to olafvdspek@gmail.com, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Wed, 17 Apr 2019 12:57:03 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

Package: mariadb-server-10.3
Version: 1:10.3.13-2
Severity: normal

Dear Maintainer,

I followed https://www.cyberciti.biz/faq/how-to-setup-mariadb-ssl-and-secure-connections-from-clients/ but something went wrong:

2019-04-17 12:24:55 0 [Note] InnoDB: Loading buffer pool(s) from /var/lib/mysql/ib_buffer_pool
SSL error: Unable to get private key from '/etc/mysql/ssl/server-key.pem'
2019-04-17 12:24:55 0 [Warning] Failed to setup SSL
2019-04-17 12:24:55 0 [Warning] SSL error: Unable to get private key

What went wrong?

# cat /etc/mysql/ssl/server-key.pem
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

Is a better guide available?
Could this be automated?

Greetings,

Olaf

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages mariadb-server-10.3 depends on:
ii  adduser                   3.118
ii  debconf [debconf-2.0]     1.5.71
ii  galera-3                  25.3.25-2
ii  gawk                      1:4.2.1+dfsg-1
ii  iproute2                  4.20.0-2
ii  libc6                     2.28-8
ii  libdbi-perl               1.642-1+b1
ii  libgnutls30               3.6.6-2
ii  libpam0g                  1.3.1-5
ii  libstdc++6                8.3.0-6
ii  lsb-base                  10.2019031300
ii  lsof                      4.91+dfsg-1
ii  mariadb-client-10.3       1:10.3.13-2
ii  mariadb-common            1:10.3.13-2
ii  mariadb-server-core-10.3  1:10.3.13-2
ii  passwd                    1:4.5-1.1
ii  perl                      5.28.1-6
ii  psmisc                    23.2-1
ii  rsync                     3.1.3-6
ii  socat                     1.7.3.2-2
ii  zlib1g                    1:1.2.11.dfsg-1

Versions of packages mariadb-server-10.3 recommends:
ii  libhtml-template-perl  2.97-1

Versions of packages mariadb-server-10.3 suggests:
ii  mailutils [mailx]  1:3.5-3
pn  mariadb-test       <none>
pn  netcat-openbsd     <none>
pn  tinyca             <none>

-- Configuration Files:
/etc/mysql/mariadb.conf.d/50-server.cnf changed:
[server]
[mysqld]
user                    = mysql
pid-file                = /run/mysqld/mysqld.pid
socket                  = /run/mysqld/mysqld.sock
basedir                 = /usr
datadir                 = /var/lib/mysql
tmpdir                  = /tmp
lc-messages-dir         = /usr/share/mysql
query_cache_size        = 16M
log_error = /var/log/mysql/error.log
expire_logs_days        = 10
ssl-ca=/etc/mysql/ssl/ca-cert.pem
ssl-cert=/etc/mysql/ssl/server-cert.pem
ssl-key=/etc/mysql/ssl/server-key.pem
character-set-server  = utf8mb4
collation-server      = utf8mb4_general_ci


-- debconf information:
  mariadb-server-10.3/nis_warning:
  mariadb-server-10.3/postrm_remove_databases: false
  mariadb-server-10.3/old_data_directory_saved:

Information forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#927289; Package mariadb-server-10.3. (Wed, 17 Apr 2019 13:12:05 GMT) (full text, mbox, link).

Acknowledgement sent to Otto Kekäläinen <otto@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Wed, 17 Apr 2019 13:12:05 GMT) (full text, mbox, link).

Message #10 received at 927289@bugs.debian.org (full text, mbox, reply):

What does this print?

find /etc/mysql/ -ls

Are your file permissions correct?
Does TLS work on any previous version of MariaDB in Debian, a MariaDB
version from MariaDB.org repos or using some MySQL version?

In Debian packaging we can only fix things that "normally" work. If it
is an upstream issue it is out of scope of Debian packaging work.

Also see related https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921151

Acknowledgement sent to Olaf van der Spek <olafvdspek@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Wed, 17 Apr 2019 13:24:02 GMT) (full text, mbox, link).

Message #15 received at 927289@bugs.debian.org (full text, mbox, reply):

Op wo 17 apr. 2019 om 15:09 schreef Otto Kekäläinen <otto@debian.org>:
>
> What does this print?
>
> find /etc/mysql/ -ls

# find /etc/mysql/ -ls
   137133      4 drwxr-xr-x   5 root     root         4096 Apr 17
12:14 /etc/mysql/
   132729      0 lrwxrwxrwx   1 root     root           24 Apr 17
06:56 /etc/mysql/my.cnf -> /etc/alternatives/my.cnf
   399024      4 drwxr-xr-x   2 root     root         4096 Apr 17
12:17 /etc/mysql/ssl
   399278      4 -rw-r--r--   1 root     root          981 Apr 17
12:17 /etc/mysql/ssl/client-cert.pem
   399274      4 -rw-r--r--   1 root     root          899 Apr 17
12:16 /etc/mysql/ssl/server-req.pem
   399276      4 -rw-------   1 root     root         1679 Apr 17
12:17 /etc/mysql/ssl/client-key.pem
   399277      4 -rw-r--r--   1 root     root          899 Apr 17
12:17 /etc/mysql/ssl/client-req.pem
   399053      4 -rw-r--r--   1 root     root         1679 Apr 17
12:14 /etc/mysql/ssl/ca-key.pem
   399273      4 -rw-------   1 root     root         1679 Apr 17
12:16 /etc/mysql/ssl/server-key.pem
   399275      4 -rwxr-xr-x   1 root     root          981 Apr 17
12:16 /etc/mysql/ssl/server-cert.pem
   399272      4 -rw-r--r--   1 root     root         1127 Apr 17
12:15 /etc/mysql/ssl/ca-cert.pem
   139576      4 -rwxr-xr-x   1 root     root         1620 Jan 18
20:04 /etc/mysql/debian-start
   137152      4 drwxr-xr-x   2 root     root         4096 Apr 17
12:24 /etc/mysql/mariadb.conf.d
   139714      4 -rw-r--r--   1 root     root         2934 Apr 17
12:24 /etc/mysql/mariadb.conf.d/50-server.cnf
   139568      4 -rw-r--r--   1 root     root          336 Jan  8
22:10 /etc/mysql/mariadb.conf.d/50-mysql-clients.cnf
   139567      4 -rw-r--r--   1 root     root          733 Jan  8
22:10 /etc/mysql/mariadb.conf.d/50-client.cnf
   139577      4 -rw-r--r--   1 root     root         1032 Jan  8
22:10 /etc/mysql/mariadb.conf.d/50-mysqld_safe.cnf
   137151      4 -rw-r--r--   1 root     root          869 Jan  8
22:10 /etc/mysql/mariadb.cnf
   139615      4 -rw-------   1 root     root          277 Apr 17
07:02 /etc/mysql/debian.cnf
   137134      4 drwxr-xr-x   2 root     root         4096 Apr 17
06:56 /etc/mysql/conf.d
   137136      4 -rw-r--r--   1 root     root           55 Aug  3
2016 /etc/mysql/conf.d/mysqldump.cnf
   137135      4 -rw-r--r--   1 root     root            8 Aug  3
2016 /etc/mysql/conf.d/mysql.cnf
   137137      4 -rw-r--r--   1 root     root          839 Aug  3
2016 /etc/mysql/my.cnf.fallback

> Are your file permissions correct?

Don't know ;)

> Does TLS work on any previous version of MariaDB in Debian, a MariaDB
> version from MariaDB.org repos or using some MySQL version?

It's the first time I try to setup TLS. Maybe it's related to openssl
vs non-openssl?

> In Debian packaging we can only fix things that "normally" work. If it
> is an upstream issue it is out of scope of Debian packaging work.
>
> Also see related https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921151



-- 
Olaf

Message #20 received at 927289@bugs.debian.org (full text, mbox, reply):

Try making the overly broad permissions of
/etc/mysql/ssl/server-key.pem -rwxr-xr-x
to something less world-readable.

Message #25 received at 927289@bugs.debian.org (full text, mbox, reply):

Op wo 17 apr. 2019 om 16:40 schreef Otto Kekäläinen <otto@debian.org>:
>
> Try making the overly broad permissions of
> /etc/mysql/ssl/server-key.pem -rwxr-xr-x
> to something less world-readable.

# chmod 700 server-cert.pem
# service mysql restart

error.log:
SSL error: Unable to get certificate from '/etc/mysql/ssl/server-cert.pem'
2019-04-17 14:41:29 0 [Warning] Failed to setup SSL
2019-04-17 14:41:29 0 [Warning] SSL error: Unable to get certificate


-- 
Olaf

Message #30 received at 927289@bugs.debian.org (full text, mbox, reply):

> > Try making the overly broad permissions of
> > /etc/mysql/ssl/server-key.pem -rwxr-xr-x
> > to something less world-readable.
>
> # chmod 700 server-cert.pem
> # service mysql restart
>
> error.log:
> SSL error: Unable to get certificate from '/etc/mysql/ssl/server-cert.pem'
> 2019-04-17 14:41:29 0 [Warning] Failed to setup SSL
> 2019-04-17 14:41:29 0 [Warning] SSL error: Unable to get certificate

Maybe you need to seek out for SSL experts on what the correct file
permissions or other settings are supposed to be. Based on the info
provided there is nothing I can debug or fix, sorry.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#927289; Package mariadb-server-10.3. (Thu, 25 Apr 2019 18:03:03 GMT) (full text, mbox, link).

Acknowledgement sent to Olaf van der Spek <olafvdspek@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Thu, 25 Apr 2019 18:03:03 GMT) (full text, mbox, link).

Message #35 received at 927289@bugs.debian.org (full text, mbox, reply):

Op wo 17 apr. 2019 om 19:45 schreef Otto Kekäläinen <otto@debian.org>:
>
> > > Try making the overly broad permissions of
> > > /etc/mysql/ssl/server-key.pem -rwxr-xr-x
> > > to something less world-readable.
> >
> > # chmod 700 server-cert.pem
> > # service mysql restart
> >
> > error.log:
> > SSL error: Unable to get certificate from '/etc/mysql/ssl/server-cert.pem'
> > 2019-04-17 14:41:29 0 [Warning] Failed to setup SSL
> > 2019-04-17 14:41:29 0 [Warning] SSL error: Unable to get certificate
>
> Maybe you need to seek out for SSL experts on what the correct file
> permissions or other settings are supposed to be. Based on the info
> provided there is nothing I can debug or fix, sorry.

The documentation could be improved. I've created a ticket upstream @
https://jira.mariadb.org/browse/MDEV-19268


-- 
Olaf

Acknowledgement sent to faustin@fala.red:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Wed, 11 Sep 2019 13:45:03 GMT) (full text, mbox, link).

Message #40 received at 927289@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

Hi Olaf,
did you finally managed to setup the TLS between client and server?

Let me know if you want me to test something based on
https://mariadb.com/kb/en/library/securing-connections-for-client-and-server/
and
https://mariadb.com/kb/en/library/certificate-creation-with-openssl/.

Faustin

Olaf van der Spek <olafvdspek@gmail.com>,
25/04/2019 – 19:59:27 (+0200):

> The documentation could be improved. I've created a ticket upstream @
> https://jira.mariadb.org/browse/MDEV-19268

[signature.asc (application/pgp-signature, inline)]

Message #45 received at 927289@bugs.debian.org (full text, mbox, reply):

Op wo 11 sep. 2019 om 15:27 schreef Faustin Lammler <faustin@fala.red>:
>
> Hi Olaf,
> did you finally managed to setup the TLS between client and server?
>
> Let me know if you want me to test something based on
> https://mariadb.com/kb/en/library/securing-connections-for-client-and-server/
> and
> https://mariadb.com/kb/en/library/certificate-creation-with-openssl/.

No, I gave up.
I'll give it another try and let you know.


-- 
Olaf

Information forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#927289; Package mariadb-server-10.3. (Thu, 12 Sep 2019 11:03:03 GMT) (full text, mbox, link).

Acknowledgement sent to Pietsch Michael <Pietsch@dsm.museum>:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Thu, 12 Sep 2019 11:03:03 GMT) (full text, mbox, link).

Message #50 received at 927289@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

In case someone stumbles on this with the error message
SSL error: Unable to get private key from '/some/path/to/private.key'
0 [Warning] Failed to setup SSL
0 [Warning] SSL error: Unable to get private key

Make sure the format of the private key is in PKCS#1 format ("-----BEGIN RSA 
PRIVATE KEY-----" at start of the private key) and not PKCS#8 format 
("-----BEGIN PRIVATE KEY-----"). The PKCS#8 format is default since Buster I 
think when using "openssl req -newkey ..."
It seems like yaSSL doesn't understand that format...

To convert it use:
openssl rsa -in key.pem -out key.pem

Best regards

Michael

[smime.p7s (application/pkcs7-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#927289; Package mariadb-server-10.3. (Mon, 24 Aug 2020 05:09:06 GMT) (full text, mbox, link).

Acknowledgement sent to Otto Kekäläinen <otto@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Mon, 24 Aug 2020 05:09:06 GMT) (full text, mbox, link).

Message #55 received at 927289@bugs.debian.org (full text, mbox, reply):

Hello!

If this issue is still relevant, and you have a suggestion how to fix
it, please file a Merge Request on Salsa as a proposal. Thanks!

https://wiki.debian.org/Teams/MySQL/patches

Information forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#927289; Package mariadb-server-10.3. (Mon, 21 Sep 2020 08:21:04 GMT) (full text, mbox, link).

Acknowledgement sent to Otto Kekäläinen <otto@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Mon, 21 Sep 2020 08:21:04 GMT) (full text, mbox, link).

Message #60 received at 927289@bugs.debian.org (full text, mbox, reply):

Hello Olaf!

Did you try the tip from Michael Pietsch about converting the
certificate to the correct format?

Information forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#927289; Package mariadb-server-10.3. (Mon, 21 Sep 2020 14:48:02 GMT) (full text, mbox, link).

Acknowledgement sent to faustin@fala.red:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Mon, 21 Sep 2020 14:48:02 GMT) (full text, mbox, link).

Message #65 received at 927289@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

Hi,
the tip from Michael Pietsch seems to have been confirmed in the KB
documentation, see comments from Jean Weisbuch
https://mariadb.com/kb/en/certificate-creation-with-openssl/

So if it's a certificate format problem due to a bad generation
procedure, I guess we could close this.

I have raised this documentation problem in
https://jira.mariadb.org/browse/MDEV-19268

Faustin

[signature.asc (application/pgp-signature, inline)]

Reply sent to Otto Kekäläinen <otto@debian.org>:
You have taken responsibility. (Mon, 21 Sep 2020 16:00:06 GMT) (full text, mbox, link).

Notification sent to Olaf van der Spek <olafvdspek@gmail.com>:
Bug acknowledged by developer. (Mon, 21 Sep 2020 16:00:06 GMT) (full text, mbox, link).

Message #70 received at 927289-done@bugs.debian.org (full text, mbox, reply):

Ok, closing as suggested

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 20 Oct 2020 07:29:37 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Sep 14 06:33:54 2024; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Debian Bug report logs - #927289 mariadb-server-10.3: SSL error: Unable to get private key

Debian Bug report logs - #927289
mariadb-server-10.3: SSL error: Unable to get private key