【Posted】:2020-08-26 17:30:35
【Question】:
I am trying to set up SSL for mysql on my WHM server. I have been following the official cPanel documentation, but ran into a problem. I have created all the certificates and keys, set the owner to mysql, and added the specified lines to the my.cnf file, but after restarting mysql and running the following command, it gives this error:
root@euk-92874 [~]# mysql -e "show variables like '%ssl%';"
ERROR 2026 (HY000): SSL connection error: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Here is the my.cnf file (I have tried the paths both with and without ' quotes):
# This group is read both both by the client and the server
# use it for options that affect everything
#
#[client-server]
#
# include all files from the config directory
#
#!includedir /etc/my.cnf.d
[mysqld]
default-storage-engine=MyISAM
open_files_limit=10000
local-infile=0
datadir=/var/lib/mysql
user=mysql
# Disabling symbolic-links is recommended to prevent assorted security risks
#symbolic-links=0
max_user_connections=200
max_connections=500
interactive_timeout=300
wait_timeout=200
join_buffer_size = 128M
connect_timeout=300
#group_concat_max_len=2;
max-allowed-packet = 32M
max-connect-errors = 1000000
### INNODB
#innodb_buffer_pool_size=1000M
innodb_flush_log_at_trx_commit=1
innodb_file_per_table=1
## You may want to tune the below depending on number of cores and disk sub
innodb_write_io_threads=4
#innodb_io_capacity=20000
#innodb_io_capacity_max=40000
innodb_doublewrite=1
innodb_log_file_size=512M
innodb_log_files_in_group=2
innodb_buffer_pool_instances=2
innodb_thread_concurrency=16
## avoid statistics update when doing e.g show tables
innodb_stats_on_metadata=0
innodb_file_format=barracuda
innodb_flush_method = O_DIRECT
#REPLICATION SPECIFIC _ GENERAL
#server_id must be unique across all mysql servers participating in replication.
#OTHER THINGS, BUFFERS ETC
key_buffer_size = 256M
sort_buffer_size = 512K
read_buffer_size = 4M
read_rnd_buffer_size = 12M
myisam_sort_buffer_size = 64M
skip_name_resolve
table_cache = 750M
query_cache_limit = 30M
query_cache_size = 48M
tmp_table_size = 512M
max_heap_table_size = 256M
memlock=0
sysdate_is_now=1
max_connections=2000
thread_cache_size=256M
query_cache_type = 2
table_open_cache=1024
lower_case_table_names=0
thread_concurrency = 4
max_allowed_packet=268435456
ssl
ssl-cipher=DHE-RSA-AES256-SHA
ssl-ca='/mysql_keys/ca-cert.pem'
ssl-cert='/mysql_keys/server-cert.pem'
ssl-key='/mysql_keys/server-key.pem'
[mysqldump]
quick
max_allowed_packet = 512M
[mysql]
no-auto-rehash
[client]
ssl
ssl-cert='/mysql_keys/client-cert.pem'
ssl-key='/mysql_keys/client-key.pem'
[myisamchk]
key_buffer = 256M
sort_buffer_size = 256M
read_buffer = 2M
write_buffer = 2M
[mysqld_safe]
#log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
The certificates and keys are in the folder:
root@euk-92265 [~]# ls -la /mysql_keys
total 40
drwxr-xr-x 2 mysql mysql 4096 May 11 09:00 ./
drwxr-xr-x. 23 root root 4096 May 11 09:35 ../
-rw-r--r-- 1 mysql mysql 1472 May 11 08:54 ca-cert.pem
-rw-r--r-- 1 mysql mysql 1679 May 11 08:53 ca-key.pem
-rw-r--r-- 1 mysql mysql 1346 May 11 08:57 client-cert.pem
-rw-r--r-- 1 mysql mysql 1675 May 11 08:57 client-key.pem
-rw-r--r-- 1 mysql mysql 1123 May 11 08:57 client-req.pem
-rw-r--r-- 1 mysql mysql 1346 May 11 08:56 server-cert.pem
-rw-r--r-- 1 mysql mysql 1675 May 11 08:56 server-key.pem
-rw-r--r-- 1 mysql mysql 1155 May 11 08:56 server-req.pem
I would also provide a log, but I'm not sure where to find it. Does anyone have any ideas?
【Discussion】:
- Are the ssl files really in the '/mysql_keys' directory? What permissions (include ls -la /mysql_keys by editing your question)?
- Yes, they're there - I've updated the question
- Try looking at the mysql error log. chmod go-r /mysql_keys/server*key.pem; some things refuse to open a publicly readable server key. Are selinux labels needed to read them correctly? Unrelated: default-storage-engine=MyISAM looks like a mistake since you have a 1G buffer pool size.
- Where is the mysql log file? I tried to find it but couldn't.
- Probably logged on centos. journalctl -u mariadb.service or mysql.service
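A configuration checker, added here as an example (it is not code from the question, cPanel or MySQL): it parses the TLS options of a my.cnf and reports the points raised in the comments, a referenced file that is not present and a private key readable by group or other, plus any side that enables ssl without an ssl-ca, which leaves it unable to verify its peer. The config excerpt and the file modes are constructed from the question's my.cnf and ls -la output; on a live host, build the modes dict from os.stat.

```python
import configparser
import stat

# Constructed excerpt of the my.cnf from the question, TLS-relevant lines only.
SAMPLE_MY_CNF = """[mysqld]
skip_name_resolve
ssl
ssl-ca='/mysql_keys/ca-cert.pem'
ssl-cert='/mysql_keys/server-cert.pem'
ssl-key='/mysql_keys/server-key.pem'
[client]
ssl
ssl-cert='/mysql_keys/client-cert.pem'
ssl-key='/mysql_keys/client-key.pem'
"""

# Constructed modes mirroring the ls -la output in the question (all -rw-r--r--).
SAMPLE_MODES = {"/mysql_keys/" + f: 0o644 for f in (
    "ca-cert.pem", "server-cert.pem", "server-key.pem", "client-cert.pem", "client-key.pem")}

TLS_KEYS = ("ssl-ca", "ssl-cert", "ssl-key")


def parse_my_cnf(text):
    # my.cnf has value-less flags (ssl, skip_name_resolve) and real files repeat
    # keys, so configparser needs allow_no_value and strict=False; path quotes are stripped.
    cp = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    cp.read_string(text)
    return {s: {k: (None if v is None else v.strip("'\"")) for k, v in cp.items(s)}
            for s in cp.sections()}


def audit_tls(text, modes):
    """Findings for each section that enables ssl: a missing ssl-* option (without
    ssl-ca a side cannot verify its peer), a referenced file that does not exist
    (mode None), or a private key readable by group/other."""
    findings = []
    for section, opts in parse_my_cnf(text).items():
        if "ssl" not in opts and not any(k in opts for k in TLS_KEYS):
            continue  # section does not use TLS
        for key in TLS_KEYS:
            path = opts.get(key)
            if path is None:
                findings.append(f"[{section}] has no {key}")
            elif modes.get(path) is None:
                findings.append(f"[{section}] {key} -> {path} does not exist")
            elif key == "ssl-key" and modes[path] & (stat.S_IRGRP | stat.S_IROTH):
                findings.append(f"[{section}] {key} -> {path} readable by group/other ({modes[path]:04o})")
    return findings
```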
Tags: mysql ssl centos cpanel whm