Installing an SSL Certificate for MySQL

Installing an SSL Certificate for MySQL
5 (100%) 1 vote

From time to time I’ve had users ask me to install an SSL certificate for their MySQL server. Currently this support is not enabled in cPanel automatically, nor is there an option to use it in WHM > Manage Service SSL Certificates at the time this article was written. However, you can install a certificate manually by following a few simple steps.

Checking for SSL Support:

First, you need to make sure that your MySQL installation has SSL support. If you’re using one of the cPanel RPMs, this should already be installed but disabled:

mysql> SHOW VARIABLES LIKE '%ssl%';
+---------------+----------+
| Variable_name | Value |
+---------------+----------+
| have_openssl | DISABLED |
| have_ssl | DISABLED |
.....
7 rows in set (0.00 sec)

If have_openssl or have_ssl is set to ‘NO’, it means that you don’t have MySQL support and you need to either upgrade MySQL, or if you’re running a manually-compiled version, enable SSL support.

Installing the Certificate

If you don’t already have a certificate, you can log into WHM > Generate a SSL Certificate and Signing Request and create one, even if it’s just self-signed.

If you already have an SSL certificate on the server (like a shared SSL), you can use that certificate for MySQL. Generally cPanel stores SSL files in /etc/ssl/certs and /etc/ssl/private, or /usr/share/ssl/certs and /usr/share/ssl/private. Find the path to the .crt, .cabundle, and .key files for your certificate.

Now, the irritating part is that /etc/ssl/private and /usr/share/ssl/private are set to root/700 permissions, so MySQL can’t read the key. cPanel will also reset the permissions of the keys during cPanel updates, so you don’t want to to just change the permissions of the key, but rather copy it to a new location, like /var/cpanel/ssl. First, create the folder and create symlinks from the SSL files, and copy the key over with the right permissions:

mkdir /var/cpanel/ssl/mysql
ln -sf /etc/ssl/certs/thecpaneladmin.com.crt /var/cpanel/ssl/mysql/thecpaneladmin.com.crt
ln -sf /etc/ssl/certs/thecpaneladmin.com.cabundle /var/cpanel/ssl/mysql/thecpaneladmin.com.cabundle
cp /etc/ssl/private/thecpaneladmin.com.key /var/cpanel/ssl/mysql
chown mysql thecpaneladmin.com.key

then edit /etc/my.cnf and add these lines:


[mysqld]
ssl-ca=/var/cpanel/ssl/mysql/thecpaneladmin.com.cabundle
ssl-cert=/var/cpanel/ssl/mysql/thecpaneladmin.com.crt
ssl-key=/var/cpanel/ssl/mysql/thecpaneladmin.com.key

[client]
ssl-ca=/var/cpanel/ssl/mysql/thecpaneladmin.com.cabundle
ssl-cert=/var/cpanel/ssl/mysql/thecpaneladmin.com.crt
ssl-key=/var/cpanel/ssl/mysql/thecpaneladmin.com.key

Obviously, the actual paths will be different for you. When you’ve added these, restart MySQL and enter back into the prompt, and check to make sure it’s enabled:


mysql> SHOW VARIABLES LIKE '%ssl%';
+---------------+---------------------------------------------------+
| Variable_name | Value |
+---------------+---------------------------------------------------+
| have_openssl | YES |
| have_ssl | YES |
| ssl_ca | /var/cpanel/ssl/mysql/thecpaneladmin.com.cabundle |
| ssl_capath | |
| ssl_cert | /var/cpanel/ssl/mysql/thecpaneladmin.com.crt |
| ssl_cipher | |
| ssl_key | /var/cpanel/ssl/mysql/thecpaneladmin.com.key |
+---------------+---------------------------------------------------+
7 rows in set (0.00 sec)

And there you go – MySQL is now supported with SSL. Keep in mind that if using a remote client or local .my.cnf file, you need to make sure that you are loading the certificates there as well.

Keep in mind that requiring a client side certificate can break some of your sites, so this configuration is not typically ideal for shared server environments. You may need to manually create additional client certificates and load them via .my.cnf in your user home folders.

2 Comments

  1. Pingback: Need some guidance / insight on an issue via /r/webhosting – Web Designer Solutions

  2. Pingback: Need some guidance / insight on an issue – Web Designer Solutions

Leave a Reply

Your email address will not be published. Required fields are marked *

Log in