Bug #112571 Updating SSL certificates on the MySQL docker container
Submitted: 29 Sep 2023 9:38
Modified: 29 Sep 2023 12:50
Reporter: Nuno P
Status: Not a Bug
Category: MySQL Server
Severity: S3 (Non-critical)
Version: 8.0
OS: Other (Docker)
Assigned to:
CPU Architecture: x86

[29 Sep 2023 9:38] Nuno P
Description:
Hello,

I use LetsEncrypt certificates for all my services, and mount those certificates against the MySQL docker container:

docker-compose.yml:

    volumes:
        - /path/to/certs/:/etc/my.cnf.d/certs/:ro

my.cnf:

    [mysqld]
    ssl_cert                        = "/etc/my.cnf.d/certs/fullchain.pem"
    ssl_key                         = "/etc/my.cnf.d/certs/privkey.pem"

If I update those certificates on the host, do I need to do anything on the container, such as either restarting it or running "FLUSH SSL;", or will the container handle the certificates being updated?

Also, I noticed that even though I have my own certificates, MySQL has gone ahead and generated some Server and Client certificates inside the local /var/lib/mysql/ folder. I wonder if it's really using my own certificates, although the paths seem to be the ones I provided, when I look at the live variables on the server. So I'm not sure what the certificates created inside /var/lib/mysql/ are used for.

Many thanks!

How to repeat:
N/A
[29 Sep 2023 11:30] MySQL Verification Team
Hi Mr. P,

Thank you for your bug report.

However, you are not reporting a bug, but asking for free support.

You will find the answer you are looking for in our Reference Manual. We shall help you with the URL:

https://dev.mysql.com/doc/refman/8.0/en/using-encrypted-connections.html#using-encrypted-c...

Not a bug.
[29 Sep 2023 12:50] Nuno P
Thank you. I appreciate your link to the documentation. My understanding is that as of 8.0.16, the new certificates will automatically be used on new connections.

As of 8.0.21, there is a new command "ALTER INSTANCE RELOAD TLS", but it only needs to be run if I'm changing other TLS configurations, and this doesn't need to be run when updating certificates.

Kind regards.
[29 Sep 2023 12:55] MySQL Verification Team
Mr. P,

You are truly welcome.
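
One way to verify, after a renewal, which certificate the running server actually presents to new connections is to compare its fingerprint with the leaf certificate in the mounted fullchain.pem. The sketch below is an added example, not part of the bug report or MySQL's own code; the default host, the script name in the usage comment, and the choice to skip trust validation (only bytes are compared) are assumptions.

```python
import hashlib
import socket
import ssl
import struct
import sys

CLIENT_PROTOCOL_41, CLIENT_SSL = 0x0200, 0x0800  # MySQL capability flags
PEM_BEGIN, PEM_END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"


def leaf_fingerprint(pem_text):
    """SHA-256 of the first certificate in a PEM bundle (the leaf in fullchain.pem)."""
    start = pem_text.index(PEM_BEGIN)
    end = pem_text.index(PEM_END, start) + len(PEM_END)
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_text[start:end])).hexdigest()


def ssl_request_packet():
    """SSLRequest: flags, max packet size, charset, 23 filler bytes; sequence id 1."""
    payload = struct.pack("<IIB23x", CLIENT_PROTOCOL_41 | CLIENT_SSL, 1 << 24, 45)
    return len(payload).to_bytes(3, "little") + b"\x01" + payload


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection during the greeting")
        buf += chunk
    return buf


def served_fingerprint(host, port=3306, timeout=5.0):
    """SHA-256 of the certificate mysqld presents to a new connection."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # probe only: bytes are compared, trust is not evaluated
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        length = int.from_bytes(_recv_exact(sock, 4)[:3], "little")
        _recv_exact(sock, length)  # discard the server greeting
        sock.sendall(ssl_request_packet())  # MySQL upgrades to TLS after this packet
        with ctx.wrap_socket(sock) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()


if __name__ == "__main__":  # usage: check_cert.py fullchain.pem [host]
    disk = leaf_fingerprint(open(sys.argv[1]).read())
    live = served_fingerprint(sys.argv[2] if len(sys.argv) > 2 else "127.0.0.1")
    print("served certificate matches disk" if disk == live else "server serves a different certificate")
```

Run it against the host-side copy of fullchain.pem right after the renewal job; a mismatch means the server has not yet picked up the new file.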