Description:
If you use mysql_ssl_rsa_setup to generate ssl and rsa files in a directory different than the datadir (which can be more secure) then some configuration is needed before the client and server will pickup the config.
How to repeat:
Generate ssl and rsa files in an non-default location with mysql_ssl_rsa_setup.
Suggested fix:
This is what https://github.com/dveeden/mysslgen does:
============================================================
Please add/change these settings in /etc/mysql/my.cnf:
-------------------------
[mysqld]
ssl-ca = /tmp/sampledir/CAcert.pem
ssl-cert = /tmp/sampledir/server-cert.pem
ssl-key = /tmp/sampledir/server-key.pem
-------------------------
After setting these you need to restart MySQL to activate these settings
The client setup: (Place in ~/.my.cnf or your global config)
[client]
ssl-ca = /tmp/sampledir/CAcert.pem
ssl-cert = /tmp/sampledir/client-cert.pem
ssl-key = /tmp/sampledir/client-key.pem
Don't forget to specify REQUIRE SSL or REQUIRE X509 (if you want to force SSL for a user.
See also: http://dev.mysql.com/doc/refman/5.7/en/grant.html
============================================================
The '/tmp/sampledir' is the actual directory specified as argument, so the user only needs to copy/paste this information.
Please note that mysslgen doesn't do anything for rsa keys and mysql_ssl_rsa_setup does, so these should also be taken in account.