Bug #77825 | mysqld --initialize should not complain about lack of ssl certs | ||
---|---|---|---|
Submitted: | 24 Jul 2015 5:33 | Modified: | 19 Aug 2015 13:46 |
Reporter: | Giuseppe Maxia (OCA) | Email Updates: | |
Status: | Closed | Impact on me: | |
Category: | MySQL Server: Installing | Severity: | S2 (Serious) |
Version: | 5.7.8 | OS: | Any |
Assigned to: | Georgi Kodinov | CPU Architecture: | Any |
Tags: | bootstrap, installation |
[24 Jul 2015 5:33]
Giuseppe Maxia
[24 Jul 2015 7:54]
MySQL Verification Team
Hello Giuseppe, Thank you for the report. Thanks, Umesh
[24 Jul 2015 7:54]
MySQL Verification Team
```
// 5.7.8 -- Build

[umshastr@hod03]/export/umesh/server/binaries/mysql-5.7.8-rc-linux-glibc2.5-x86_64: cat docs/INFO_SRC
commit: ae3b133e5f7b13d1edf7acf7eee6af2c2b4014e2
date: 2015-07-20 14:02:16 +0200
build-date: 2015-07-20 14:16:07 +0200
short: ae3b133
branch: mysql-5.7.8-rc-release

MySQL source 5.7.8

[umshastr@hod03]/export/umesh/server/binaries/mysql-5.7.8-rc-linux-glibc2.5-x86_64: bin/mysqld --no-defaults --initialize --basedir=/export/umesh/server/binaries/mysql-5.7.8-rc-linux-glibc2.5-x86_64 --datadir=/export/umesh/server/binaries/mysql-5.7.8-rc-linux-glibc2.5-x86_64/mydata
2015-07-24T07:05:30.793242Z 0 [Warning] TIMESTAMP with implicit DEFAULT value is deprecated. Please use --explicit_defaults_for_timestamp server option (see documentation for more details).
2015-07-24T07:05:30.992580Z 0 [Warning] InnoDB: New log files created, LSN=45790
2015-07-24T07:05:31.023123Z 0 [Warning] InnoDB: Creating foreign key constraint system tables.
2015-07-24T07:05:31.078710Z 0 [Warning] No existing UUID has been found, so we assume that this is the first time that this server has been started. Generating a new UUID: 5ef6b1ad-31d2-11e5-b925-0010e05f3e06.
2015-07-24T07:05:31.079218Z 0 [Warning] Gtid table is not ready to be used. Table 'mysql.gtid_executed' cannot be opened.
2015-07-24T07:05:31.079292Z 0 [Warning] Failed to setup SSL
2015-07-24T07:05:31.079309Z 0 [Warning] SSL error: SSL context is not usable without certificate and private key
2015-07-24T07:05:31.079778Z 1 [Warning] A temporary password is generated for root@localhost: H5wVhMd+grzS
```
[24 Jul 2015 8:06]
MySQL Verification Team
I'm unable to locate exact bug# which fixed this but surely this is not repeatable in daily/trunk builds:

```
// 5.7.9 -- Build

[umshastr@hod03]/export/umesh/server/binaries/mysql-advanced-5.7.9: cat docs/INFO_SRC
commit: a43c30d8a6bdbad63ec2d7cbc3af25034270f6c2
date: 2015-07-24 10:16:19 +0530
build-date: 2015-07-24 07:21:33 +0200
short: a43c30d
branch: mysql-5.7

MySQL source 5.7.9

[umshastr@hod03]/export/umesh/server/binaries/mysql-advanced-5.7.9: bin/mysqld --no-defaults --initialize --basedir=/export/umesh/server/binaries/mysql-advanced-5.7.9 --datadir=/export/umesh/server/binaries/mysql-advanced-5.7.9/mydata
2015-07-24T08:03:59.500089Z 0 [Warning] TIMESTAMP with implicit DEFAULT value is deprecated. Please use --explicit_defaults_for_timestamp server option (see documentation for more details).
2015-07-24T08:03:59.682255Z 0 [Warning] InnoDB: New log files created, LSN=45790
2015-07-24T08:03:59.713527Z 0 [Warning] InnoDB: Creating foreign key constraint system tables.
2015-07-24T08:03:59.769327Z 0 [Warning] No existing UUID has been found, so we assume that this is the first time that this server has been started. Generating a new UUID: 8a4e64f0-31da-11e5-bfd5-0010e05f3e06.
2015-07-24T08:03:59.769781Z 0 [Warning] Gtid table is not ready to be used. Table 'mysql.gtid_executed' cannot be opened.
2015-07-24T08:04:00.283034Z 0 [Warning] CA certificate ca.pem is self signed.
2015-07-24T08:04:00.918491Z 1 [Warning] A temporary password is generated for root@localhost: w=d0!vGdOqwI

// 5.8.0 -- Build

[umshastr@hod03]/export/umesh/server/binaries/mysql-advanced-5.8.0: cat docs/INFO_SRC
commit: c2fa9b66cb29576ef228249cfeced33d4719be96
date: 2015-07-24 10:17:26 +0530
build-date: 2015-07-24 07:34:25 +0200
short: c2fa9b6
branch: mysql-trunk

MySQL source 5.8.0

[umshastr@hod03]/export/umesh/server/binaries/mysql-advanced-5.8.0: bin/mysqld --no-defaults --initialize --basedir=/export/umesh/server/binaries/mysql-advanced-5.8.0 --datadir=/export/umesh/server/binaries/mysql-advanced-5.8.0/mydata
2015-07-24T08:02:58.013573Z 0 [Warning] TIMESTAMP with implicit DEFAULT value is deprecated. Please use --explicit_defaults_for_timestamp server option (see documentation for more details).
2015-07-24T08:02:58.174128Z 0 [Warning] InnoDB: New log files created, LSN=46884
2015-07-24T08:02:58.203043Z 0 [Warning] InnoDB: Creating foreign key constraint system tables.
2015-07-24T08:02:58.259254Z 0 [Warning] No existing UUID has been found, so we assume that this is the first time that this server has been started. Generating a new UUID: 65a4b3ba-31da-11e5-be2b-0010e05f3e06.
2015-07-24T08:02:58.259740Z 0 [Warning] Gtid table is not ready to be used. Table 'mysql.gtid_executed' cannot be opened.
2015-07-24T08:02:59.308789Z 0 [Warning] CA certificate ca.pem is self signed.
2015-07-24T08:02:59.664809Z 1 [Warning] A temporary password is generated for root@localhost: %>fja=Kxd3G?
```
[6 Aug 2015 9:32]
Georgi Kodinov
Hi Giuseppe,

I was wondering why is this even a bug. http://dev.mysql.com/doc/refman/5.7/en/ssl-options.html#option_general_ssl says: "For the MySQL server, this option specifies that the server permits but does not require SSL connections. The option is enabled on the server side by default as of MySQL 5.7.5, and disabled before 5.7.5."

I know this is not very practical when you're bootstrapping (since the server won't actually listen for connections and thus does not need SSL), but it can be considered an early warning too that you now need SSL key material. As you've pointed out yourself, --skip-ssl is all you need as a token of accepting the fact that there won't be a possibility to encrypt the connections. I could hush the warning if it's in bootstrap/initialize mode, but IMHO the early warning is a good idea.
[6 Aug 2015 9:54]
Giuseppe Maxia
Hi Joro,

Thanks for your comment. I think the confusion arises from the fact that mysql_install_db does everything that is expected (i.e. creates the certificates) while mysqld --initialize does not. If the problem comes from the server's inability to create certificates, that warning should be an error.
[6 Aug 2015 13:44]
Georgi Kodinov
Giuseppe,

The problem comes from yaSSL's inability to generate key material. So we need to work around in separate scripts/binaries. And it being an error is debatable too. --ssl on the server means support SSL, not disable unencrypted connections. Should that have been the case then it would have been promoted to an error indeed. Anyway I get your point about the default way etc and will hush the warning in this case.
[19 Aug 2015 13:46]
Paul DuBois
Noted in 5.7.9, 5.8.0 changelogs. mysqld --initialize produced warnings about missing SSL files, which is unnecessary because initialization does not require SSL.
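
An added example, not part of the bug thread or of MySQL's code: since `--ssl` only permits encrypted connections, the SSL warnings quoted above are the one signal that a server has no key material, and the same output also carries the temporary root password. The hypothetical `audit_init_log` helper below classifies the TLS state from the message texts shown in the thread and redacts the password before the log is shipped anywhere; the sample log is constructed.

```python
import re

# mysqld 5.7 error-log layout seen in the thread:
#   <UTC timestamp> <thread id> [<Level>] <message>
LOG_LINE = re.compile(r"^(\S+) (\d+) \[(\w+)\] (.*)$")
# Message texts copied from the 5.7.8 and 5.7.9 output in the thread.
NO_KEY_MATERIAL = (
    "Failed to setup SSL",
    "SSL error: SSL context is not usable without certificate and private key",
)
SELF_SIGNED_CA = re.compile(r"^CA certificate (\S+) is self signed\.$")
TEMP_PASSWORD = re.compile(r"^(A temporary password is generated for \S+: )(.+)$")


def audit_init_log(text):
    """Return (tls_state, redacted_lines) for mysqld error-log text.

    tls_state is "no-key-material", "self-signed-ca" or "not-reported".
    "not-reported" is not a pass: 5.7.9+ stays silent about missing SSL
    files during --initialize, so audit the first regular start as well.
    """
    state = "not-reported"
    redacted = []
    for raw in text.splitlines():
        m = LOG_LINE.match(raw.strip())
        if not m:
            redacted.append(raw)  # continuation or foreign line: pass through
            continue
        ts, thread, level, msg = m.groups()
        if msg in NO_KEY_MATERIAL:
            state = "no-key-material"  # server runs, but cannot encrypt
        elif SELF_SIGNED_CA.match(msg) and state == "not-reported":
            state = "self-signed-ca"
        pw = TEMP_PASSWORD.match(msg)
        if pw:  # keep the credential out of shipped logs
            msg = pw.group(1) + "<redacted>"
        redacted.append(f"{ts} {thread} [{level}] {msg}")
    return state, redacted


# Constructed sample modelled on the 5.7.8 output; the password is a placeholder.
SAMPLE_578 = """\
2015-07-24T07:05:31.079292Z 0 [Warning] Failed to setup SSL
2015-07-24T07:05:31.079309Z 0 [Warning] SSL error: SSL context is not usable without certificate and private key
2015-07-24T07:05:31.079778Z 1 [Warning] A temporary password is generated for root@localhost: PLACEHOLDER-pw
"""

if __name__ == "__main__":
    tls_state, lines = audit_init_log(SAMPLE_578)
    print(tls_state, *lines, sep="\n")
```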