Bug #77825 mysqld --initialize should not complain about lack of ssl certs
Submitted: 24 Jul 2015 5:33
Modified: 19 Aug 2015 13:46
Reporter: Giuseppe Maxia (OCA)
Status: Closed
Category: MySQL Server: Installing
Severity: S2 (Serious)
Version: 5.7.8
OS: Any
Assigned to: Georgi Kodinov
CPU Architecture: Any
Tags: bootstrap, installation

[24 Jul 2015 5:33] Giuseppe Maxia
Description:
The recommended method to install the server, instead of the deprecated mysql_install_db, uses mysqld --initialize

When installing with this method, we get two warnings:
2015-07-24T04:45:51.386521Z 0 [Warning] Failed to setup SSL
2015-07-24T04:45:51.386543Z 0 [Warning] SSL error: SSL context is not usable without certificate and private key

Although they are [Warnings], they use language that is usually associated with errors. This makes it more difficult for automated tools to recognize what is an error and what is not.

This happens because ssl is enabled by default. However, the initialization should not require ssl, and this restriction should be removed.

How to repeat:
./bin/mysqld --no-defaults --initialize --basedir=$PWD --datadir=$PWD/mydata

Suggested fix:
Workarounds:
1) use --skip-ssl
2) skip all lines containing [Warning] in the output
3) do things manually instead of using scripts
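
An added example, not part of the original report or of MySQL's own code: one way an install script could handle `mysqld --initialize` output, keying on the bracketed level instead of the message wording and keeping the temporary root password out of archived logs. The function name `triage`, the sample password and the `[ERROR]` line are constructed for illustration.

```python
import re

# Error-log line layout seen in this report:
#   <UTC timestamp> <thread id> [<Level>] <message>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T[\d:.]+Z)\s+(?P<thread>\d+)\s+"
    r"\[(?P<level>[A-Za-z]+)\]\s+(?P<msg>.*)$"
)
TEMP_PW_RE = re.compile(
    r"A temporary password is generated for \S+: (?P<pw>.+)$"
)

# Constructed sample: the two SSL warnings follow the report's wording;
# the password and the [ERROR] line are made up for this example.
SAMPLE = """\
2015-07-24T04:45:51.386521Z 0 [Warning] Failed to setup SSL
2015-07-24T04:45:51.386543Z 0 [Warning] SSL error: SSL context is not usable without certificate and private key
2015-07-24T04:45:51.390000Z 1 [Warning] A temporary password is generated for root@localhost: Constructed-Pw1!
2015-07-24T04:45:51.400000Z 0 [ERROR] constructed failure line for this example
"""


def triage(output):
    """Classify by the bracketed level only; extract and redact the password."""
    result = {"errors": [], "warnings": [], "temp_password": None, "safe_log": []}
    for raw in output.splitlines():
        m = LINE_RE.match(raw)
        if m is None:
            # Lines without the expected layout carry no level to act on.
            result["safe_log"].append(raw)
            continue
        level, msg = m["level"].upper(), m["msg"]
        pw = TEMP_PW_RE.search(msg)
        if pw:
            # Hand the secret to the caller, never to the archived log.
            result["temp_password"] = pw["pw"]
            msg = msg[: pw.start("pw")] + "<redacted>"
            raw = raw[: m.start("msg")] + msg
        if level == "ERROR":
            result["errors"].append(msg)
        elif level == "WARNING":
            result["warnings"].append(msg)
        result["safe_log"].append(raw)
    return result


if __name__ == "__main__":
    r = triage(SAMPLE)
    print("failed" if r["errors"] else "ok", len(r["warnings"]), "warnings")
    print("\n".join(r["safe_log"]))
```

Dropping every `[Warning]` line, as in workaround 2, would also drop the line that carries the temporary root password, which is why the password is extracted before any filtering.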
[24 Jul 2015 7:54] MySQL Verification Team
Hello Giuseppe,

Thank you for the report.

Thanks,
Umesh
[24 Jul 2015 7:54] MySQL Verification Team
// 5.7.8

-- Build

[umshastr@hod03]/export/umesh/server/binaries/mysql-5.7.8-rc-linux-glibc2.5-x86_64: cat docs/INFO_SRC
commit: ae3b133e5f7b13d1edf7acf7eee6af2c2b4014e2
date: 2015-07-20 14:02:16 +0200
build-date: 2015-07-20 14:16:07 +0200
short: ae3b133
branch: mysql-5.7.8-rc-release

MySQL source 5.7.8

[umshastr@hod03]/export/umesh/server/binaries/mysql-5.7.8-rc-linux-glibc2.5-x86_64: bin/mysqld --no-defaults --initialize --basedir=/export/umesh/server/binaries/mysql-5.7.8-rc-linux-glibc2.5-x86_64 --datadir=/export/umesh/server/binaries/mysql-5.7.8-rc-linux-glibc2.5-x86_64/mydata
2015-07-24T07:05:30.793242Z 0 [Warning] TIMESTAMP with implicit DEFAULT value is deprecated. Please use --explicit_defaults_for_timestamp server option (see documentation for more details).
2015-07-24T07:05:30.992580Z 0 [Warning] InnoDB: New log files created, LSN=45790
2015-07-24T07:05:31.023123Z 0 [Warning] InnoDB: Creating foreign key constraint system tables.
2015-07-24T07:05:31.078710Z 0 [Warning] No existing UUID has been found, so we assume that this is the first time that this server has been started. Generating a new UUID: 5ef6b1ad-31d2-11e5-b925-0010e05f3e06.
2015-07-24T07:05:31.079218Z 0 [Warning] Gtid table is not ready to be used. Table 'mysql.gtid_executed' cannot be opened.
2015-07-24T07:05:31.079292Z 0 [Warning] Failed to setup SSL
2015-07-24T07:05:31.079309Z 0 [Warning] SSL error: SSL context is not usable without certificate and private key
2015-07-24T07:05:31.079778Z 1 [Warning] A temporary password is generated for root@localhost: H5wVhMd+grzS
[24 Jul 2015 8:06] MySQL Verification Team
I'm unable to locate the exact bug# which fixed this, but surely this is not repeatable in daily/trunk builds:

// 5.7.9

-- Build
[umshastr@hod03]/export/umesh/server/binaries/mysql-advanced-5.7.9: cat docs/INFO_SRC
commit: a43c30d8a6bdbad63ec2d7cbc3af25034270f6c2
date: 2015-07-24 10:16:19 +0530
build-date: 2015-07-24 07:21:33 +0200
short: a43c30d
branch: mysql-5.7

MySQL source 5.7.9

[umshastr@hod03]/export/umesh/server/binaries/mysql-advanced-5.7.9:  bin/mysqld --no-defaults --initialize --basedir=/export/umesh/server/binaries/mysql-advanced-5.7.9 --datadir=/export/umesh/server/binaries/mysql-advanced-5.7.9/mydata
2015-07-24T08:03:59.500089Z 0 [Warning] TIMESTAMP with implicit DEFAULT value is deprecated. Please use --explicit_defaults_for_timestamp server option (see documentation for more details).
2015-07-24T08:03:59.682255Z 0 [Warning] InnoDB: New log files created, LSN=45790
2015-07-24T08:03:59.713527Z 0 [Warning] InnoDB: Creating foreign key constraint system tables.
2015-07-24T08:03:59.769327Z 0 [Warning] No existing UUID has been found, so we assume that this is the first time that this server has been started. Generating a new UUID: 8a4e64f0-31da-11e5-bfd5-0010e05f3e06.
2015-07-24T08:03:59.769781Z 0 [Warning] Gtid table is not ready to be used. Table 'mysql.gtid_executed' cannot be opened.
2015-07-24T08:04:00.283034Z 0 [Warning] CA certificate ca.pem is self signed.
2015-07-24T08:04:00.918491Z 1 [Warning] A temporary password is generated for root@localhost: w=d0!vGdOqwI

// 5.8.0
-- Build
[umshastr@hod03]/export/umesh/server/binaries/mysql-advanced-5.8.0: cat docs/INFO_SRC
commit: c2fa9b66cb29576ef228249cfeced33d4719be96
date: 2015-07-24 10:17:26 +0530
build-date: 2015-07-24 07:34:25 +0200
short: c2fa9b6
branch: mysql-trunk

MySQL source 5.8.0

[umshastr@hod03]/export/umesh/server/binaries/mysql-advanced-5.8.0: bin/mysqld --no-defaults --initialize --basedir=/export/umesh/server/binaries/mysql-advanced-5.8.0 --datadir=/export/umesh/server/binaries/mysql-advanced-5.8.0/mydata
2015-07-24T08:02:58.013573Z 0 [Warning] TIMESTAMP with implicit DEFAULT value is deprecated. Please use --explicit_defaults_for_timestamp server option (see documentation for more details).
2015-07-24T08:02:58.174128Z 0 [Warning] InnoDB: New log files created, LSN=46884
2015-07-24T08:02:58.203043Z 0 [Warning] InnoDB: Creating foreign key constraint system tables.
2015-07-24T08:02:58.259254Z 0 [Warning] No existing UUID has been found, so we assume that this is the first time that this server has been started. Generating a new UUID: 65a4b3ba-31da-11e5-be2b-0010e05f3e06.
2015-07-24T08:02:58.259740Z 0 [Warning] Gtid table is not ready to be used. Table 'mysql.gtid_executed' cannot be opened.
2015-07-24T08:02:59.308789Z 0 [Warning] CA certificate ca.pem is self signed.
2015-07-24T08:02:59.664809Z 1 [Warning] A temporary password is generated for root@localhost: %>fja=Kxd3G?
[6 Aug 2015 9:32] Georgi Kodinov
Hi Giuseppe,

I was wondering why this is even a bug.

http://dev.mysql.com/doc/refman/5.7/en/ssl-options.html#option_general_ssl says:
"For the MySQL server, this option specifies that the server permits but does not require SSL connections. The option is enabled on the server side by default as of MySQL 5.7.5, and disabled before 5.7.5."

I know this is not very practical when you're bootstrapping (since the server won't actually listen for connections and thus does not need SSL), but it can be considered an early warning too that you now need SSL key material.

As you've pointed out yourself, --skip-ssl is all you need as a token of accepting the fact that there won't be a possibility to encrypt the connections.

I could hush the warning if it's in bootstrap/initialize mode, but IMHO the early warning is a good idea.
[6 Aug 2015 9:54] Giuseppe Maxia
Hi Joro,
Thanks for your comment.

I think the confusion arises from the fact that mysql_install_db does everything that is expected (i.e. creates the certificates) while mysqld --initialize does not.
If the problem comes from the server's inability to create certificates, that warning should be an error.
[6 Aug 2015 13:44] Georgi Kodinov
Giuseppe, 

The problem comes from yaSSL's inability to generate key material. So we need to work around in separate scripts/binaries.

And it being an error is debatable too. --ssl on the server means support SSL, not disable unencrypted connections. Should that have been the case then it would have been promoted to an error indeed.

Anyway I get your point about the default way etc and will hush the warning in this case.
[19 Aug 2015 13:46] Paul DuBois
Noted in 5.7.9, 5.8.0 changelogs.

mysqld --initialize produced warnings about missing SSL files, which
is unnecessary because initialization does not require SSL.