Bug #80335 "SSL context is not usable without certificate and private key" in 5.7.11
Submitted: 11 Feb 2016 7:42
Modified: 10 Mar 2016 13:43
Reporter: Roel Van de Paar
Status: Not a Bug
Category: MySQL Server: Connection Handling
Severity: S1 (Critical)
Version: 5.7.10, 5.7.11
OS: Any
Assigned to:
CPU Architecture: Any
Tags: SSL

[11 Feb 2016 7:42] Roel Van de Paar
Description:
[Warning] CA certificate ca.pem is self signed.

Present in every 5.7.10 error log. Is this correct? Any documentation? Does Oracle self-sign certificates?

In 5.7.11 it seems to have changed?

[Warning] Failed to set up SSL because of the following SSL library error: SSL context is not usable without certificate and private key

Was 5.7.10 and before a mistake?

How to repeat:
Startup mysqld 5.7.10
[12 Feb 2016 0:19] Roel Van de Paar
Some info here:
http://dev.mysql.com/doc/refman/5.7/en/secure-connections.html
[12 Feb 2016 0:21] Roel Van de Paar
And here:
http://dev.mysql.com/doc/refman/5.7/en/mysql-ssl-rsa-setup.html
[18 Feb 2016 13:37] Georgi Kodinov
Roel,

Looks like you've found the RefMan page that answers your questions around self-signing.

But the different error you're getting with 5.7.11 is interesting.
Can you please provide more detailed steps to reproduce this?
[18 Feb 2016 13:38] Georgi Kodinov
And, when this happens, are you still able to open up an SSL connection to that server or not?
[19 Feb 2016 1:12] Roel Van de Paar
The credit for finding the warning goes to Vadim Tkachenko.

I tested on my end too. The warning is VERY easy to generate. Simply get 5.7.11 from standard Linux generic tarball x64 download and start it up.

1) wget http://dev.mysql.com/get/Downloads/MySQL-5.7/mysql-5.7.11-linux-glibc2.5-x86_64.tar.gz
2) untar
3) Make a startup script. To do so easily, just do:
   cd ~
   git clone https://github.com/Percona-QA/percona-qa.git
   cd <your_untarred_dir>
   ~/percona-qa/startup.sh 0
   ./start
   ./cl  # check server is up
   vi log/master.err
   Observe error:

2016-02-19T00:57:13.985715Z 0 [Warning] Failed to set up SSL because of the following SSL library error: SSL context is not usable without certificate and private key
[19 Feb 2016 1:14] Roel Van de Paar
Did not verify SSL connectivity further.
[19 Feb 2016 1:16] Roel Van de Paar
[roel@localhost mysql-5.7.11-linux-glibc2.5-x86_64]$ /sda/mysql-5.7.11-linux-glibc2.5-x86_64/bin/mysql -A -uroot --ssl-mode=VERIFY_IDENTITY -S/sda/mysql-5.7.11-linux-glibc2.5-x86_64/socket.sock test
ERROR 2026 (HY000): SSL connection error: SSL is required but the server doesn't support it
[1 Mar 2016 6:35] MySQL Verification Team
Thank you for the details.
With above steps:

2016-03-01T06:30:50.822865Z 0 [Warning] Failed to set up SSL because of the following SSL library error: SSL context is not usable without certificate and private key

--

[umshastr@hod03]/export/umesh/server/binaries/mysql-5.7.11: bin/mysql -uroot -S/tmp/mysql_ushastry.sock --ssl-mode=VERIFY_IDENTITY
ERROR 2026 (HY000): SSL connection error: SSL is required but the server doesn't support it
[10 Mar 2016 13:43] Georgi Kodinov
Posted by developer:
 
IMHO this is not a bug. We typically don't debug 3rd party scripts, but I've looked at https://github.com/Percona-QA/percona-qa/blob/master/startup.sh out of curiosity.
http://dev.mysql.com/doc/refman/5.7/en/data-directory-initialization.html says:
"
If you want the server to be able to deploy with automatic support for secure connections, use the mysql_ssl_rsa_setup utility to create default SSL and RSA files:

shell> mysql_ssl_rsa_setup

For more information, see Section 4.4.5, “mysql_ssl_rsa_setup — Create SSL/RSA Files”. 
"

Only the MySQL enterprise edition server will create the certificates for you at --initialize time.
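
A pre-flight check for the condition discussed in this report, as an added example that is not part of the bug thread or of MySQL's own tooling. It assumes the server uses the default file names that mysql_ssl_rsa_setup writes into the data directory (ca.pem, server-cert.pem, server-key.pem); the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: detect a mysqld data directory that will start without TLS.
# Assumes the default file names written by mysql_ssl_rsa_setup and the
# 5.7.11 warning text quoted in the thread above.
SSL_WARNING='Failed to set up SSL because of the following SSL library error'

# Print each server-side TLS file that is missing or empty in DATADIR.
missing_tls_files() {
    local datadir=$1 f
    for f in ca.pem server-cert.pem server-key.pem; do
        [ -s "$datadir/$f" ] || echo "$f"
    done
}

# Print how many lines of ERRLOG carry the "Failed to set up SSL" warning.
# Counts the whole file, so rotate the log or pass only the latest startup.
ssl_warning_count() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -cF -- "$SSL_WARNING" "$1" || true
}

# tls_preflight DATADIR ERRLOG
# Returns 0 when the TLS files exist and no warning is logged, 1 otherwise.
tls_preflight() {
    local datadir=$1 errlog=$2 missing warnings rc=0
    missing=$(missing_tls_files "$datadir")
    warnings=$(ssl_warning_count "$errlog")
    if [ -n "$missing" ]; then
        echo "FAIL: missing in $datadir:" $missing
        echo "  fix: mysql_ssl_rsa_setup --datadir=$datadir, then restart mysqld"
        rc=1
    fi
    if [ "$warnings" -gt 0 ]; then
        echo "FAIL: $warnings 'Failed to set up SSL' warning(s) in $errlog"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: server TLS files present, no SSL setup warning logged"
    fi
    return "$rc"
}

# Run directly as: ./tls_preflight.sh /path/to/datadir /path/to/error.log
if [ "$#" -ge 2 ]; then
    tls_preflight "$1" "$2"
fi
```

The server only logs a warning and keeps running in this state, so a check like this in deployment scripts catches an instance that would otherwise accept only unencrypted connections.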