Bug #84527 MySQL auto generates ssl certificates even if compiled against YaSSL
Submitted: 17 Jan 2017 8:34 Modified: 14 Feb 2017 14:30
Reporter: Daniël van Eeden (OCA) Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: Documentation Severity:S3 (Non-critical)
Version:5.7.15, 5.7.17 OS:Any
Assigned to: CPU Architecture:Any
Tags: SSL

[17 Jan 2017 8:34] Daniël van Eeden
Description:
MySQL Community Edition 5.7.15 (thus compiled against YaSSL) auto generates ssl certificates. However the documentation says this is only done if compiled against OpenSSL.

"As of MySQL 5.7.5, MySQL servers have the capability of automatically generating missing SSL and RSA files at startup, for MySQL distributions compiled using OpenSSL."

https://dev.mysql.com/doc/refman/5.7/en/creating-ssl-rsa-files-using-mysql.html
https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_auto_generate_...

This is on CentOS 6 (no systemd)

How to repeat:
rm -rf /path/to/datadir
/etc/init.d/mysql start
ls /path/to/datadir/*.pem 

Suggested fix:
Adjust docs
[17 Jan 2017 9:52] MySQL Verification Team
Hello Daniël,

Thank you for the report and feedback!

Thanks,
Umesh
[17 Jan 2017 11:19] Terje Røsten
It's the initscripts which generates the certs:

 https://github.com/mysql/mysql-server/blob/5.7/packaging/rpm-oel/mysql.init#L120

and this is already documented here:

 http://dev.mysql.com/doc/refman/5.7/en/linux-installation-rpm.html

At the initial start up of the server, the following happens, given that the data directory of the server is empty:

    The server is initialized.

    An SSL certificate and key files are generated in the data directory.

    The validate_password plugin is installed and enabled.

    A superuser account 'root'@'localhost' is created.
[17 Jan 2017 12:38] Daniël van Eeden
@Terje Thanks for the explanation 

I do think at least some info about that should be added to https://dev.mysql.com/doc/refman/5.7/en/creating-ssl-rsa-files-using-mysql.html

And it looks like there isn't a auto_generate_certs=OFF like setting for that.
Created https://bugs.mysql.com/bug.php?id=84531 for that.
[14 Feb 2017 14:30] Paul DuBois
Posted by developer:
 
Update to https://dev.mysql.com/doc/refman/5.7/en/creating-ssl-rsa-files-using-mysql.html

MySQL provides two ways to create the SSL certificate and key files and RSA key-pair files required to support secure connections using SSL and secure password exchange using RSA over unencrypted connections, if those files are missing:

* The server can autogenerate these files at startup, for MySQL distributions compiled using OpenSSL.

* Users can invoke the mysql_ssl_rsa_setup utility manually.

  For some distribution types, such as RPM packages, mysql_ssl_rsa_setup invocation occurs during data directory initialization. In this case, the MySQL distribution need not have been compiled using OpenSSL as long as the openssl command is available.