Bug #84531 Add auto_generate_certs=OFF like setting for sysv init and systemd
Submitted: 17 Jan 2017 12:37 Modified: 6 Apr 2018 13:46
Reporter: Daniël van Eeden (OCA)
Status: Verified
Category: MySQL Server: Security: Encryption Severity: S4 (Feature request)
Version: 5.7 OS: Any
Assigned to: CPU Architecture: Any
Tags: SSL, systemd, sysv init, tls

[17 Jan 2017 12:37] Daniël van Eeden
Description:
See also https://bugs.mysql.com/bug.php?id=84527

For OpenSSL-based auto generation of certificates there is an OFF switch; however, a similar function seems to be missing for mysql_ssl_rsa_setup, which is called from /etc/init.d/mysqld.

How to repeat:
See description

Suggested fix:
Check auto_generate_certs setting in the SysV init script.
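
One way an init script could perform the check suggested above, as an added example that is not part of the bug report or of MySQL's own init script. The function name `certs_autogen_enabled` is hypothetical, and the option lines are assumed to arrive on stdin in the `--name[=value]` form that `my_print_defaults mysqld` prints.

```shell
#!/bin/sh
# Succeeds (exit 0) when auto_generate_certs is effectively ON, fails when OFF.
# The last occurrence wins; '-' and '_' in option names are treated as equal.
certs_autogen_enabled() {
    state=ON                                  # server default when not set
    while IFS= read -r opt; do
        opt=${opt#--}
        name=$(printf '%s\n' "${opt%%=*}" | sed 'y/-/_/')
        case $opt in
            *=*) value=$(printf '%s\n' "${opt#*=}" | tr '[:lower:]' '[:upper:]') ;;
            *)   value=ON ;;                  # bare boolean option means ON
        esac
        case $name in
            auto_generate_certs|enable_auto_generate_certs) ;;
            skip_auto_generate_certs|disable_auto_generate_certs)
                value=OFF ;;                  # simplification: any value is read as OFF
            *) continue ;;                    # unrelated option
        esac
        case $value in
            OFF|0|FALSE) state=OFF ;;
            *)           state=ON ;;
        esac
    done
    [ "$state" = ON ]
}

# Constructed sample input, standing in for `my_print_defaults mysqld` output.
sample_opts='--datadir=/data/mysql
--auto-generate-certs=on
--auto_generate_certs=OFF'

if printf '%s\n' "$sample_opts" | certs_autogen_enabled; then
    echo "auto_generate_certs is ON: init script would run mysql_ssl_rsa_setup"
else
    echo "auto_generate_certs is OFF: skipping mysql_ssl_rsa_setup"
fi

# Wiring in a real init script (not executed here):
#   if my_print_defaults mysqld | certs_autogen_enabled; then
#       mysql_ssl_rsa_setup --datadir="$datadir"
#   fi
```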
[18 Jan 2017 6:45] MySQL Verification Team
Hello Daniël,

Thank you for the feature request!

Thanks,
Umesh
[6 Apr 2018 13:46] Daniël van Eeden
mysqld.service has:

[Unit]
After=network.target
After=syslog.target
[Install]
WantedBy=multi-user.target
[Service]
ExecStartPre=/usr/bin/mysqld_pre_systemd

When MySQL is on a mountpoint like /data/mysql this could cause MySQL to start before the filesystem is mounted. But it could also run mysqld_pre_systemd before the mountpoint is mounted and mount it while it runs.

Maybe it should depend on local-fs.target or data-mysql.mount (the latter being dynamic). Or it could use RequiresMountsFor=/path/to/datadir
https://www.freedesktop.org/software/systemd/man/systemd.unit.html#RequiresMountsFor=

For now the workaround seems to be to put "NO_INIT=1" in /etc/sysconfig/mysql or override the systemd config.