Tuesday, August 4, 2015

When you install MySQL 5.7.8 from rpm, the SSL certificates are created for you at the first service mysqld start

All that happened is that mysql_ssl_rsa_setup, which I covered in "日々の覚書: MySQL 5.7.6からSSL周りのセットアップが扱いやすくなった" (the earlier post on SSL setup becoming easier to handle from MySQL 5.7.6), is now called directly inside /etc/init.d/mysqld. But if you don't know how it works, the error log looks as if it contradicts itself, so here is an explanation.


# rpm -i mysql-community-server-5.7.8-0.3.rc.el5.x86_64.rpm mysql-community-common-5.7.8-0.3.rc.el5.x86_64.rpm mysql-community-client-5.7.8-0.3.rc.el5.x86_64.rpm mysql-5.7.8-0.3.rc.el5.x86_64.rpm mysql-community-libs-5.7.8-0.3.rc.el5.x86_64.rpm mysql-community-libs-compat-5.7.8-0.3.rc.el5.x86_64.rpm
..

# less /var/log/mysqld.log
2015-07-15T07:44:47.363530Z 0 [Warning] InnoDB: New log files created, LSN=45790
2015-07-15T07:44:47.504281Z 0 [Warning] InnoDB: Creating foreign key constraint system tables.
2015-07-15T07:44:47.582258Z 0 [Warning] No existing UUID has been found, so we assume that this is the first time that this server has been started. Generating a new UUID: 5dd4d949-2ac5-11e5-8a55-0242ac11000a.
2015-07-15T07:44:47.586384Z 0 [Warning] Gtid table is not ready to be used. Table 'mysql.gtid_executed' cannot be opened.
2015-07-15T07:44:47.586799Z 0 [Warning] Failed to setup SSL
2015-07-15T07:44:47.586825Z 0 [Warning] SSL error: SSL context is not usable without certificate and private key
2015-07-15T07:44:47.587546Z 1 [Warning] A temporary password is generated for root@localhost: 0J:ra.dZgrmF
150715 16:44:52 mysqld_safe Starting mysqld daemon with databases from /var/lib/mysql
2015-07-15T07:44:52.939037Z 0 [Warning] TIMESTAMP with implicit DEFAULT value is deprecated. Please use --explicit_defaults_for_timestamp server option (see documentation for more details).
2015-07-15T07:44:52.940030Z 0 [Note] /usr/sbin/mysqld (mysqld 5.7.8-rc) starting as process 413 ...
..
2015-07-15T07:44:53.156280Z 0 [Note] Found ca.pem, server-cert.pem and server-key.pem in data directory. Trying to enable SSL support using them.
2015-07-15T07:44:53.156620Z 0 [Warning] CA certificate ca.pem is self signed.
2015-07-15T07:44:53.156875Z 0 [Note] Server hostname (bind-address): '*'; port: 3306
2015-07-15T07:44:53.156942Z 0 [Note] IPv6 is available.
2015-07-15T07:44:53.156952Z 0 [Note]   - '::' resolves to '::';
2015-07-15T07:44:53.156957Z 0 [Note] Server socket created on IP: '::'.
2015-07-15T07:44:53.158530Z 0 [Note] InnoDB: Buffer pool(s) load completed at 150715 16:44:53
2015-07-15T07:44:53.173689Z 0 [Note] Event Scheduler: Loaded 0 events
2015-07-15T07:44:53.174035Z 0 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.7.8-rc'  socket: '/var/lib/mysql/mysql.sock'  port: 3306  MySQL Community Server (GPL)

* It says "[Warning] Failed to setup SSL",
* then it says "[Note] Found ca.pem, server-cert.pem and server-key.pem in data directory. Trying to enable SSL support using them.",
* and it wraps up with "[Warning] CA certificate ca.pem is self signed."


The reason is that the first message, "Failed to setup SSL", is emitted while mysqld --initialize is running: at that point no SSL certificates exist yet, so enabling SSL at mysqld startup fails.
/etc/init.d/mysqld calls mysqld --initialize => mysql_ssl_rsa_setup => mysqld_safe, in that order, so
the second message, "Found ca.pem", comes from the mysqld launched by mysqld_safe, which picks up the SSL certificates that the preceding mysql_ssl_rsa_setup run created, and starts with SSL enabled.
The third message means exactly what it says.

Since 5.7.5, mysqld's --ssl is enabled by default, so all you have to do is make the client connect over SSL using ca.pem, and that is it.
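Since the error log records more than one mysqld run back to back, the warning from the --initialize run is easy to mistake for the state of the server that is actually listening. The script below is an added example, not part of the original post or of the MySQL init script: it splits the log at each "starting as process" line and reports, per run, whether SSL ended up enabled. The sample log is constructed from the lines shown above.

```shell
#!/bin/sh
# Added example: summarise the SSL outcome of each mysqld run recorded in an
# error log. Run 0 is whatever ran before the first "starting as process"
# line (on a fresh rpm install, that is the mysqld --initialize run).

# Constructed sample log, abridged from the excerpt in the post.
SAMPLE_LOG=$(cat <<'EOF'
2015-07-15T07:44:47.363530Z 0 [Warning] InnoDB: New log files created, LSN=45790
2015-07-15T07:44:47.586799Z 0 [Warning] Failed to setup SSL
2015-07-15T07:44:47.586825Z 0 [Warning] SSL error: SSL context is not usable without certificate and private key
2015-07-15T07:44:47.587546Z 1 [Warning] A temporary password is generated for root@localhost: 0J:ra.dZgrmF
150715 16:44:52 mysqld_safe Starting mysqld daemon with databases from /var/lib/mysql
2015-07-15T07:44:52.940030Z 0 [Note] /usr/sbin/mysqld (mysqld 5.7.8-rc) starting as process 413 ...
2015-07-15T07:44:53.156280Z 0 [Note] Found ca.pem, server-cert.pem and server-key.pem in data directory. Trying to enable SSL support using them.
2015-07-15T07:44:53.156620Z 0 [Warning] CA certificate ca.pem is self signed.
2015-07-15T07:44:53.174035Z 0 [Note] /usr/sbin/mysqld: ready for connections.
EOF
)

# Reads a mysqld error log on stdin; prints one line per run:
#   "<run> <enabled|disabled|unknown> <self-signed-ca|->"
ssl_state_per_run() {
  awk '
    BEGIN { run = 0; state[0] = "unknown" }
    /starting as process/            { run++; state[run] = "unknown" }
    /Failed to setup SSL/            { state[run] = "disabled" }
    /Found ca.pem, server-cert.pem/  { state[run] = "enabled" }
    /CA certificate .* is self signed/ { selfsigned[run] = 1 }
    END {
      for (r = 0; r <= run; r++)
        print r, state[r], (selfsigned[r] ? "self-signed-ca" : "-")
    }
  '
}

# SSL state of the most recent run only: the server a client would connect to.
ssl_state_of_last_run() {
  ssl_state_per_run | tail -n 1 | awk '{ print $2 }'
}

# Usage on the constructed log (on a real host: ssl_state_per_run < /var/log/mysqld.log)
printf '%s\n' "$SAMPLE_LOG" | ssl_state_per_run
```

On the sample log this prints "0 disabled -" for the --initialize run and "1 enabled self-signed-ca" for the server started by mysqld_safe, which is the only run that matters for clients.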
