This brief tutorial shows students and new users how to connect to MariaDB via SSL/TLS on Ubuntu 20.04 | 18.04.
When you install the MariaDB server, it will default allow connections from any system for users with the correct credentials.
If you want to add another layer of security, you can enable SSL/TLS settings and force all users to connect securely.
For this tutorial, we will create a self-signed certificate to configure with MariaDB.
To get started with configuring MariaDB with SSL/TLS certificates, follow the steps below:
Create SSL Cert
Since we’re creating self-signed certificates, simply run the commands below to create a directory where the cert files will be created.
After creating the directory, change it and begin creating your self-signed certificates.
sudo mkdir /var/lib/mysql/pki cd /var/lib/mysql/pki
Now that the directory is created and you have changed into it, run the commands below to create the CA certificate and private key.
Create a CA key and CA cert
sudo openssl genrsa -out ca-key.pem 2048 sudo openssl req -new -x509 -nodes -days 365 -key ca-key.pem -out ca-cert.pem
The commands above will generate a 2048-bit key length and create a new 1-year (365 days) private key.
You may increase the key length and expiration date if you want for the private key.
While creating the private key, you’ll be prompted for details of the key you’re generating.
Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:MN Locality Name (eg, city) []:BP Organization Name (eg, company) [Internet Widgits Pty Ltd]: Organizational Unit Name (eg, section) []: Common Name (e.g. server FQDN or YOUR name) []: Email Address []:
Next, create a private key for the server. You’ll be prompted as above. Type the details that you want to include with the cert.
Create a server private key
sudo openssl req -newkey rsa:2048 -days 365 -nodes -keyout server-key.pem -out server-req.pem
When you’re done above, export the server’s private key to an RSA-type key using the commands below:
sudo sudo openssl rsa -in server-key.pem -out server-key.pem
After all the above, run the commands below to generate an SSL cert using the commands below:
Generate SSL/TLS cert
sudo openssl x509 -req -in server-req.pem -days 365 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
In the directory, you should have these files:
- ca-cert.pem
- ca-key.pem
- server-cert.pem
- server-key.pem
- server-req.pem
Configure MariaDB SSL/TLS Connection
After creating a self-signed certificate, go to MariaDB and configure it to connect over SSL/TLS.
Then make MySQL the user owner of the directory above.
sudo chown -R mysql. /var/lib/mysql/pki
When you’re done, open the MariaDB configuration file.
sudo nano /etc/mysql/mariadb.conf.d/50-server.cnf
Then add the highlighted lines to enable SSL/TLS
# this is only for the mysqld standalone daemon
[mysqld]
#
# * Basic Settings
#
user = mysql
pid-file = /run/mysqld/mysqld.pid
socket = /run/mysqld/mysqld.sock
#port = 3306
basedir = /usr
datadir = /var/lib/mysql
tmpdir = /tmp
lc-messages-dir = /usr/share/mysql
#skip-external-locking
ssl-ca=/var/lib/mysql/pki/ca-cert.pem
ssl-cert=/var/lib/mysql/pki/server-cert.pem
ssl-key=/var/lib/mysql/pki/server-key.pem
..
..
After adding the lines above, restart MariaDB.
sudo systemctl restart mariadb
Next, connect to MariaDB and verify SSL/TLS are loaded by running the statement below:
sudo mysql -u root
Then run the query below:
show variables like '%ssl%';
It should show similar lines as below:
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. MariaDB [(none)]> show variables like '%ssl%'; +---------------------+--------------------------------+ | Variable_name | Value | +---------------------+--------------------------------+ | have_openssl | NO | | have_ssl | YES | | ssl_ca | /var/lig/mysql/pki/chain.pem | | ssl_capath | | | ssl_cert | /var/lib/mysql/pki/cert.pem | | ssl_cipher | | | ssl_crl | | | ssl_crlpath | | | ssl_key | /var/lib/mysql/pki/privkey.pem | | version_ssl_library | YaSSL 2.4.4 | +---------------------+--------------------------------+ 10 rows in set (0.001 sec)
The “have_ssl” in MariaDB says whether SSL support is available, while “have_openssl” says, specifically, whether OpenSSL is compiled in.
So, if you have MariaDB built with YaSSL, have_ssl will be YES, while have_openssl will be NO.
To connect via the client over SSL/TLS, run the commands below:
sudo mysql --ssl
Then show the cipher being used:
show status like 'ssl_cipher';
It should display similar lines as below:
+---------------+--------------------+
| Variable_name | Value |
+---------------+--------------------+
| Ssl_cipher | DHE-RSA-AES256-SHA |
+---------------+--------------------+
1 row in set (0.000 sec)
After enabling SSL/TLS, you should begin creating users and requiring SSL/TLS to log in.
create user dbuser identified by 'password_here' require ssl;
To force existing users to use SSL/TLS, run the query below for each.
grant usage on *.* to 'dbuser_here'@'%' require ssl;
Exit and you’re done.
Conclusion:
This post showed you how to configure MariaDB to connect over SSL/TLS. If you find an error above, please use the form below to report it.
