Setup MariaDB Self Signed SSL/TLS on Ubuntu

This brief tutorial shows students and new users how to connect to MariaDB via SSL/TLS on Ubuntu 20.04 | 18.04.

By default when you install MariaDB server, it will allow connections from any systems for users with the correct credentials.

If you want to add another layer of security, you can enable SSL/TLS settings and force all users to connect securely.

For this tutorials, we’re going to be creating a self signed certificate to configure with MariaDB.

To get started with configuring MariaDB with SSL/TLS certificates, follow the steps below:

Create SSL Cert

Since we’re creating self-signed certificates, simply run the commands below to create a directory where the cert files will be created.

After creating the directory, change into it and begin creating your self signed certificates.

sudo mkdir /var/lib/mysql/pki
cd /var/lib/mysql/pki

Now that the directory is created and you have changed into it, run the commands below to create the CA certificate and private key.

Create CA key and CA cert

sudo openssl genrsa -out ca-key.pem 2048
sudo openssl req -new -x509 -nodes -days 365 -key ca-key.pem -out ca-cert.pem

The commands above will generate a 2048 bit key length and create a new 1 year (365 days) private key.

You may increase the key length and expiration date if you want for the private key.

While creating the private key, you’ll be prompted for details of the key you’re generating.

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:MN
Locality Name (eg, city) []:BP
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Next, create a private key for the server. You’ll be prompted as above. Type the details that you want to include with the cert.

Create server private key

sudo openssl req -newkey rsa:2048 -days 365 -nodes -keyout server-key.pem -out server-req.pem

When you’re done above, export the server’s private key to an RSA-type key using the commands below:

sudo sudo openssl rsa -in server-key.pem -out server-key.pem

After all the above, run the commands below to generate a SSL cert using the commands below:

Generate SSL/TLS cert

sudo openssl x509 -req -in server-req.pem -days 365 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

In the directory, you should have these files:

  • ca-cert.pem
  • ca-key.pem
  • server-cert.pem
  • server-key.pem
  • server-req.pem

Configure MariaDB SSL/TLS Connection

Now that you’re created a self signed certificate, go to MariaDB and configure to connect over SSL/TLS.

Then make MySQL user owner of the directory above.

sudo chown -R mysql. /var/lib/mysql/pki

When you’re done, open MariaDB configuration file.

sudo nano /etc/mysql/mariadb.conf.d/50-server.cnf

Then add the highlighted lines to enable SSL/TLS

# this is only for the mysqld standalone daemon
[mysqld]

#
# * Basic Settings
#
user                    = mysql
pid-file                = /run/mysqld/mysqld.pid
socket                  = /run/mysqld/mysqld.sock
#port                   = 3306
basedir                 = /usr
datadir                 = /var/lib/mysql
tmpdir                  = /tmp
lc-messages-dir         = /usr/share/mysql
#skip-external-locking
ssl-ca=/var/lib/mysql/pki/ca-cert.pem
ssl-cert=/var/lib/mysql/pki/server-cert.pem
ssl-key=/var/lib/mysql/pki/server-key.pem
.....................................
.....................................

After adding the lines above, restart MariaDB.

sudo systemctl restart mariadb

Next, connect to MariaDB and verify SSL/TLS are loaded by running the statement below:

sudo mysql -u root

Then run the query below:

show variables like '%ssl%'; 

It should show similar lines as below:

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show variables like '%ssl%'; 
+---------------------+--------------------------------+
| Variable_name       | Value                          |
+---------------------+--------------------------------+
| have_openssl        | NO                             |
| have_ssl            | YES                            |
| ssl_ca              | /var/lig/mysql/pki/chain.pem   |
| ssl_capath          |                                |
| ssl_cert            | /var/lib/mysql/pki/cert.pem    |
| ssl_cipher          |                                |
| ssl_crl             |                                |
| ssl_crlpath         |                                |
| ssl_key             | /var/lib/mysql/pki/privkey.pem |
| version_ssl_library | YaSSL 2.4.4                    |
+---------------------+--------------------------------+
10 rows in set (0.001 sec)

The “have_ssl” in MariaDB says whether SSL support is available, while “have_openssl” says, specifically, whether OpenSSL is compiled in.

So, if you have MariaDB built with YaSSL, have_ssl will be YES, while have_openssl will be NO.

To connect via the client over SSL/TLS, run the commands below:

sudo mysql --ssl

Then show the cipher being used:

show status like 'ssl_cipher';

It should display similar lines as below:

+---------------+--------------------+
| Variable_name | Value              |
+---------------+--------------------+
| Ssl_cipher    | DHE-RSA-AES256-SHA |
+---------------+--------------------+
1 row in set (0.000 sec)

After enabling SSL/TLS, you should begin creating users and requiring SSL/TLS to login.

create user dbuser identified by 'password_here' require ssl; 

To force existing users to use SSL/TLS, run the query below for each.

grant usage on *.* to 'dbuser_here'@'%' require ssl;

Exit and you’re done.

Conclusion:

This post showed you how to configure MariaDB to connect over SSL/TLS. If you find error above, please use the form below to report.

You may also like the post below:

How to Install Wine 6 on Ubuntu – Website for Students

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.