I have been setting up a few MySQL servers with SSL support for replication.

I used the script provided in the official MySQL documentation for creating the SSL certificates, because I needed to do it on more than one server and it made more sense to use the script than to create each certificate by hand.

If you just follow the documentation and create the certificates one by one you will be fine, but if you use the script your CA certificate will expire after 30 days, and after a month you'll be banging your head trying to find out why SSL connections suddenly don't work anymore.
You know your certificates should be valid for a year or more, so why doesn't it work anymore? Running this command:

  openssl x509 -in cacert.pem -dates -noout

reveals it:

notBefore=Apr 17 12:20:10 2008 GMT
notAfter=May 17 12:20:10 2008 GMT

Ah .... there you go ... just 30 days for the cacert file ... insane...
The problem had actually been reported by someone else in the comments on that documentation page, but I was in a hurry (yeah right) and didn't read that far.
Note to self: always read the comments on those pages.
So if you use that script, make sure you modify it to make the CA valid for more than 30 days.
This line:

  openssl req -new -x509 -keyout $PRIV/cakey.pem -out $DIR/cacert.pem \
  -config $DIR/openssl.cnf

Should be something like:

  openssl req -new -x509 -days 365 -keyout $PRIV/cakey.pem -out $DIR/cacert.pem \
  -config $DIR/openssl.cnf

That is if you want the CA cert to be valid for a year.
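Catching this before the replication link breaks is cheap: the `openssl x509 -dates -noout` output above is easy to parse, so a small check can flag a CA whose lifetime is shorter than you intended and warn ahead of its expiry. The script below is an added example, not part of the original post or of the MySQL documentation script; the sample outputs embedded in it are constructed to mirror the 30-day CA described above and the 365-day CA you get after adding `-days 365`, and the function names (`validity_days`, `check_ca`, `check_ca_file`) are hypothetical.

```python
"""Sanity-check a CA certificate's validity window from `openssl x509 -dates -noout` output.

Added example (not from the post). Constructed samples below; helper names are hypothetical.
"""
from datetime import datetime, timezone
import subprocess

# Constructed sample: the 30-day CA produced by the unmodified documentation script.
SHORT_CA_DATES = """notBefore=Apr 17 12:20:10 2008 GMT
notAfter=May 17 12:20:10 2008 GMT
"""

# Constructed sample: the same CA created with `-days 365`.
YEAR_CA_DATES = """notBefore=Apr 17 12:20:10 2008 GMT
notAfter=Apr 17 12:20:10 2009 GMT
"""


def utc_date(year, month, day):
    """Small helper so callers can build an aware 'now' without importing datetime."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_openssl_date(value):
    """Parse 'May 17 12:20:10 2008 GMT' into an aware UTC datetime."""
    parts = value.split()  # tolerates openssl's space-padded single-digit day ("Apr  7 ...")
    if len(parts) != 5 or parts[-1] not in ("GMT", "UTC"):
        raise ValueError("unexpected openssl date: %r" % value)
    naive = datetime.strptime(" ".join(parts[:4]), "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)


def parse_dates_output(text):
    """Return (not_before, not_after) from `openssl x509 -dates -noout` output."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return parse_openssl_date(fields["notBefore"]), parse_openssl_date(fields["notAfter"])


def validity_days(text):
    """Total lifetime of the certificate in whole days."""
    not_before, not_after = parse_dates_output(text)
    return (not_after - not_before).days


def check_ca(text, now, min_validity_days=365, warn_within_days=30):
    """Return a list of findings: 'too-short', 'expired', 'expiring'. Empty list means OK."""
    not_before, not_after = parse_dates_output(text)
    findings = []
    if (not_after - not_before).days < min_validity_days:
        findings.append("too-short")  # the 30-day CA from the unmodified script lands here
    if now >= not_after:
        findings.append("expired")
    elif (not_after - now).days < warn_within_days:
        findings.append("expiring")
    return findings


def check_ca_file(path, now=None):
    """Run openssl on a real PEM file; not exercised by the embedded samples."""
    out = subprocess.run(
        ["openssl", "x509", "-in", path, "-dates", "-noout"],
        check=True, capture_output=True, text=True,
    ).stdout
    return check_ca(out, now or datetime.now(timezone.utc))


if __name__ == "__main__":
    today = utc_date(2008, 5, 20)  # constructed "today", a few days after the 30-day CA expired
    for name, sample in (("30-day CA", SHORT_CA_DATES), ("365-day CA", YEAR_CA_DATES)):
        print("%s: %d days, findings=%s" % (name, validity_days(sample), check_ca(sample, today)))
```

Run it as a cron job against `cacert.pem` (via `check_ca_file`) on each replication host and you get a warning 30 days before expiry instead of a dead SSL link; the `too-short` finding catches the unmodified script's output the day the CA is created, which is when it is cheapest to regenerate.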
