MySQL SSL error: Unable to get private key

Ok, apparently just changing 'BEGIN PRIVATE KEY' to 'BEGIN RSA PRIVATE KEY' isn't enough.

It must be properly converted from PKCS#8 to PKCS#1 (Reference):

openssl rsa -in /etc/mysql/ssl/nginx.key -out ~/nginx.key.rsa

As a consolidation of my false leads that helped others:

  • POSIX mode bits and file owner: The mysql user must have read access to all SSL files via user or group privileges. This may mean chown mysql *.pem or adding ssl-private to mysql's groups. (https://serverfault.com/questions/417390/cannot-setup-mysql-ssl-unable-to-read-certificate)

  • AppArmor can cut off file access. You need something like /etc/mysql/** in /etc/apparmor.d/usr.sbin/mysqld. Check /var/log/kern.log and consider aa-complain /usr/sbin/mysqld to get errors rather than denials. (https://forums.mysql.com/read.php?26,393495,393636#msg-393636)

  • Malformatted file contents. SSL library is very bad at complaining accurately. Ensure the full key set works on, say, a web site.

  • The file is missing entirely. Again, in the error message there is no distinction made.
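Since the error message does not distinguish these causes, a small check can tell them apart. The script below is an added example, not part of the original answer; the names classify_key, demo and PKCS8_RSA_MARKER and the result labels are made up for illustration, and the hand-edited-header detection is a heuristic that assumes an unencrypted RSA key.

```shell
#!/bin/sh
# Added example: classify why a MySQL ssl-key file may be rejected.
# Run it as the mysql user (e.g. sudo -u mysql sh check_key.sh /path/to/key)
# so the readability test reflects the server's view. AppArmor denials are
# not visible to this check; look in the kernel log for those.

# Base64 form of the rsaEncryption AlgorithmIdentifier as it appears near the
# start of an unencrypted PKCS#8 RSA key. Used as a heuristic marker.
PKCS8_RSA_MARKER='BgkqhkiG9w0BAQEF'

classify_key() {
    key=$1
    [ -e "$key" ] || { echo missing; return 0; }
    [ -f "$key" ] || { echo not-a-regular-file; return 0; }
    [ -r "$key" ] || { echo unreadable; return 0; }
    # First PEM armor line and the first base64 body line (CR stripped).
    header=$(tr -d '\r' < "$key" | sed -n '/^-----BEGIN /{p;q;}')
    body=$(tr -d '\r' < "$key" | sed -n '/^-----BEGIN /{n;p;q;}')
    case $header in
        '-----BEGIN RSA PRIVATE KEY-----')
            case $body in
                # PKCS#1 header over a PKCS#8 body: header was edited by hand.
                *"$PKCS8_RSA_MARKER"*) echo relabeled-pkcs8 ;;
                *) echo pkcs1 ;;
            esac ;;
        '-----BEGIN PRIVATE KEY-----') echo pkcs8 ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-encrypted ;;
        '') echo no-pem-header ;;
        *) echo other-pem ;;
    esac
}

# Constructed sample: PKCS#8 body (truncated, not a usable key) under a
# hand-edited PKCS#1 header, plus a path that does not exist.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
        'MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcw' \
        '-----END RSA PRIVATE KEY-----' > "$d/edited.key"
    classify_key "$d/edited.key"
    classify_key "$d/absent.key"
    rm -rf "$d"
}

if [ $# -gt 0 ]; then classify_key "$1"; else demo; fi
```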