
MariaDB SSL setup



Create a directory for the key files

cd /opt/etc/mysql && mkdir certs && cd certs

Create the root key

openssl genrsa 2048 > ca-key.pem

Create a certificate using the generated key

openssl req -new -x509 -nodes -days 365000 -key ca-key.pem -out ca-cert.pem

Create the certificate for the server

openssl req -newkey rsa:2048 -days 365000 -nodes -keyout server-key.pem -out server-req.pem

Sign it

openssl x509 -req -in server-req.pem -days 365000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

Verify

openssl x509 -in server-cert.pem -text -noout

openssl verify -CAfile ca-cert.pem server-cert.pem  (error 18 may occur here; when filling in the forms, enter a different e-mail, for example)

Server configuration: 50-server.cnf

# For generating SSL certificates you can use for example the GUI tool "tinyca".
#
ssl-ca=/opt/etc/mysql/certs/ca-cert.pem
ssl-cert=/opt/etc/mysql/certs/server-cert.pem
ssl-key=/opt/etc/mysql/certs/server-key.pem
#
# Accept only connections using the latest and most secure TLS protocol version.
# ..when MariaDB is compiled with OpenSSL:
ssl-cipher=DHE-RSA-AES256-GCM-SHA384

Restart: /opt/etc/init.d/S70mysqld restart

Log in to MariaDB

show variables like "%ssl%";

Client configuration

Create the client certificate

openssl req -newkey rsa:2048 -days 365000 -nodes -keyout client-key.pem -out client-req.pem

Sign it

openssl x509 -req -in client-req.pem -days 365000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem

Verify

openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem

Specify in 50-mysql-clients.cnf

[mysql]
# Default is Latin1, if you need UTF-8 set this (also in server section)
default-character-set = utf8mb4

ssl-ca=/opt/etc/mysql/certs/ca-cert.pem
ssl-cert=/opt/etc/mysql/certs/client-cert.pem
ssl-key=/opt/etc/mysql/certs/client-key.pem

Log in to MariaDB and check status

Done.

Edited by Meccep45
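
Added example, not part of the original post: a shell pre-flight check for the "Verify" steps above, run before pointing 50-server.cnf or 50-mysql-clients.cnf at a certificate. The function names check_cert and make_demo_pki, the subjects "Demo CA" and "db.example.test" and all files under $demo are constructed for illustration; it assumes error 18 comes from a certificate that repeats the CA subject.

```shell
#!/bin/sh
# check_cert CA CERT KEY (hypothetical helper): 0 = usable, 2 = unreadable,
# 18 = subject equals the CA subject, 1 = not signed by the CA, 3 = wrong key.
check_cert() {
    ca=$1; cert=$2; key=$3
    ca_subj=$(openssl x509 -in "$ca" -noout -subject) || return 2
    leaf_subj=$(openssl x509 -in "$cert" -noout -subject) || return 2
    # Assumption: a leaf that repeats the CA subject has subject == issuer, so
    # "openssl verify" treats it as self-signed (error 18).
    if [ "$ca_subj" = "$leaf_subj" ]; then
        echo "$cert: subject is identical to the CA subject" >&2; return 18
    fi
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "$cert: does not verify against $ca" >&2; return 1
    fi
    # The public key in the certificate must match the one derived from the key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "$key: does not belong to $cert" >&2; return 3
    fi
    return 0
}

# make_demo_pki DIR: constructed test data. "server" gets its own subject,
# "clash" reuses the CA subject on purpose to reproduce the error 18 case.
make_demo_pki() {
    dir=$1; serial=1
    openssl genrsa -out "$dir/ca-key.pem" 2048 2>/dev/null &&
    openssl req -new -x509 -nodes -days 365 -key "$dir/ca-key.pem" \
        -subj "/CN=Demo CA" -out "$dir/ca-cert.pem" || return 1
    for pair in "server:db.example.test" "clash:Demo CA"; do
        name=${pair%%:*}; cn=${pair#*:}
        openssl req -newkey rsa:2048 -nodes -keyout "$dir/$name-key.pem" \
            -subj "/CN=$cn" -out "$dir/$name-req.pem" 2>/dev/null &&
        openssl x509 -req -in "$dir/$name-req.pem" -days 365 \
            -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" \
            -set_serial "$serial" -out "$dir/$name-cert.pem" 2>/dev/null || return 1
        serial=$((serial + 1))
    done
}

# Demo on constructed data: the first call passes, the second is rejected.
demo=$(mktemp -d) && make_demo_pki "$demo"
check_cert "$demo/ca-cert.pem" "$demo/server-cert.pem" "$demo/server-key.pem" && echo "server: OK"
check_cert "$demo/ca-cert.pem" "$demo/clash-cert.pem" "$demo/clash-key.pem" || echo "clash: rejected ($?)"
```

With the files from the post, the call would be check_cert ca-cert.pem server-cert.pem server-key.pem inside /opt/etc/mysql/certs, and the same again for the client pair.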