Score:0

Establishing SSL with MariaDB10 on Synology


Can anyone please point me to a solution for enabling SSL connections for MariaDB10 on a Synology device?

The device is a Synology NAS running DSM 7.0.1 (Update 2).

I have:

  1. Created the recommended certificates (ca-key.pem / server-key.pem / server-cert.pem) via:

```
# CA private key and self-signed CA certificate
openssl genrsa -out ca-key.pem 2048
openssl req -new -x509 -nodes -days 365000 -key ca-key.pem -out ca-cert.pem

# Server key and certificate signing request
openssl req -newkey rsa:2048 -days 365 -nodes -keyout server-key.pem \
    -out server-req.pem
openssl rsa -in server-key.pem -out server-key.pem

# Sign the server request with the CA
openssl x509 -req -in server-req.pem -days 365 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
```

  2. Placed certificates in the '/etc/mariadb/' directory

  3. Edited the my.cnf file (i.e. '/var/packages/MariaDB10/etc/my.cnf') to include the following:

```
[mysqld]
ssl
ssl-capath=/etc/mariadb/
ssl-ca=ca-cert.pem
ssl-cert=server-cert.pem
ssl-key=server-key.pem
#require_secure_transport=ON #see note below regarding Synology error
```

Note: the use of require_secure_transport=ON produces an error in the Synology Package center stating 'Failed to start "MariaDB10"...'

  4. Restart MariaDB

  5. MariaDB10 provides the following responses for `show variables like '%ssl%'`:

```
have_openssl    YES
have_ssl        DISABLED
ssl_ca          ca-cert.pem
ssl_capath      /etc/mariadb/
ssl_cert        server-cert.pem
ssl_key         server-key.pem
```
Additional notes: To confirm remote connections, two users were created: one did not require SSL and the other did. It is possible to establish a remote connection with the user that does not require an SSL connection. The user that requires an SSL connection is provided with the error message **"SSL connection error: SSL is required but the server doesn't support it"**
markusjm:
You might want to try using absolute paths to the certificates like `ssl_key=/etc/mariadb/server-key.pem` just to rule out any problems with that. In addition, can you provide the actual error that caused MariaDB to fail to start? You'll find it in the file MariaDB was configured to log into.
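
As an added example (not part of the original posts), this shell function checks a my.cnf for what the comment above suggests ruling out: `ssl-ca`, `ssl-cert` and `ssl-key` values in `[mysqld]` that are not absolute paths, or that name files the current account cannot read. The function name and the sample file are hypothetical; run it as the account MariaDB runs under so the readability check is meaningful.

```shell
#!/bin/sh
# Added example (hypothetical helper): lint ssl-ca / ssl-cert / ssl-key in the
# [mysqld] section of a my.cnf. Prints findings; returns 0 when there are none.
check_mysqld_ssl() {
    findings=$(awk '
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[mysqld\]/); next }
        in_sec && /^[ \t]*ssl[-_](ca|cert|key)[ \t]*=/ {
            line = $0; sub(/[ \t]*#.*$/, "", line)   # drop trailing comment
            key = line; sub(/[ \t]*=.*/, "", key); gsub(/[ \t]/, "", key)
            val = line; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            print key "\t" val
        }' "$1" | while IFS="$(printf '\t')" read -r key val; do
            case $val in
                (/*) ;;   # absolute path: go on to the file checks
                (*)  echo "$key: relative path '$val' (ssl-capath is not prepended)"
                     continue ;;
            esac
            if [ ! -f "$val" ]; then
                echo "$key: $val does not exist"
            elif [ ! -r "$val" ]; then
                echo "$key: $val is not readable by $(id -un)"
            fi
        done)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample: the [mysqld] block from the question.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[mysqld]
ssl
ssl-capath=/etc/mariadb/
ssl-ca=ca-cert.pem
ssl-cert=server-cert.pem
ssl-key=server-key.pem
EOF
check_mysqld_ssl "$sample" || true
rm -f "$sample"
```

`ssl-capath` is skipped on purpose: it names a directory of CA certificates, not a base directory for the other three options.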
Score:0

Likely the MariaDB for Synology hasn't been compiled with support for SSL, and that is why it doesn't work.

I wouldn't bother with MariaDB SSL. It is better to use SSH tunneling to connect to SQL servers remotely.

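First open the tunnel with:

```
ssh -L 3306:127.0.0.1:3306 [email protected]
```

And then connect to it:

```
# 127.0.0.1 rather than localhost: on Unix the client treats "localhost" as the
# local socket file and would not go through the tunnel's TCP port
mysql -h 127.0.0.1 ...
```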
markusjm:
The [have_ssl](https://mariadb.com/kb/en/ssltls-system-variables/#have_ssl) variable shows that it was compiled with it.