
Getting an error while trying to enable encryption:

    [ERROR] SSL error: Unable to get private key from '/etc/mysql/ssl/nginx.key'
    [Warning] Failed to set up SSL because of the following SSL library error: Unable to get private key

/etc/mysql/conf.d/encrypt.cnf:

    [mysqld]
    ssl-ca=/etc/mysql/ssl/nginx.ca
    ssl-cert=/etc/mysql/ssl/nginx.crt
    ssl-key=/etc/mysql/ssl/nginx.key

The key is generated like that:

    openssl req -newkey rsa:4096 -nodes -keyout nginx.key -subj "/C=US/ST=California/L=Sacramento/O=MyOrg/OU=MyDev/CN=MyApp"

openssl checks it fine.

I've tried to change permissions, owners, file names, moving to different directories, disabling SELinux (it's already disabled), looking at AppArmor logs (it doesn't block it), changing 'BEGIN/END PRIVATE KEY' to 'BEGIN/END RSA PRIVATE KEY'.

What's wrong with it?

5 Answers

15

OK, apparently just changing 'BEGIN PRIVATE KEY' to 'BEGIN RSA PRIVATE KEY' isn't enough.

It must be properly converted from PKCS#8 to PKCS#1 (Reference):

    openssl rsa -in /etc/mysql/ssl/nginx.key -out ~/nginx.key.rsa
  • Why did I just search the Internet for an hour for this... thank you. Commented Jun 1, 2018 at 22:09
  • Mine needed this because it was originally generated by LetsEncrypt for my website. But Apache needed no conversion. Commented Jun 1, 2018 at 22:16
  • The above almost did the trick for me. I am using OpenSSL 3 and had to specify the -traditional option to get PKCS#1 output. Commented Dec 14, 2021 at 12:59
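As an added example (not part of the answer or its comments), the following POSIX shell script wraps the conversion the answer describes: it tells PKCS#8 ("BEGIN PRIVATE KEY") apart from PKCS#1 ("BEGIN RSA PRIVATE KEY") by the PEM header, runs the same `openssl rsa` command, adds `-traditional` when the installed OpenSSL accepts it (the OpenSSL 3 case from the last comment), and then confirms the converted file still carries the original modulus. The key it generates in `demo` is a throwaway constructed for the demonstration, not the poster's key.

```shell
#!/bin/sh
# Added example: detect the PEM container of a private key, convert
# PKCS#8 -> PKCS#1 for MySQL/MariaDB, and verify the result.
set -eu

# Print the PEM container type of a key file: pkcs8, pkcs1, or unknown.
key_format() {
    if grep -q '^-----BEGIN PRIVATE KEY-----' "$1"; then
        echo pkcs8
    elif grep -q '^-----BEGIN RSA PRIVATE KEY-----' "$1"; then
        echo pkcs1
    else
        echo unknown
    fi
}

# Convert an RSA key to PKCS#1. OpenSSL 3 writes PKCS#8 even from
# `openssl rsa`, so -traditional is added whenever the binary lists it.
to_pkcs1() {
    in="$1"; out="$2"
    if openssl rsa -help 2>&1 | grep -q -- '-traditional'; then
        openssl rsa -in "$in" -out "$out" -traditional 2>/dev/null
    else
        openssl rsa -in "$in" -out "$out" 2>/dev/null
    fi
    # The converted key is as secret as the original: owner-only access.
    chmod 0600 "$out"
}

# Succeed only if both files parse as RSA keys with the same modulus.
same_key() {
    a=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null || true)
    b=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null || true)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Demo on a constructed throwaway key in a temporary directory (assumed paths).
demo() {
    dir=$(mktemp -d)
    # Same generation command shape as the question; the CSR goes to a file.
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/nginx.key" \
        -subj "/CN=demo" -out "$dir/nginx.csr" 2>/dev/null
    echo "before: $(key_format "$dir/nginx.key")"
    to_pkcs1 "$dir/nginx.key" "$dir/nginx.key.rsa"
    echo "after:  $(key_format "$dir/nginx.key.rsa")"
    same_key "$dir/nginx.key" "$dir/nginx.key.rsa" && echo "modulus matches"
    rm -rf "$dir"
}

command -v openssl >/dev/null 2>&1 && demo
```

Run it as `sh convert-key.sh`; on a real server replace the demo with `to_pkcs1 /etc/mysql/ssl/nginx.key /etc/mysql/ssl/nginx.key.rsa` and point `ssl-key` at the new file. The modulus comparison is the check worth keeping: it catches a conversion that silently produced a different or empty key, which the server's error message would not distinguish from a permissions problem.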
3

As a consolidation of my false leads that helped others:

  • POSIX mode bits and file owner: The mysql user must have read access to all SSL files via user or group privileges. This may mean chown mysql *.pem or adding ssl-private to mysql's groups. (https://serverfault.com/questions/417390/cannot-setup-mysql-ssl-unable-to-read-certificate)

  • AppArmor can cut off file access. You need something like /etc/mysql/** in /etc/apparmor.d/usr.sbin/mysqld. Check /var/log/kern.log and consider aa-complain /usr/sbin/mysqld to get errors rather than denials. (https://forums.mysql.com/read.php?26,393495,393636#msg-393636)

  • Malformatted file contents. SSL library is very bad at complaining accurately. Ensure the full key set works on, say, a web site.

  • The file is missing entirely. Again, in the error message there is no distinction made.

  • By mysql user, you may include any user that connects to the database. For example, using Proftpd with mod_sql, the proftpd user couldn't read the client-key.pem, hence was sending a 2026 SSL connection error: Unable to get private key. Allowing the proftpd user to read the file fixed it. Thanks for your answer which helped me find this out! Commented Nov 25, 2020 at 11:20
1

I got the same error.

But instead of converting the private key from PKCS#8 to #1, it was enough to change the owner of the ssl folder and its content (even though the rest of /etc/mysql/ was owned by a different user):

    chown mysql:mysql /etc/mysql/ssl/ -R

Found that solution on Server Fault

  • I generated/copied my keys as root, and this was the answer Commented Oct 7, 2024 at 16:39
0

Alternative answer not given by those above: There is a problem with the certificate itself, or the certificate chain, and not the private key. In our case, the certificate file contained the intermediate certificates in the authentication chain. The presence of these additional certificates caused MySQL to report the "Unable to get private key" error. This was found to be the case in MariaDB 5.5.64.

0

I received this error on MariaDB 10.3 when using an EC key. Switching to RSA solved the issue. (And 10.6 worked with EC also.)
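Since the server reports every one of the causes above with the same "Unable to get private key" line, here is an added diagnostic script (not from any of the answers) that runs the checklist from the consolidation answer plus the two points raised after it: file missing, file not readable by the service account, unparseable or PKCS#8-encoded key, EC rather than RSA key, more than one certificate in `ssl-cert`, a key that does not match the certificate, and AppArmor denials in the kernel log. It assumes the service account is named `mysql` and that AppArmor logs to /var/log/kern.log (both overridable through environment variables); impersonating the service user needs root, and the script says so rather than faking that result.

```shell
#!/bin/sh
# Added diagnostic for MySQL/MariaDB "Unable to get private key" reports.
# Usage: sh ssl-diag.sh /etc/mysql/ssl/nginx.key /etc/mysql/ssl/nginx.crt
set -u

MYSQL_USER="${MYSQL_USER:-mysql}"          # assumed service account name
KERN_LOG="${KERN_LOG:-/var/log/kern.log}"  # assumed AppArmor log location

# Can user $1 read file $2? Needs root to switch user; otherwise the check
# runs as the current user and the report says so.
readable_by() {
    if [ "$(id -u)" -eq 0 ] && id "$1" >/dev/null 2>&1; then
        su -s /bin/sh "$1" -c "test -r '$2'"
    else
        echo "  (not root: checking readability as $(id -un), not $1)" >&2
        test -r "$2"
    fi
}

# Number of PEM certificates in a file (more than one in ssl-cert is the
# intermediate-chain case reported for MariaDB 5.5.64).
cert_count() { grep -c '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true; }

# Key algorithm, decided by which OpenSSL parser accepts the file.
key_algo() {
    if openssl rsa -in "$1" -noout >/dev/null 2>&1; then echo rsa
    elif openssl ec -in "$1" -noout >/dev/null 2>&1; then echo ec
    else echo unknown
    fi
}

# Does the certificate carry the public half of this private key?
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null || true)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null || true)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Full report for one key/cert pair; returns 0 only when every check passes.
diagnose() {
    key="$1"; cert="$2"; rc=0
    for f in "$key" "$cert"; do
        if [ ! -f "$f" ]; then echo "MISSING: $f"; rc=1
        elif readable_by "$MYSQL_USER" "$f"; then echo "ok: $f readable"
        else echo "PERMS: $MYSQL_USER cannot read $f (fix owner, mode or group)"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return "$rc"

    algo=$(key_algo "$key")
    echo "key algorithm: $algo"
    [ "$algo" = unknown ] && { echo "MALFORMED: openssl cannot parse $key"; rc=1; }
    [ "$algo" = ec ] && echo "note: EC key; MariaDB 10.3 rejected these, RSA worked"
    grep -q '^-----BEGIN PRIVATE KEY-----' "$key" && \
        echo "note: PKCS#8 header; convert with openssl rsa (-traditional on OpenSSL 3)"

    n=$(cert_count "$cert")
    echo "certificates in ssl-cert: $n"
    [ "$n" -eq 1 ] || { echo "CHAIN: ssl-cert must hold one certificate; intermediates go in ssl-ca"; rc=1; }

    if key_matches_cert "$key" "$cert"; then echo "ok: key and certificate match"
    else echo "MISMATCH: public key in $cert is not from $key"; rc=1
    fi

    # AppArmor denials land in the kernel log, not in the MySQL error log.
    [ -r "$KERN_LOG" ] && grep -q 'apparmor="DENIED".*mysqld' "$KERN_LOG" 2>/dev/null && \
        echo "APPARMOR: denials for mysqld in $KERN_LOG (try aa-complain /usr/sbin/mysqld)"
    return "$rc"
}

[ "$#" -eq 2 ] && diagnose "$1" "$2"
```

The public-key comparison in `key_matches_cert` works for both RSA and EC keys, which is why it is used instead of the RSA-only modulus check; `key_algo` relies on `openssl rsa` and `openssl ec` each refusing the other's key type.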
