SSL connection error : certificate verify failed, [Galera] Handshake failed

Clearly, I have one of these SSL config lines wrong, but I can’t figure out which one.
Various troubleshooting results pasted below (CAUTION: LONG)

ssl-ca=/etc/mysql/certs/ca.pem
ssl-cert=/etc/mysql/certs/client-cert.pem
ssl-key=/etc/mysql/certs/client-key.pem

or:

encrypt=4
ssl-ca=ca.pem
ssl-key=server-key.pem
ssl-cert=server-cert.pem

1 Like

Provide the full paths. Make sure ‘mysql’ user can read all files. Make sure others cannot read the key.

1 Like
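The three checks in the reply above (full paths, readable by the service account, private key not readable by others) plus the chain check behind a "certificate verify failed" error can be scripted. The script below is an added example written for this thread, not something from the original posts or from Percona; it assumes a Linux host with GNU coreutils `stat`, the file names used in the thread (`ca.pem`, `server-cert.pem`, `server-key.pem`), and that `mysqld` runs as the account passed as the second argument.

```shell
#!/bin/sh
# Constructed example: sanity-check the PEM files a MySQL/Galera node points at.
# - every file exists under the given directory (so the config can use full paths)
# - every file is owned by the expected service user (e.g. mysql)
# - private keys (*-key.pem) are 0600 or 0400, i.e. not readable by group/other
# - certificates and the CA are at least readable by their owner
# Assumes GNU stat (-c '%U' / -c '%a'); file names mirror the thread.

# check_tls_perms DIR OWNER
#   Prints one line per problem; returns 0 if everything passes, 1 otherwise.
check_tls_perms() {
    dir=$1
    owner=$2
    rc=0
    for f in ca.pem server-cert.pem server-key.pem; do
        path="$dir/$f"
        if [ ! -f "$path" ]; then
            echo "MISSING: $path"
            rc=1
            continue
        fi
        file_owner=$(stat -c '%U' "$path")
        mode=$(stat -c '%a' "$path")
        if [ "$file_owner" != "$owner" ]; then
            echo "OWNER:   $path is owned by $file_owner, expected $owner"
            rc=1
        fi
        case $f in
            *-key.pem)
                # private key: only the owner may read it
                case $mode in
                    600|400) ;;
                    *) echo "MODE:    $path is $mode, a private key should be 600 or 400"; rc=1 ;;
                esac
                ;;
            *)
                # certificate / CA: owner read bit (first octal digit >= 4) must be set
                case $mode in
                    [4-7]*) ;;
                    *) echo "MODE:    $path is $mode, not readable by its owner"; rc=1 ;;
                esac
                ;;
        esac
    done
    return $rc
}

# check_chain DIR
#   Returns 0 when server-cert.pem validates against ca.pem (what the server
#   and peers do during the TLS handshake), 1 otherwise, 2 if openssl is absent.
check_chain() {
    dir=$1
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; return 2; }
    openssl verify -CAfile "$dir/ca.pem" "$dir/server-cert.pem"
}

# Usage on the node (second argument is the account mysqld runs as):
#   check_tls_perms /etc/mysql/certs mysql && check_chain /etc/mysql/certs
```

Run it once per node with the directory the config actually references; if `check_tls_perms` passes but `check_chain` fails, the certificate was not issued by the CA the node is configured with, which is the usual cause of the "certificate verify failed" message.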

[root@SQL1 certs]# pwd
/etc/mysql/certs
[root@SQL1 certs]# ll ..
drwxr-xr-x. 3 root root 19 Jul 19 22:42 .
drwxr-xr-x. 113 root root 8192 Jul 21 22:38 ..
drwxr-xr-x. 5 mysql mysql 229 Jul 21 20:36 certs

[root@SQL1 certs]# ll
drwxr-xr-x. 5 mysql mysql 229 Jul 21 20:36 .
drwxr-xr-x. 3 root root 19 Jul 19 22:42 ..
-rw-------. 1 mysql mysql 1679 Jul 21 20:36 server-key.pem
-rw-r--r--. 1 mysql mysql 1151 Jul 21 20:36 server-cert.pem
-rw-r--r--. 1 mysql mysql 980 Jul 21 20:36 client-req.pem
-rw-------. 1 mysql mysql 1675 Jul 21 20:36 client-key.pem
-rw-r--r--. 1 mysql mysql 1151 Jul 21 20:36 client-cert.pem
-rw-r--r--. 1 mysql mysql 1306 Jul 21 20:36 ca.pem
-rw-r--r--. 1 mysql mysql 1679 Jul 21 20:36 ca-key.pem
-rw-r--r--. 1 mysql mysql 980 Jul 21 20:36 server-req.pem
[root@SQL1 certs]#

1 Like

I copied these keys to /var/lib/mysql:

[root@SQL1 certs]# for x in $(ls *.pem) ; do locate $x ; done

/etc/mysql/certs/ca-key.pem
/var/lib/mysql/ca-key.pem

/etc/mysql/certs/ca.pem
/var/lib/mysql/ca.pem

/etc/mysql/certs/client-cert.pem
/var/lib/mysql/client-cert.pem

/etc/mysql/certs/client-key.pem
/var/lib/mysql/client-key.pem

/etc/mysql/certs/client-req.pem

/etc/mysql/certs/private_key.pem
//var/lib/mysql/private_key.pem

/etc/mysql/certs/public_key.pem
/var/lib/mysql/public_key.pem

/etc/mysql/certs/server-cert.pem
/var/lib/mysql/server-cert.pem

/etc/mysql/certs/server-key.pem
/var/lib/mysql/server-key.pem

/etc/mysql/certs/server-req.pem

[root@SQL1 certs]#

1 Like

Or should they be links? ln -s?

1 Like

You don’t need the certs in 2 places. Pick one location or the other. After you do that, what does MySQL say when you start the node?

1 Like

Sorry I didn’t get back to you. They work now. Thanks!