Updating SSL certificates on "percona:8.0" docker container

Hello,

I use LetsEncrypt certificates for all my services, and mount those certificates into the Percona MySQL docker container:

docker-compose.yml:

volumes:
  - /path/to/certs/:/etc/my.cnf.d/certs/:ro

my.cnf:

[mysqld]
ssl_cert                        = "/etc/my.cnf.d/certs/fullchain.pem"
ssl_key                         = "/etc/my.cnf.d/certs/privkey.pem"

If I update those certificates on the host, do I need to do anything on the container, such as restarting it or running “FLUSH SSL;”, or will the container handle the certificates being updated?

Also, I noticed that even though I have my own certificates, Percona has gone ahead and generated some server and client certificates inside the local /var/lib/mysql/ folder. I wonder if it’s really using my own certificates, although the paths seem to be the ones I provided when I look at the live variables on the server. So I’m not sure what the certificates created inside /var/lib/mysql/ are used for.

Many thanks!

Try this:
https://dev.mysql.com/doc/refman/8.0/en/alter-instance.html#alter-instance-reload-tls

MySQL automatically generates self-signed certs on first start. That’s why you see certs inside /var/lib/mysql.

If the running variables show the path of your certs, then it’s using yours.

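As an added example (not part of the thread), a small host-side script that puts the linked `ALTER INSTANCE RELOAD TLS` into practice for the setup described above: it compares the expiry of the renewed `fullchain.pem` on the host with the certificate the running server has actually loaded (`Ssl_server_not_after`), issues the reload only when they differ, and re-checks afterwards. The container name, the `mysql` client authenticating via a `.my.cnf` inside the container, and `openssl` being available on the host are assumptions.

```python
#!/usr/bin/env python3
"""Reload the TLS context of a running Percona/MySQL 8.0 container after the
LetsEncrypt files in the :ro volume have been renewed on the host."""
import subprocess
from datetime import datetime, timezone

CONTAINER = "percona"                          # assumed container name
CERT_ON_HOST = "/path/to/certs/fullchain.pem"  # host side of the mount from the post
# Assumes the client authenticates via /root/.my.cnf inside the container.
MYSQL = ["docker", "exec", CONTAINER, "mysql", "-N", "-B", "-e"]
# OpenSSL and MySQL both print e.g. "Apr 25 01:04:12 2024 GMT".
TIME_FMT = "%b %d %H:%M:%S %Y %Z"


def parse_openssl_time(text: str) -> datetime:
    """Parse an OpenSSL-style notAfter string into an aware UTC datetime."""
    return datetime.strptime(text.strip(), TIME_FMT).replace(tzinfo=timezone.utc)


def reload_needed(disk_not_after: str, server_not_after: str) -> bool:
    """True when the server still serves a certificate whose expiry differs
    from the file on disk, i.e. the renewed file has not been loaded yet."""
    return parse_openssl_time(disk_not_after) != parse_openssl_time(server_not_after)


def disk_not_after() -> str:
    # "notAfter=Apr 25 01:04:12 2024 GMT" -> "Apr 25 01:04:12 2024 GMT"
    out = subprocess.check_output(
        ["openssl", "x509", "-noout", "-enddate", "-in", CERT_ON_HOST], text=True)
    return out.split("=", 1)[1].strip()


def server_not_after() -> str:
    # -N -B: no header, tab separated -> "Ssl_server_not_after\tApr 25 ..."
    out = subprocess.check_output(MYSQL + ["SHOW STATUS LIKE 'Ssl_server_not_after'"], text=True)
    return out.split("\t", 1)[1].strip()


def main() -> None:
    before = server_not_after()
    if not reload_needed(disk_not_after(), before):
        print("server already uses the on-disk certificate (expires %s)" % before)
        return
    # Only new connections pick up the reloaded context; existing sessions keep the old one.
    subprocess.check_call(MYSQL + ["ALTER INSTANCE RELOAD TLS"])
    after = server_not_after()
    if reload_needed(disk_not_after(), after):
        raise SystemExit("reload did not pick up the new certificate; check the server error log")
    print("TLS context reloaded; new connections use the certificate expiring %s" % after)


if __name__ == "__main__":
    main()
```

Run it from a certbot deploy hook (or cron) on the host; by default `ALTER INSTANCE RELOAD TLS` keeps the previous context if the new files fail to load, which the final check surfaces.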

Thank you very much, @matthewb

And am I right to say that as of 8.0.16, the new certificates will automatically be used on new connections, so I don’t need to restart the Docker container when I update my own certificates in the mounted volume?

Very kind regards!

As far as I can tell, no, you don’t need to restart the container.
