MySQL with hostname SSL

Daniel-Doggy (Verified User, joined Nov 16, 2019, 452 messages)
Hello everyone,

I am trying to configure the MySQL server to use the hostname's SSL certificate (Let's Encrypt) instead of the self-signed certificate it generated itself.
The issue is that the MySQL user/group does not have access to the /usr/local/directadmin/conf/ folder and the cert files,
and thus cannot load them on start.

My idea is, as a workaround:
Create a custom script on ssl_save_post.sh
Copy the files with the script to a folder where the mysql user/group does have access to it.

But the docs leave me with more questions than answers. (https://docs.directadmin.com/developer/hooks/ssl_letsencrypt.html)

My questions:
1. How to check that the domain matches the hostname.
2. My Let's Encrypt certificate was created with /usr/local/directadmin/scripts/letsencrypt.sh request_single hostname 4096, but will this still allow it to trigger the ssl_save_post.sh?
3. Is this script called after all the certificates files are saved/updated? (So that I can just add a cp in my script.)
4. Any better ways to do this?

Thanks in advance,
realcryptonight
 
Found a good workaround:
#!/bin/sh
# Copy the DirectAdmin host certificate into MySQL's data dir and restart MySQL only when something changed.

le_cert_sum=$(md5sum /usr/local/directadmin/conf/cacert.pem | awk '{ print $1 }')
le_ca_sum=$(md5sum /usr/local/directadmin/conf/carootcert.pem | awk '{ print $1 }')
le_key_sum=$(md5sum /usr/local/directadmin/conf/cakey.pem | awk '{ print $1 }')

# On the very first run the MySQL copies may not exist yet; an empty sum then forces the copy.
mysql_cert_sum=$(md5sum /var/lib/mysql/server-cert.pem 2>/dev/null | awk '{ print $1 }')
mysql_ca_sum=$(md5sum /var/lib/mysql/ca.pem 2>/dev/null | awk '{ print $1 }')
mysql_key_sum=$(md5sum /var/lib/mysql/server-key.pem 2>/dev/null | awk '{ print $1 }')

is_updated=0

if [ "$le_cert_sum" != "$mysql_cert_sum" ]; then
    echo "LE cert does not match MySQL cert"
    cp /usr/local/directadmin/conf/cacert.pem /var/lib/mysql/server-cert.pem
    is_updated=1
fi

if [ "$le_ca_sum" != "$mysql_ca_sum" ]; then
    echo "LE CA cert does not match MySQL CA cert"
    cp /usr/local/directadmin/conf/carootcert.pem /var/lib/mysql/ca.pem
    is_updated=1
fi

if [ "$le_key_sum" != "$mysql_key_sum" ]; then
    echo "LE key does not match MySQL key"
    cp /usr/local/directadmin/conf/cakey.pem /var/lib/mysql/server-key.pem
    # The private key must be readable by the mysql user and nobody else; a plain cp of a
    # root-owned 0600 file to a new path would leave it unreadable for mysqld.
    chown mysql:mysql /var/lib/mysql/server-key.pem
    chmod 600 /var/lib/mysql/server-key.pem
    is_updated=1
fi

# POSIX sh compares with a single '='; '==' is a bashism that /bin/sh (dash) rejects.
if [ "$is_updated" = 1 ]; then
    systemctl restart mysqld.service
fi

I just need to run this like once a week and then it will be all good. :)
 