Mysql gitea (mariadb) SSL is not supported

When setting up the MySQL database like this, it works fine:

```sql
SET old_passwords=0;

CREATE USER 'gitea'@'localhost' IDENTIFIED BY 'PASSWORD......';

CREATE DATABASE giteadb CHARACTER SET 'utf8mb4' COLLATE 'utf8mb4_unicode_ci';

GRANT ALL PRIVILEGES ON giteadb.* TO 'gitea'@'localhost' with grant option;

FLUSH PRIVILEGES;

EXIT;
```

But if I require SSL like this:

```sql
CREATE USER 'gitea'@'localhost' IDENTIFIED BY 'PASSWORD......' require ssl;
```

I get the following error: `Error 1045 (28000): Access denied for user 'gitea'@'localhost'`.

I can sign in as the user with `mysql -u gitea -p --ssl` just fine with the password I used. I also tried different hostnames, such as localhost:3306 and 127.0.0.1:3306.

Can you share your [database] config from app.ini? Also, is your database hosted on a separate server from Gitea?

```ini
# The MariaDB configuration file
#
# The MariaDB/MySQL tools read configuration files in the following order:
# 0. "/etc/mysql/my.cnf" symlinks to this file, reason why all the rest is read.
# 1. "/etc/mysql/mariadb.cnf" (this file) to set global defaults,
# 2. "/etc/mysql/conf.d/*.cnf" to set global options.
# 3. "/etc/mysql/mariadb.conf.d/*.cnf" to set MariaDB-only options.
# 4. "~/.my.cnf" to set user-specific options.
#
# If the same option is defined multiple times, the last one will apply.
#
# One can use all long options that the program supports.
# Run program with --help to get a list of available options and with
# --print-defaults to see which it would actually understand and use.
#
# If you are new to MariaDB, check out https://mariadb.com/kb/en/basic-mariadb-articles/

#
# This group is read both by the client and the server
# use it for options that affect everything
#
[client-server]
# Port or socket location where to connect
# port = 3306
socket = /run/mysqld/mysqld.sock

# Import all .cnf files from configuration directory
!includedir /etc/mysql/conf.d/
!includedir /etc/mysql/mariadb.conf.d/

[mysqld]
ssl-capath=/etc/mysql/certs/
ssl-cert = /etc/mysql/certs/server-cert.pem
ssl-key = /etc/mysql/certs/server-key.pem
tls-version = TLSv1.2,TLSv1.3
```

Note that /etc/mysql/certs/ contains server-cert.pem and server-key.pem, which I generated following these steps:

  1. Generate the SSL certificates using OpenSSL. This involves creating a private key and a certificate signing request (CSR). Here’s an example command to generate a private key and CSR: `openssl req -newkey rsa:2048 -nodes -keyout server-key.pem -out server-csr.pem`. This command generates a 2048-bit RSA private key and a CSR. You’ll be prompted to provide some information, such as the common name (CN) for the server.
  2. Generate a self-signed server certificate using server-key.pem and server-csr.pem: `openssl x509 -req -in server-csr.pem -signkey server-key.pem -out server-cert.pem`
  3. Store certificates in a certs folder: `sudo mkdir -p /etc/mysql/certs && mv server-key.pem server-cert.pem /etc/mysql/certs`
  4. Update permissions: `sudo chown -R mysql:mysql /etc/mysql/certs/ && sudo chmod 0600 /etc/mysql/certs/*`

Did you configure Gitea to use SSL when connecting to the MySQL server? You will need to set SSL_MODE under [database] because it is disabled by default. See Config Cheat Sheet.

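The `[database]` section that the last reply points to, as an added example that is not part of the original thread or taken from the poster's app.ini. The database name, user and `127.0.0.1:3306` host come from the posts above; the password is a placeholder, and choosing `skip-verify` is an assumption based on the self-signed certificate described in the thread.

```ini
; app.ini (Gitea) -- constructed example, not the poster's actual file
[database]
DB_TYPE = mysql
; TCP address, one of the host values tried in the thread
HOST    = 127.0.0.1:3306
NAME    = giteadb
USER    = gitea
; placeholder, not a real credential
PASSWD  = <gitea-db-password>

; Default: no TLS. The server refuses a non-TLS login for an account
; created with REQUIRE SSL, even when the password is correct.
; SSL_MODE = disable

; TLS with verification of the server certificate. The self-signed
; certificate from the steps above is not in the Gitea host's trust store,
; so this mode needs a certificate that host trusts and that names the
; address used in HOST.
; SSL_MODE = true

; TLS without verifying the server certificate. The connection is
; encrypted and satisfies REQUIRE SSL, but the server's identity is not
; authenticated, so it does not protect against an impostor server.
SSL_MODE = skip-verify
```

Restart Gitea after changing app.ini so the new `SSL_MODE` takes effect.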