Mysql gitea (mariadb) SSL is not supported

When setting up the mysql database like this it works fine :

SET old_passwords=0;

CREATE USER 'gitea'@'localhost' IDENTIFIED BY 'PASSWORD......';

CREATE DATABASE giteadb CHARACTER SET 'utf8mb4' COLLATE 'utf8mb4_unicode_ci';

GRANT ALL PRIVILEGES ON giteadb.* TO 'gitea'@'localhost' with grant option;



but if I require ssl like this :

CREATE USER 'gitea'@'localhost' IDENTIFIED BY 'PASSWORD......' require ssl;

I get the following error : Error 1045 (28000): Access denied for user 'gitea'@'localhost'.

I can sign to the user with mysql -u gitea -p --ssl just fine with the password I used. Also I tried different hostnames such as localhost:3306 and

Can you share your [database] config from app.ini? Also is your database hosted on separate server from Gitea?

# The MariaDB configuration file
# The MariaDB/MySQL tools read configuration files in the following order:
# 0. "/etc/mysql/my.cnf" symlinks to this file, reason why all the rest is read.
# 1. "/etc/mysql/mariadb.cnf" (this file) to set global defaults,
# 2. "/etc/mysql/conf.d/*.cnf" to set global options.
# 3. "/etc/mysql/mariadb.conf.d/*.cnf" to set MariaDB-only options.
# 4. "~/.my.cnf" to set user-specific options.
# If the same option is defined multiple times, the last one will apply.
# One can use all long options that the program supports.
# Run program with --help to get a list of available options and with
# --print-defaults to see which it would actually understand and use.
# If you are new to MariaDB, check out

# This group is read both by the client and the server
# use it for options that affect everything
# Port or socket location where to connect
# port = 3306
socket = /run/mysqld/mysqld.sock

# Import all .cnf files from configuration directory
!includedir /etc/mysql/conf.d/
!includedir /etc/mysql/mariadb.conf.d/

ssl-cert = /etc/mysql/certs/server-cert.pem
ssl-key = /etc/mysql/certs/server-key.pem
tls-version = TLSv1.2,TLSv1.3

Note that /etc/mysql/certs/ contains server-cert.pem and server-key.pem which I generated following these steps :

  1. Generate the SSL certificates using OpenSSL. This involves creating a private key and a certificate signing request (CSR). Here’s an example command to generate a private key and CSR: openssl req -newkey rsa:2048 -nodes -keyout server-key.pem -out server-csr.pem. This command generates a 2048-bit RSA private key and a CSR. You’ll be prompted to provide some information, such as the common name (CN) for the server.
  2. Generate a self-signed server certificate using server-key.pem and server-csr.pem: openssl x509 -req -in server-csr.pem -signkey server-key.pem -out server-cert.pem
  3. Store certificates in a certs folder : `sudo mkdir -p /etc/mysql/certs && mv server-key.pem server-cert.pem /etc/mysql/certs
  4. Update permissions : sudo chown -R mysql:mysql /etc/mysql/certs/ && sudo chmod 0600 /etc/mysql/certs/*

Did you configure Gitea to use SSL when connecting to MySQL server? You will need to set SSL_MODE under [database] because it is disabled by default. See Config Cheat Sheet.

1 Like