Package: mariadb-server
Version: 1:11.8.6-4
Severity: normal
Tags: patch
Dear Maintainer,
By default, the AppArmor configuration of mariadb blocks access to SSL keys such as
Let's Encrypt ones.
audit: type=1400 audit(1774503700.183:177): apparmor="DENIED" operation="open" class="file" profile="mariadbd" name="/etc/letsencrypt/archive/xxxxx/privkey6.pem" pid=246482 comm="mariadbd" requested_mask="r" denied_mask="r" fsuid=104 ouid=0
And the mariadb systemd fails:
SSL error: Unable to get private key from '/etc/letsencrypt/live/z-elec.pro/privkey.pem'
2026-03-26 7:10:37 0 [ERROR] Failed to setup SSL
2026-03-26 7:10:37 0 [ERROR] SSL error: Unable to get private key
2026-03-26 7:10:37 0 [ERROR] Aborting
260326 7:10:37 server_audit: STOPPED
A patch like this on /etc/apparmor.d/local/mariadbd solves the issue:
/etc/letsencrypt/live/xxxx/privkey.pem r,
/etc/letsencrypt/archive/xxx/** r,
-- System Information:
Debian Release: forky/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 6.19.6+deb14+1-cloud-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages mariadb-server depends on:
ii debconf [debconf-2.0] 1.5.92
ii galera-4 26.4.25-2
ii gawk 1:5.3.2-1
ii iproute2 6.19.0-1
ii libc6 2.42-13
ii libdbi-perl 1.647-1+b1
ii libgcc-s1 16-20260308-1
ii libpam0g 1.7.0-5+b1
ii libssl3t64 3.6.1-3
ii libstdc++6 16-20260308-1
ii lsof 4.99.4+dfsg-2
ii mariadb-client 1:11.8.6-4
ii mariadb-common 1:11.8.6-4
ii mariadb-server-core 1:11.8.6-4
ii passwd 1:4.18.0-2
ii perl 5.40.1-7
ii procps 2:4.0.4-9+b1
ii psmisc 23.7-2
ii rsync 3.4.1+ds1-7
ii socat 1.8.1.1-1
ii systemd [systemd-sysusers] 260.1-1
ii zlib1g 1:1.3.dfsg+really1.3.1-3
Versions of packages mariadb-server recommends:
ii libhtml-template-perl 2.97-2
ii mariadb-plugin-provider-bzip2 1:11.8.6-4
ii mariadb-plugin-provider-lz4 1:11.8.6-4
ii mariadb-plugin-provider-lzma 1:11.8.6-4
ii mariadb-plugin-provider-lzo 1:11.8.6-4
ii mariadb-plugin-provider-snappy 1:11.8.6-4
ii pv 1.10.4-1
Versions of packages mariadb-server suggests:
ii bsd-mailx [mailx] 8.1.2-0.20220412cvs-1.1
pn mariadb-test <none>
ii netcat-openbsd 1.234-2
-- Configuration Files:
/etc/mysql/mariadb.conf.d/50-server.cnf changed [not included]
-- debconf information excluded
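
The denial quoted in the report, turned into a least-privilege rule: this is an added example, not part of the original report or of the mariadb package, that parses an AppArmor DENIED audit record and proposes the narrowest rule for the local override file. The sample line is the report's record joined onto one line; the digit glob for renewed key files and the override file being named after the profile are assumptions.

```python
import re

# Constructed sample: the denial record from the report, joined onto one line.
SAMPLE = (
    'audit: type=1400 audit(1774503700.183:177): apparmor="DENIED" '
    'operation="open" class="file" profile="mariadbd" '
    'name="/etc/letsencrypt/archive/xxxxx/privkey6.pem" pid=246482 '
    'comm="mariadbd" requested_mask="r" denied_mask="r" fsuid=104 ouid=0'
)

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX = re.compile(r"(?:[0-9A-Fa-f]{2})+")


def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    fields = {}
    for key, quoted, bare in FIELD.findall(line):
        if key == "name" and not quoted and HEX.fullmatch(bare):
            # The audit layer hex-encodes names that contain spaces or quotes.
            bare = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = quoted or bare
    return fields if fields.get("apparmor") == "DENIED" else None


def suggest_rule(fields, follow_renewals=True):
    """Return (override file, rule) covering only the access that was denied."""
    path = fields["name"]
    if follow_renewals:
        # Assumption: renewed keys get a new counter (privkey6.pem, privkey7.pem),
        # so glob the counter only instead of opening the directory with '**'.
        path = re.sub(r"\d+(\.pem)$", r"[0-9]*\1", path)
    if re.search(r"\s", path):
        path = f'"{path}"'  # AppArmor needs quotes around paths with whitespace
    # Assumption: the local override file is named after the profile, as in the report.
    target = f"/etc/apparmor.d/local/{fields['profile']}"
    return target, f"{path} {fields['denied_mask']},"


if __name__ == "__main__":
    record = parse_denial(SAMPLE)
    target, rule = suggest_rule(record)
    print(f"# append to {target}")
    print(rule)
```

The generated rule grants read access to the private key files only, which is narrower than a `**` rule over the whole archive directory.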