Hello,

(Not reporting as a bug immediately; looking for confirmation and advice before 
doing so as it feels like this would be more widely reported if others are 
affected.)

Several of our MariaDB servers failed to return after regular patching this 
morning after MariaDB upgraded from 10.11.11 to 10.11.13. Looks like, after 
being happy with the SSL keys for over six months, MariaDB suddenly doesn't 
like them.

This looks like something has changed in MariaDB in this version that is 
stopping it reading our SSL keys, but I cannot see anything in the release 
notes relating to changes to SSL for .12 or .13:
https://mariadb.com/kb/en/mariadb-10-11-13-changelog/

Workings:

Patching immediately before updated from 10.11.11 to 10.11.13. No other updates 
applied (apart from zabbix-agent).
VMs are running Rocky 9.

Upgrading:
MariaDB-client    x86_64  10.11.13-1.el9  mariadb_10.11_r9  9.3 M
MariaDB-common    x86_64  10.11.13-1.el9  mariadb_10.11_r9   88 k
MariaDB-server    x86_64  10.11.13-1.el9  mariadb_10.11_r9   18 M
MariaDB-shared    x86_64  10.11.13-1.el9  mariadb_10.11_r9  131 k

Before patching, MariaDB was using one-sided SSL with self-signed SSL certs. 
Everything working as expected, been in place for over six months.

After MariaDB upgraded from 10.11.11 to .13, MariaDB will not start.

250526  6:38:03 server_audit: logging started to the syslog.
SSL error: Unable to get private key from '/etc/my.cnf.d/ssl/server-key.pem'
2025-05-26  6:38:03 0 [ERROR] Failed to setup SSL
2025-05-26  6:38:03 0 [ERROR] SSL error: Unable to get private key
2025-05-26  6:38:03 0 [ERROR] Aborting

server-key.pem looks okay, starts "-----BEGIN RSA PRIVATE KEY-----" - privs are 
700, owned by mysql user, turning off selinux doesn't fix it. File date six 
months old (it's a year long key with checks to renew at -30d), and openssl 
likes it;

# openssl rsa -in server-key.pem -check
RSA key ok
writing RSA key
-----BEGIN RSA PRIVATE KEY-----


My temporary fix is removing this from the config and then MariaDB will 
restart. Fortunately our clients don't require SSL.

[mysqld]
#ssl-ca=/etc/my.cnf.d/ssl/ca-cert.pem
#ssl-cert=/etc/my.cnf.d/ssl/server-cert.pem
#ssl-key=/etc/my.cnf.d/ssl/server-key.pem



Thank you
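
The file-level checks listed in the post (PEM header, mode, owner), gathered into one script that can run before a patch window. This is an added example, not part of the original post or MariaDB's code; the function name `inspect_key` and the default `mysql` owner check are assumptions, and a clean report says nothing about why 10.11.13 rejects the key.

```python
import base64, os, pwd, re, stat, sys, tempfile

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

# PEM labels a private key file can carry, and the encoding each one implies.
KEY_LABELS = {
    "RSA PRIVATE KEY": "PKCS#1 RSA (traditional)",
    "EC PRIVATE KEY": "SEC1 EC (traditional)",
    "PRIVATE KEY": "PKCS#8 unencrypted",
    "ENCRYPTED PRIVATE KEY": "PKCS#8 encrypted",
}

def inspect_key(path, expected_owner="mysql"):
    """Report mode, owner, PEM label and encryption state of one key file."""
    st = os.stat(path)
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:            # uid has no passwd entry
        owner = str(st.st_uid)
    out = {"mode": oct(stat.S_IMODE(st.st_mode)),
           "group_or_other_access": bool(st.st_mode & 0o077),
           "owner": owner, "owner_ok": owner == expected_owner,
           "label": None, "format": None, "encrypted": None, "der_ok": False}
    with open(path, encoding="ascii", errors="replace") as fh:
        m = PEM_RE.search(fh.read())
    if not m:
        return out              # no PEM block found at all
    label, body = m.groups()
    out["label"] = label
    out["format"] = KEY_LABELS.get(label, "not a private key label")
    # Traditional encrypted keys put RFC 1421 headers ahead of the base64 body.
    out["encrypted"] = ("Proc-Type: 4,ENCRYPTED" in body
                        or label == "ENCRYPTED PRIVATE KEY")
    b64 = "".join(l.strip() for l in body.splitlines() if l and ":" not in l)
    try:
        out["der_ok"] = base64.b64decode(b64, validate=True)[:1] == b"\x30"
    except ValueError:
        pass                    # body is not valid base64
    return out

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(inspect_key(sys.argv[1]))
    else:
        # Constructed sample: a 5-byte DER SEQUENCE, not a real key.
        body = base64.b64encode(b"\x30\x03\x02\x01\x00").decode()
        with tempfile.NamedTemporaryFile("w", suffix=".pem") as fh:
            fh.write(f"-----BEGIN RSA PRIVATE KEY-----\n{body}\n-----END RSA PRIVATE KEY-----\n")
            fh.flush()
            print(inspect_key(fh.name))
```

Run it with the key path as the only argument, as a user that can read the file.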