How-to: MariaDB SSL/TLS configuration for Relution and other apps

This article describes how to manually enable SSL/TLS for MariaDB on UCS (univention-mariadb).

The univention-mariadb package installs MariaDB but does not currently enable TLS by default. Some Univention App Center applications, such as Relution, require TLS to be enabled for correct setup on UCS. To avoid installation issues, install univention-mariadb first, enable TLS, and only then proceed with installing the desired application.

Note that the following steps are an interim solution: the App Center is expected to automate this process eventually, but as of now this part of the setup still requires manual intervention.

A functional MariaDB TLS configuration on UCS requires two steps. First, you need a server certificate and corresponding private key that are valid for the FQDN of the MariaDB host and signed by the UCS root CA (/etc/univention/ssl/ucsCA/CAcert.pem). The certificate, key, and their directory must be readable by the mysql user; otherwise, the MariaDB service will not start.
Second, MariaDB needs to be configured to use the certificate, private key, and UCS CA certificate. UCR provides a straightforward mechanism to apply these settings.

In the following example, we do not generate a new certificate, although that would also be possible. Instead, we copy an existing system certificate that already satisfies the requirements above and then adjust the permissions on the copies so the mysql user can access them. Use a unique target directory name to prevent UCS automation from overwriting these files. A directory such as mariadb."$(ucr get hostname)"."$(ucr get domainname)" is suitable for this purpose.

Also note that certificates copied manually in this way are not automatically managed by univention-certificate. If the original certificate is renewed, the copies used by MariaDB are not updated automatically. In such cases, you must manually replace the MariaDB copies by repeating the steps described below.

1. Copy certificate and key to the appropriate location and apply the required permissions:

install -D -o mysql -g mysql -m 0600 /etc/univention/ssl/"$(ucr get hostname)"."$(ucr get domainname)"/private.key /etc/univention/ssl/mariadb."$(ucr get hostname)"."$(ucr get domainname)"/private.key; \
install -D -o mysql -g mysql -m 0644 /etc/univention/ssl/"$(ucr get hostname)"."$(ucr get domainname)"/cert.pem /etc/univention/ssl/mariadb."$(ucr get hostname)"."$(ucr get domainname)"/cert.pem; \
chgrp mysql /etc/univention/ssl/mariadb."$(ucr get hostname)"."$(ucr get domainname)"; \
chmod g-r /etc/univention/ssl/mariadb."$(ucr get hostname)"."$(ucr get domainname)";

2. Use UCR to apply the required MariaDB TLS configuration, then restart the mariadb service:

ucr set mysql/config/mariadb/ssl-ca=/etc/univention/ssl/ucsCA/CAcert.pem; \
ucr set mysql/config/mariadb/ssl-cert=/etc/univention/ssl/mariadb."$(ucr get hostname)"."$(ucr get domainname)"/cert.pem; \
ucr set mysql/config/mariadb/ssl-key=/etc/univention/ssl/mariadb."$(ucr get hostname)"."$(ucr get domainname)"/private.key; \
systemctl restart mariadb

Use the mariadb client to check whether TLS was successfully enabled (the SHOW statement is entered at the MariaDB prompt, not in the shell):

$ mariadb
MariaDB [(none)]> SHOW GLOBAL VARIABLES LIKE 'have_ssl';

The output should look like this:

MariaDB [(none)]> SHOW GLOBAL VARIABLES LIKE 'have_ssl';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_ssl      | YES   |
+---------------+-------+
1 row in set (0.001 sec)
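The following pre-flight check for the files copied in step 1 is an added example written for this article, not part of the Univention documentation: it verifies that the copies are reachable and readable by the mysql user, that the private key is readable by nobody else, that key and certificate belong together, and that the certificate is signed by the UCS CA and valid for the host's FQDN. Directory, CA file, FQDN and service user are passed as arguments; it assumes GNU stat and the openssl CLI, both of which are present on UCS.

```shell
#!/bin/sh
# Pre-flight check of the files prepared in step 1 (added example; not from the
# Univention article). It tests what the article requires before MariaDB is
# restarted: the service user can reach and read the copies, the private key is
# not exposed, key and certificate belong together, and the certificate is signed
# by the given CA and valid for the MariaDB host's FQDN. Assumes GNU stat and the
# openssl CLI; paths, FQDN and user are passed in as arguments.

# user_can PATH USER r|x: can USER read or traverse PATH, judged by the classic
# owner/group/other permission bits? (ACLs and root's override are ignored.)
user_can() {
    _user=$2 _want=$3
    _st=$(stat -c '%U %G %a' "$1" 2>/dev/null) || return 1
    set -- $_st                                 # owner group mode
    _mode=${3#"${3%???}"}                       # keep the last three octal digits
    if [ "$1" = "$_user" ]; then
        _bits=${_mode%??}                       # owner digit
    elif id -Gn "$_user" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"; then
        _rest=${_mode#?}; _bits=${_rest%?}      # group digit
    else
        _bits=${_mode#??}                       # other digit
    fi
    case $_want in r) _mask=4 ;; x) _mask=1 ;; *) return 2 ;; esac
    [ $(( _bits & _mask )) -ne 0 ]
}

# check_mariadb_tls_files DIR CA_PEM FQDN [USER]
# DIR is the directory holding cert.pem and private.key as copied in step 1.
# Returns 0 when every check passes, 1 otherwise, printing one FAIL line per problem.
check_mariadb_tls_files() {
    dir=$1 ca=$2 fqdn=$3 user=${4:-mysql}
    cert=$dir/cert.pem key=$dir/private.key rc=0
    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory"; return 1; }
    user_can "$dir" "$user" x  || { echo "FAIL: $user cannot traverse $dir"; rc=1; }
    user_can "$cert" "$user" r || { echo "FAIL: $user cannot read $cert"; rc=1; }
    user_can "$key" "$user" r  || { echo "FAIL: $user cannot read $key"; rc=1; }
    # Step 1 installs the key with mode 0600: only its owner may read it.
    [ "$(stat -c '%a' "$key" 2>/dev/null)" = 600 ] || { echo "FAIL: $key is not mode 0600"; rc=1; }
    # The copied key must be the private half of the copied certificate.
    pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    [ -n "$pub" ] && [ "$pub" = "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] \
        || { echo "FAIL: $key does not match $cert"; rc=1; }
    # Signed by the CA and valid for the FQDN (subjectAltName, or CN if no SAN).
    openssl verify -CAfile "$ca" -verify_hostname "$fqdn" "$cert" >/dev/null 2>&1 \
        || { echo "FAIL: $cert is not signed by $ca or not valid for $fqdn"; rc=1; }
    return $rc
}
```

On a UCS host, run it as root before restarting MariaDB in step 2 (or when the service refuses to start afterwards), passing /etc/univention/ssl/mariadb."$(ucr get hostname)"."$(ucr get domainname)", /etc/univention/ssl/ucsCA/CAcert.pem and the host's FQDN.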

After completing these steps, you can proceed with installing the desired application.
