CA certificate ca.pem is self signed reported by MySQL

  • System Details:

    Debian GNU/Linux 8.7 (jessie)
    PHP Ver: 5.6.30 (Default)
    MYSQL Ver: 5.7.17
    Vsftpd Ver: 3.0.2

    i-MSCP 1.3.16 | Build: 20170107 | Codename: Horner

    Plugins Installed and Active:

    • AdminerSQL - Ver. 1.0.1
    • ClamAV - Ver. 1.2.0
    • CronJobs - Ver. 1.4.1
    • DebugBar - Ver. 1.1.2
    • DomainAutoApproval - Ver. 1.1.2
    • InstantSSH - Ver. 5.0.1
    • LetsEncrypt - Ver. 3.0.0
    • Mailgraph - Ver. 1.1.1
    • Mailman - Ver. 1.0.3
    • Monitorix - Ver. 1.2.2
    • OpenDKIM - Ver. 1.1.3
    • PanelRedirect - Ver. 1.1.5
    • PhpSwitcher - Ver. 3.0.2
    • PolicydSPF - Ver. 1.1.0
    • PolicydWeight - Ver. 1.1.0
    • Postgrey - Ver. 1.1.1
    • Postscreen - Ver. 1.1.0
    • RoundcubePlugins - Ver. 1.2.6
    • ServerDefaultPage - Ver. 1.2.5
    • SpamAssassin - Ver. 1.1.1

    I am investigating a non i-mscp related issue and noticed "CA certificate ca.pem is self signed" in my MySQL error log. Just curious about this as I am using LetsEncrypt. I see no obvious issue pertaining to this, but just wanted to share this as an FYI.

    As always, thank you and keep on truckin' ... :thumbup:

    “Life is all an Elaborate Hoax”

    Edited once, last by texxasrulez ().

  • @texxasrulez

    Do you have enabled SSL on your MySQL server side? The message you're reporting is about using a self-signed cert in MySQL. That is not related to i-MSCP since we don't do anything regarding optional SSL configuration for MySQL server ;)

    See also:…sa-files-using-mysql.html


  • I know it is not i-mscp related and that is why I stated that in my post. Just wanted to do a shoutout with the hope/possibility that mysql maybe could be incorporated within LetsEncrypt plugin in future releases if possible just for the sake of easy setup. I have already addressed the situation and got it proper at this time. I should have been a little more clear about my reason for posting.

    I appreciate the reply. Thank you and have a great day ... :)

    “Life is all an Elaborate Hoax”

  • maybe could be incorporated within LetsEncrypt plugin in future releases if possible just for the sake of easy setup

    Clearly, that is not the purpose of the LetsEncrypt plugin to setup SSL for the SQL server, nor for any other service. However, setting up SSL for MySQL (simplest case) is easy as doing:

    1. Enable LetsEncrypt for the services throught the administrator interface. If needed, you can add specific altname for your SQL server too.
    2. Copy the /etc/imscp/imscp_services.pem file inside the /etc/mysql directory: cp /etc/imscp/imscp_services.pem /etc/mysql
    3. Change ownership for the /etc/mysql/imscp_services.pem file: chown root:mysql /etc/mysql/imscp_services.pem
    4. Create the /etc/mysql/conf.d/ssl.cnf file with the following content:

    1. [mysqld]ssl-ca=/etc/mysql/imscp_services.pemssl-cert=/etc/mysql/imscp_services.pemssl-key=/etc/mysql/imscp_services.pem

    5. Restart the MySQL server: service mysql restart

    At this stage, SSL should be enabled (server side):

    1. root@jessie:/etc/mysql# mysqlWelcome to the MariaDB monitor. Commands end with ; or \g.Your MariaDB connection id is 16Server version: 10.1.22-MariaDB-1~jessie binary distributionCopyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.MariaDB [(none)]> show variables LIKE "%ssl%";+---------------------+-------------------------------+| Variable_name | Value |+---------------------+-------------------------------+| have_openssl | YES || have_ssl | YES || ssl_ca | /etc/mysql/imscp_services.pem || ssl_capath | || ssl_cert | /etc/mysql/imscp_services.pem || ssl_cipher | || ssl_crl | || ssl_crlpath | || ssl_key | /etc/mysql/imscp_services.pem || version_ssl_library | OpenSSL 1.0.1t 3 May 2016 |+---------------------+-------------------------------+10 rows in set (0.00 sec)MariaDB [(none)]> \qBye

    Now, for the simplest use case, you can do:

    1. # mysql --ssl-ca=/etc/mysql/imscp_services.pem

    and then the connection will use SSL:

    Note that here, this is the simplest case. If you want, we could create a listener file for managing SSL for your SQL server (server SSL certificate and client SSL certificates), all signed by the Let's Encrypt CA but again that not the purpose of the LetsEncrypt plugin.

    BTW: Could you give us more info about your requirements? And also answer to the following questions:

    • Does your MySQL server is hosted locally (on the server where i-MSCP is installed), or does your server is hosted on a remote server?
    • Which type of client need to connect using SSL? PHP? Other?

    Thank you ;)


  • Thanks alot for that wealth of info. I will surely put it to use ... A listener would be awesome, I appreciate the offer.

    Mysql is running on same machine. I build my own computers so I can pack a good punch in one pc for a good price.

    I mainly am trying to add letsencrypt certs to anything I can in the spirit of ISRG's LetEncrypt reason for developing it with the goal of encrypting the entire web as their motives.

    I am currently working on a caldav enabled calendar plugin for Roundcube to work specifically with Nextcloud "out of the box" and I was working through some errors in my tables and noticed the warning for self signed cert, so that is when I decided to add my letsencrypt cert to it as well. Then, trying to think of ease, I decided to post this for ideas of ease for all i-mscp users if they were so interested.

    I do have this plugin on Github, so all can check it out if you use Roundcube and Nextcloud. Trying to add more functionality to it, and get this new version working before I update to github. What is up there now works ...

    I do thank you for your help, time and information you have given me ... 8)

    “Life is all an Elaborate Hoax”

  • FloRet88

    Closed the thread.