
I am attempting to initialize a new MariaDB Galera cluster with SSL-encrypted replication.

I have followed this guide to the letter, specified different details for CA, Server, and Client certificates (I read there can be issues when they are exactly the same), and placed my certificate files in /etc/mysql/ssl/.

root@server:/etc/mysql/ssl# openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem
server-cert.pem: OK
client-cert.pem: OK
root@server:/etc/mysql/ssl#

These are my SSL-related settings:

[mysqld]
ssl-ca = /etc/mysql/ssl/ca-cert.pem
ssl-key = /etc/mysql/ssl/server-key.pem
ssl-cert = /etc/mysql/ssl/server-cert.pem
wsrep_provider_options="socket.ssl_key=/etc/mysql/ssl/server-key.pem;socket.ssl_cert=/etc/mysql/ssl/server-cert.pem;socket.ssl_ca=/etc/mysql/ssl/ca-cert.pem;socket.checksum=2;socket.ssl_cipher=AES128-SHA"

[mysql]
ssl-ca = /etc/mysql/ssl/ca-cert.pem
ssl-key = /etc/mysql/ssl/client-key.pem
ssl-cert = /etc/mysql/ssl/client-cert.pem

When I try to start my first node with service mysql start --wsrep-new-cluster, I get the following errors:

2016-02-02 14:01:25 140601166120896 [ERROR] WSREP: Bad value '/etc/mysql/ssl/server-key.pem' for SSL parameter 'socket.ssl_key': : 22 (Invalid argument)
     at galerautils/src/gu_asio.cpp:ssl_prepare_context():148
2016-02-02 14:01:25 140601166120896 [ERROR] WSREP: wsrep::init() failed: 7, must shutdown
2016-02-02 14:01:25 140601166120896 [ERROR] Aborting

I found the code throwing that error, but it didn't help me find the cause of the issue.

I am using MariaDB 10.1.11 with Galera 25.3.12.

Andrew Ensley

2 Answers


My permissions were off. This fixed it:

root@server:/etc/mysql# chmod 500 /etc/mysql/ssl/
root@server:/etc/mysql# chmod 400 /etc/mysql/ssl/*
root@server:/etc/mysql# chown -R mysql:mysql /etc/mysql/ssl/
Andrew Ensley
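Galera reports the failed open as "Bad value ... Invalid argument" rather than a permission error, so it is worth checking up front that the service account can actually reach the key and certificate files. The script below is an added example, not part of the answer above: it verifies that a directory and the files in it are owned by the given user with no group/other permission bits, and applies the layout from the answer (directory 500, files 400, owned by the service user) when they are not. The `mysql` account name and the `/etc/mysql/ssl` path are assumptions taken from the question.

```bash
#!/bin/sh
# Added example: pre-flight check for a TLS material directory used by
# mysqld/Galera.  Not from the original answer; "mysql" and /etc/mysql/ssl
# are assumptions, pass whatever user and path apply on your node.

# check_ssl_dir DIR USER
#   Exit 0 when DIR and every regular file under it are owned by USER and
#   carry no group/other permission bits; otherwise list each offender on
#   stderr and exit 1.  "-perm /077" (any group/other bit set) is GNU/BSD
#   find syntax.
check_ssl_dir() {
    dir=$1
    user=$2
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    id "$user" >/dev/null 2>&1 || { echo "unknown user: $user" >&2; return 1; }
    bad=$(find "$dir" \( -type d -o -type f \) \
               \( ! -user "$user" -o -perm /077 \) -print)
    if [ -n "$bad" ]; then
        printf 'not private to %s:\n%s\n' "$user" "$bad" >&2
        return 1
    fi
    return 0
}

# fix_ssl_dir DIR OWNER GROUP
#   Apply the permissions from the answer: the directory becomes 500, each
#   regular file 400, everything owned by OWNER:GROUP.  Needs root unless
#   OWNER is the calling user.
fix_ssl_dir() {
    dir=$1
    owner=$2
    group=$3
    chown -R "$owner:$group" "$dir" || return 1
    chmod 500 "$dir" || return 1
    find "$dir" -type f -exec chmod 400 {} +
}

# Typical use on the node from the question (as root; mysql user assumed):
#   check_ssl_dir /etc/mysql/ssl mysql || fix_ssl_dir /etc/mysql/ssl mysql mysql
```

Run the check after any change to the certificate files; a re-generated key copied in as root with the default umask will fail it again.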

Fixing permissions doesn't work in my case; I have to activate permissive mode for mysqld_t: semanage permissive -a mysqld_t

galera.te

allow mysqld_t admin_home_t:file { getattr open read };
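The rule above names `admin_home_t`, the label files get under /root, which suggests the certificates were generated there and moved into place with `mv` (which keeps the SELinux context; `cp` would have given them the target directory's default label). Making the whole `mysqld_t` domain permissive is broader than needed. The script below is an added example, not part of the answer: it wraps the posted allow rule in the module declaration and require block that `checkmodule` needs, builds and loads it, and shows the narrower alternative of relabelling the directory instead. The `cert_t` label and the `/etc/mysql/ssl` path are assumptions; confirm with `sesearch` that your mysql policy lets `mysqld_t` read `cert_t` before relying on it.

```bash
#!/bin/sh
# Added example (not from the original answer): two narrower alternatives
# to "semanage permissive -a mysqld_t".  Paths and the cert_t label are
# assumptions for illustration.

# write_galera_te OUT
#   The allow rule from the answer only compiles once it sits in a module
#   with a require block naming the types and classes it uses.
write_galera_te() {
    out=$1
    cat > "$out" <<'EOF'
module galera 1.0;

require {
    type mysqld_t;
    type admin_home_t;
    class file { getattr open read };
}

# Let mysqld read certificate files that still carry the /root label.
allow mysqld_t admin_home_t:file { getattr open read };
EOF
}

# build_and_load TE
#   .te -> .mod -> .pp -> semodule.  Needs checkpolicy and policycoreutils.
build_and_load() {
    te=$1
    base=${te%.te}
    command -v checkmodule >/dev/null 2>&1 || { echo "checkmodule not found" >&2; return 1; }
    checkmodule -M -m -o "$base.mod" "$te" || return 1
    semodule_package -o "$base.pp" -m "$base.mod" || return 1
    semodule -i "$base.pp"
}

# relabel_cert_dir DIR
#   Preferred: give the files a label mysqld is already allowed to read, so
#   no custom policy is needed and mysqld_t stays enforcing.  Check first:
#     sesearch -A -s mysqld_t -t cert_t -c file
#   (from setools) should list read/open/getattr.
relabel_cert_dir() {
    dir=$1
    command -v semanage >/dev/null 2>&1 || { echo "semanage not found" >&2; return 1; }
    semanage fcontext -a -t cert_t "$dir(/.*)?" || return 1
    restorecon -Rv "$dir"
}

# Typical use on the node from the question (as root):
#   relabel_cert_dir /etc/mysql/ssl
# or, if the policy really does not cover the label you need:
#   write_galera_te /root/galera.te && build_and_load /root/galera.te
```

After either change, `ls -Z /etc/mysql/ssl` should no longer show `admin_home_t`, and the node can be started without the domain in permissive mode.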