Sunday, 12 March 2017

Let's Encrypt SSL Recipes -- MySQL with Let's Encrypt Certificates

It may be the case that you need to encrypt a connection to a MySQL server. You may want to do this if you are connecting to the server remotely, e.g. via a MySQL client across the internet or an ODBC connection. Normally this would not be required because you would be connected to a web server that would have a private network or other secure connection to the database server, but in some cases even that private network connection may not be secure -- hence the need for encryption.

If you need to secure a MySQL connection, you can use Let's Encrypt certificates to do so. MySQL is (like sendmail) fussy about the permissions on the certificates and keys, so copy the Let's Encrypt files from their normal location to MySQL's directory and set the ownership and permissions on the copies.

Assuming that you have created certificates for the site mysite.com, use this recipe:

cp /etc/letsencrypt/live/mysite.com/*.pem /var/lib/mysql
chown mysql:mysql /var/lib/mysql/*.pem
chmod 600 /var/lib/mysql/*.pem
 
Then you just need to add these lines to the [mysqld] section of your MySQL configuration file (this will be either /etc/my.cnf or /etc/mysql/my.cnf or /etc/my.cnf.d/server.cnf):

ssl_ca=/var/lib/mysql/chain.pem
ssl_cert=/var/lib/mysql/cert.pem
ssl_key=/var/lib/mysql/privkey.pem
 
Restart your MySQL or MariaDB server:

service mariadb restart
 
Make a connection to the MySQL server using the --ssl option:

mysql --ssl
 
Then, to check that everything is installed correctly, run the following statement in the mysql client:

SHOW STATUS LIKE 'Ssl_cipher';
 
You should get output that looks like this:

Variable_name   Value
Ssl_cipher      DHE-RSA-AES256-GCM-SHA384
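
The files copied into /var/lib/mysql are a snapshot, and certbot renews the originals under /etc/letsencrypt/live, so the copy step has to be repeated after every renewal. The script below is an added example, not part of the original post: a certbot deploy hook that repeats the recipe's copy, ownership and permission steps. The hook file name is an assumption; it relies on certbot's renewal-hooks/deploy directory and its RENEWED_LINEAGE variable.

```shell
#!/bin/bash
# Added example: certbot deploy hook that refreshes MySQL's copies of the
# Let's Encrypt files after a renewal. Assumed install path:
# /etc/letsencrypt/renewal-hooks/deploy/mysql-certs.sh (executable).

# sync_le_certs SRC_DIR DEST_DIR [OWNER]
# Copies chain.pem, cert.pem and privkey.pem into DEST_DIR with mode 600.
# Prints "changed" if any file was updated, otherwise "unchanged".
sync_le_certs() {
    local src="$1" dest="$2" owner="${3:-}" changed=0 f tmp
    for f in chain.pem cert.pem privkey.pem; do
        [ -r "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
    done
    for f in chain.pem cert.pem privkey.pem; do
        # Nothing to do if MySQL's copy already matches the live file.
        if [ -f "$dest/$f" ] && cmp -s "$src/$f" "$dest/$f"; then
            continue
        fi
        # Stage in DEST_DIR, restrict access, then rename into place so the
        # key is never world-readable or half-written under its final name.
        tmp=$(mktemp "$dest/.$f.XXXXXX") || return 1
        cat "$src/$f" > "$tmp" && chmod 600 "$tmp" || { rm -f "$tmp"; return 1; }
        if [ -n "$owner" ]; then
            chown "$owner" "$tmp" || { rm -f "$tmp"; return 1; }
        fi
        mv -f "$tmp" "$dest/$f" || { rm -f "$tmp"; return 1; }
        changed=1
    done
    if [ "$changed" -eq 1 ]; then echo changed; else echo unchanged; fi
}

# certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/mysite.com) for
# deploy hooks; when it is unset, nothing below runs.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    result=$(sync_le_certs "$RENEWED_LINEAGE" /var/lib/mysql mysql:mysql) || exit 1
    # Restart only when a file actually changed, as in the recipe above.
    if [ "$result" = changed ]; then service mariadb restart; fi
fi
```

After the next renewal, running SHOW STATUS LIKE 'Ssl_cipher'; over a --ssl connection again confirms that the server came back up with the refreshed files.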
