docker-library / mysql

Docker Official Image packaging for MySQL Community Server
https://dev.mysql.com/
GNU General Public License v2.0

Question: updating SSL certificates on the MySQL docker container #998

Closed ghnp5 closed 1 year ago

ghnp5 commented 1 year ago

Hello,

I use LetsEncrypt certificates for all my services, and mount those certificates against the MySQL docker container:

docker-compose.yml:

volumes:
    - /path/to/certs/:/etc/my.cnf.d/certs/:ro

my.cnf:

[mysqld]
ssl_cert                        = "/etc/my.cnf.d/certs/fullchain.pem"
ssl_key                         = "/etc/my.cnf.d/certs/privkey.pem"

If I update those certificates in the Host, do I need to do anything on the container, such as either restarting it or running "FLUSH SSL;", or will the container handle the certificates being updated?

Also, I noticed that even though I have my own certificates, MySQL has gone ahead and generated some Server and Client certificates inside the local /var/lib/mysql/ folder. I wonder if it's really using my own certificates, although the paths seem to be the ones I provided, when I look at the live variables on the server. So I'm not sure what the certificates created inside /var/lib/mysql/ are used for.

Many thanks!

ghnp5 commented 1 year ago

The answer may be here: https://dev.mysql.com/doc/refman/8.0/en/using-encrypted-connections.html#using-encrypted-connections-server-side-runtime-configuration

My understanding is that as of 8.0.16, the new certificates will automatically be used on new connections.

As of 8.0.21, there is a new command "ALTER INSTANCE RELOAD TLS", but it only needs to be run if I'm changing other TLS configurations, and this doesn't need to be run when updating certificates.
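A check for both questions above, added here as an example and not code from the issue or the docker-library/mysql image: it compares the SHA-256 fingerprint of the mounted fullchain.pem with the certificate the running server actually presents in its TLS handshake, which shows whether the mounted certificate (rather than the one mysqld generated in /var/lib/mysql) is in use and whether a renewal has been picked up. It assumes openssl 1.1.1 or newer on the host (for -starttls mysql), a container named mysql, and the official image's MYSQL_ROOT_PASSWORD variable being present in the container environment for the reload step.

```shell
#!/bin/sh
# Added example, not code from the issue or the docker-library/mysql image.
# Compares the certificate on disk with the one the MySQL server presents,
# and reloads the server's TLS context when they differ.
# Assumptions: openssl >= 1.1.1 (-starttls mysql), container name "mysql",
# MYSQL_ROOT_PASSWORD set in the container's environment (official image).
set -u

# SHA-256 fingerprint (64 hex chars) of the first certificate in a PEM file,
# i.e. the leaf certificate when given LetsEncrypt's fullchain.pem.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//; s/://g'
}

# Fingerprint of the certificate the server sends in the TLS handshake.
# MySQL upgrades a plaintext connection to TLS, hence -starttls mysql.
served_fingerprint() {
  openssl s_client -starttls mysql -connect "$1:${2:-3306}" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//; s/://g'
}

# Exit status 0 only when both fingerprints are non-empty and identical.
fingerprints_match() {
  [ -n "$1" ] && [ -n "$2" ] && [ "$1" = "$2" ]
}

# main /path/to/certs/fullchain.pem HOST [PORT] [CONTAINER]
main() {
  pem="$1"; host="$2"; port="${3:-3306}"; container="${4:-mysql}"
  on_disk=$(cert_fingerprint "$pem")
  served=$(served_fingerprint "$host" "$port")
  if fingerprints_match "$on_disk" "$served"; then
    echo "OK: server presents $pem ($on_disk)"
  else
    echo "MISMATCH: disk=$on_disk served=$served, reloading TLS context"
    # Explicit reload of the certificate files without restarting mysqld.
    docker exec "$container" sh -c \
      'mysql -uroot -p"$MYSQL_ROOT_PASSWORD" -e "ALTER INSTANCE RELOAD TLS"'
    # Re-check: a persistent mismatch means the server never loaded the mounted
    # files (wrong path, bind-mount permissions, or still the certificates that
    # mysqld generated in /var/lib/mysql at initialization).
    served=$(served_fingerprint "$host" "$port")
    fingerprints_match "$on_disk" "$served" && echo "OK after reload"
  fi
}

# Only run when invoked with arguments, so the functions can also be sourced.
if [ "$#" -ge 2 ]; then main "$@"; fi
```

Run it from the host after each certbot renewal hook; an "OK" verdict before any reload confirms the behaviour described in the comment above for your version.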