1

Trying to generate ssl certificates for mariadb in an openssl3 environment

This post does not seem to give me any solution either.

Getting errors:

SSL error: Unable to get certificate from '/etc/certs/server-cert.pem'
2022-09-11 19:14:11 0 [Warning] Failed to setup SSL
2022-09-11 19:14:11 0 [Warning] SSL error: Unable to get certificate
2022-09-11 19:14:11 0 [Warning] SSL error: error:0A00018E:SSL routines::ca md too weak

/etc/certs/server-cert.pem is definitely there, in the same folder as the others that are found and populated, so I am guessing my problem is with "md too weak".

I get no error when I generate my files; here is the list of generated files from the script below:

[image: list of the generated certificate and key files]

I searched a lot but found no clear solution. Everyone says that you either lower the security level in openssl or use a better algorithm, but I find no example on the net. I also added -sha256 but without any success.

here is my script:

#!/bin/sh

# SERVER
# create a new CA key
openssl genrsa 4096 > ca-key.pem
# create the self-signed CA certificate, signed with SHA-256
openssl req -new -x509 -nodes -days 365000 -key ca-key.pem -out ca-cert.pem -sha256 -subj "/C=EU/ST=EU/L=EU/O=EU/OU=vps/CN=server"
# create the server key and certificate request (-days only applies with -x509, so it is dropped here)
openssl req -newkey rsa:2048 -nodes -keyout server-key.pem -out server-req.pem -sha256 -subj "/C=EU/ST=EU/L=EU/O=EU/OU=vps/CN=serverreq"
# rewrite the server key as a plain, unencrypted PEM key
openssl rsa -in server-key.pem -out server-key.pem
# sign the server certificate with the CA; without -sha256 the signing digest is whatever this
# openssl binary defaults to, and an SHA-1 or MD5 signature is what triggers "ca md too weak"
openssl x509 -req -in server-req.pem -days 365000 -CA ca-cert.pem -CAkey ca-key.pem -sha256 -set_serial 01 -out server-cert.pem

# CLIENT
# create the client key and certificate request
openssl req -newkey rsa:2048 -nodes -keyout client-key.pem -out client-req.pem -sha256 -subj "/C=EU/ST=EU/L=EU/O=EU/OU=vps/CN=client"
# rewrite the client key as a plain, unencrypted PEM key
openssl rsa -in client-key.pem -out client-key.pem
# sign the client certificate; give it a serial different from the server certificate's
openssl x509 -req -in client-req.pem -days 365000 -CA ca-cert.pem -CAkey ca-key.pem -sha256 -set_serial 02 -out client-cert.pem

and my docker compose:

database:
    container_name: mariadb
    image: "mariadb:${MARIADB_VERSION}"
    restart: always
    env_file: .env
    volumes:
      - "${SQL_INIT}:/docker-entrypoint-initdb.d"
      - type: bind
        source: ${MARIADB_DATA_DIR}
        target: /var/lib/mysql
      - type: bind
        source: ${MARIADB_LOG_DIR}
        target: /var/logs/mysql
      - type: bind
        source: ${MARIADB_CERTS_DIR}
        target: /etc/certs/
    environment:
      MYSQL_ROOT_PASSWORD: "${MYSQL_ROOT_PASSWORD}"
      MYSQL_DATABASE: "${MYSQL_DATABASE}"
      MYSQL_USER: "${MYSQL_USER}"
      MYSQL_PASSWORD: "${MYSQL_PASSWORD}"
    ports:
      - "3306:3306"
    networks:
      - app_network
    command: [  
                "--character-set-server=utf8mb4",
                "--collation-server=utf8mb4_unicode_ci",
                "--bind-address=database",
                "--require_secure_transport=ON",
                "--ssl-ca=/etc/certs/ca-cert.pem",
                "--ssl-cert=/etc/certs/server-cert.pem",
                "--ssl-capath=/etc/certs/",
                "--ssl-key=/etc/certs/server-key.pem",
                "--default_authentication_plugin=mysql_native_password" 
              ]
Sam
  • 1,557
  • 3
  • 26
  • 51
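The same three-certificate setup as the script above, written as an added example (not the asker's script) that pins SHA-256 on every signing step, gives each certificate its own serial, and checks the signature digest of each file before MariaDB loads it, so a weak digest is caught on the host rather than in the container log. DIR, the subject and the CN values are constructed for the example.

```shell
#!/bin/sh
# Added example, not the asker's script: generate CA, server and client
# certificates with the SHA-256 digest spelled out on every signing step (so the
# result does not depend on the default digest of whichever openssl binary runs),
# give each certificate its own serial, and check the digests before MariaDB
# loads the files. DIR and the subject below are constructed values.
set -eu

DIR="${DIR:-./certs}"
SUBJ="/C=EU/ST=EU/L=EU/O=EU/OU=vps"

# sign_cert CSR OUT SERIAL DIGEST: issue a certificate for CSR under the CA.
sign_cert() {
    openssl x509 -req -"$4" -days 3650 -in "$1" -CA "$DIR/ca-cert.pem" \
        -CAkey "$DIR/ca-key.pem" -set_serial "$3" -out "$2" 2>/dev/null
}

gen_certs() {
    mkdir -p "$DIR"
    openssl genrsa -out "$DIR/ca-key.pem" 4096 2>/dev/null
    openssl req -new -x509 -sha256 -nodes -days 3650 -key "$DIR/ca-key.pem" \
        -subj "$SUBJ/CN=vps-ca" -out "$DIR/ca-cert.pem" 2>/dev/null
    # Server CN is the name clients connect to (the compose service "database").
    openssl req -newkey rsa:2048 -nodes -keyout "$DIR/server-key.pem" \
        -subj "$SUBJ/CN=database" -out "$DIR/server-req.pem" 2>/dev/null
    sign_cert "$DIR/server-req.pem" "$DIR/server-cert.pem" 01 sha256
    openssl req -newkey rsa:2048 -nodes -keyout "$DIR/client-key.pem" \
        -subj "$SUBJ/CN=client" -out "$DIR/client-req.pem" 2>/dev/null
    sign_cert "$DIR/client-req.pem" "$DIR/client-cert.pem" 02 sha256
}

# Print a certificate's signature algorithm, e.g. sha256WithRSAEncryption.
sig_alg() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Succeed only if the digest is one OpenSSL 3 accepts at its default security
# level; an md5 or sha1 signature here is what MariaDB reports as "ca md too weak".
check_cert() {
    case "$(sig_alg "$1")" in
        md2*|md4*|md5*|sha1*) echo "WEAK: $1 is signed with $(sig_alg "$1")" >&2; return 1 ;;
        *) return 0 ;;
    esac
}

# Pre-flight for the compose volume: acceptable digests and a chain to the CA.
verify_chain() {
    for f in ca-cert server-cert client-cert; do check_cert "$DIR/$f.pem" || return 1; done
    openssl verify -CAfile "$DIR/ca-cert.pem" "$DIR/server-cert.pem" "$DIR/client-cert.pem"
}
```

Run `gen_certs && verify_chain` with DIR pointing at the directory mounted as /etc/certs; if check_cert prints a WEAK line, that file is the one MariaDB will refuse.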

3 Answers

1

TL;DR

The script you have will generate good certificates if you use openssl 3.

Motivation: I have a similar script, and after moving from PC to mac, I was caught out for a while with the issue you describe.

Details that were specific to my case but may help others:

If you have used brew to install openssl@3 and are still having issues, you can see what you're using with openssl version, and where that is with which openssl. If it's not openssl@3, then change your code to point to the correct binary, probably located at /usr/local/opt/openssl/bin/openssl.

I know it's a bit late, but hope it helps someone.

Grant
  • 105
  • 8
0

I also got this problem. Basically this error starts to appear when you use OpenVPN v.2.3.0 or above.

I just reverted to using the OpenVPN v.2.5.9 client and it worked for me.

weslyn
  • 1
-1

Please read the error message carefully: MD5 (but also SHA1) are considered insecure and refused by recent TLS libraries since several years.

You should regenerate your CA and certificates with secure ciphers, as your current ciphers are considered to be not secure anymore.

From Wikipedia: "On 31 December 2008, the CMU Software Engineering Institute concluded that MD5 was essentially 'cryptographically broken and unsuitable for further use'."

That was 14 years ago...

Georg Richter
  • 5,970
  • 2
  • 9
  • 15