Hello,

(Not reporting as a bug immediately; looking for confirmation and advice before doing so as it feels like this would be more widely reported if others are affected.)

Several of our MariaDB servers failed to return after regular patching this morning after MariaDB upgraded from 10.11.11 to 10.11.13. Looks like, after being happy with the SSL keys for over six months, MariaDB suddenly doesn't like them.

This looks like something has changed in MariaDB in this version that is stopping it reading our SSL keys, but I cannot see anything in the release notes relating to changes to SSL for .12 or .13: https://mariadb.com/kb/en/mariadb-10-11-13-changelog/

Workings:

Patching immediately before updated from 10.11.11 to 10.11.13. (No other updates applied apart from zabbix-agent.)

VMs are running Rocky 9.

Upgrading:

MariaDB-client    x86_64  10.11.13-1.el9  mariadb_10.11_r9  9.3 M
MariaDB-common    x86_64  10.11.13-1.el9  mariadb_10.11_r9   88 k
MariaDB-server    x86_64  10.11.13-1.el9  mariadb_10.11_r9   18 M
MariaDB-shared    x86_64  10.11.13-1.el9  mariadb_10.11_r9  131 k

Before patching, MariaDB was using one-sided SSL with self-signed SSL certs. Everything working as expected, been in place for over six months.

After MariaDB upgraded from 10.11.11 to .13, MariaDB will not start.

250526  6:38:03 server_audit: logging started to the syslog.
SSL error: Unable to get private key from '/etc/my.cnf.d/ssl/server-key.pem'
2025-05-26  6:38:03 0 [ERROR] Failed to setup SSL
2025-05-26  6:38:03 0 [ERROR] SSL error: Unable to get private key
2025-05-26  6:38:03 0 [ERROR] Aborting

server-key.pem looks okay, starts with "-----BEGIN RSA PRIVATE KEY-----" - privs are 700, owned by mysql user, turning off SELinux doesn't fix it. File date is six months old (it's a year-long key with checks to renew at -30d), and openssl likes it:

# openssl rsa -in server-key.pem -check
RSA key ok
writing RSA key
-----BEGIN RSA PRIVATE KEY-----

My temporary fix is removing this from the config and then MariaDB will restart. Fortunately our clients don’t require SSL.

[mysqld]
#ssl-ca=/etc/my.cnf.d/ssl/ca-cert.pem
#ssl-cert=/etc/my.cnf.d/ssl/server-cert.pem
#ssl-key=/etc/my.cnf.d/ssl/server-key.pem

Thank you