PrivacyIDEA 3.1.2 installed from the Ubuntu Server 18.04 package with SSL enabled on MySQL. Using the following connection string in 3.1.2: mysql://pi:OUo0eMY5TYoc@localhost/pi?charset=utf8&ssl_key=/var/lib/mysql/client-key.pem&ssl_cert=/var/lib/mysql/client-cert.pem
After upgrading to PrivacyIDEA 3.2, it appears pi.cfg is touched and the connection string is changed to include pymysql+mysql at the beginning. This causes a 500 error when connecting to the WebUI.
To my knowledge the “MySQLdb” module is a C wrapper module. We do not use it, since it would require development tools to be installed. This is the reason we are using “mysql+pymysql”, which is a pure python implementation.
So you probably need to reinstall the mysql driver in the python virtualenv.
I would recommend not using the Ubuntu packages if you are changing too much.
It seems that the mysql package installs the client key with different permissions. In my setup it is only readable by the mysql user but not by the apache2 user www-data. This leads to the Permission denied error.
But why do you need SSL-encrypted traffic on localhost anyway? Correct me if I am wrong, but only root should be able to dump/redirect the traffic, and if root is compromised, SSL won't help you there.
The “mysql” driver is from 2014. This is another reason we are not using it anymore.
I took the effort to look into the third-party code:
Both drivers seem to expect the same ssl argument option.
However, I do not find your initial post anymore (also spent enough time today here), but if the pymysql ssl is working at all, you might want to investigate the access rights further.
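To make the two problems in this thread checkable before Apache is restarted (the URI missing the explicit pymysql driver, and the web server user not being able to read the client key), here is a small stand-alone Python script. It is an added example, not code from privacyIDEA or from anyone in the thread. It uses only the standard library: it splits an SQLAlchemy-style URI, rewrites a bare mysql:// scheme to mysql+pymysql://, redacts the password for logging, and reports whether the process running it can read each file named by ssl_key / ssl_cert (ssl_ca is included on the assumption that it is passed the same way). The sample URI and the key/cert files it creates are constructed placeholders; run it as www-data to reproduce the permission failure described above.

```python
import os
import stat
import tempfile
from urllib.parse import urlsplit, urlunsplit, parse_qs

# Constructed sample: same shape as the URI in the original post, placeholder password.
SAMPLE_URI = ("mysql://pi:PLACEHOLDER_PASSWORD@localhost/pi"
              "?charset=utf8&ssl_key=/var/lib/mysql/client-key.pem"
              "&ssl_cert=/var/lib/mysql/client-cert.pem")

# Query options that name files on disk (ssl_ca is an assumption, the others are from the post).
FILE_OPTIONS = {"ssl_ca", "ssl_cert", "ssl_key"}


def parse_db_uri(uri):
    """Split an SQLAlchemy-style URI into dialect, DBAPI driver, credentials, database and query options."""
    parts = urlsplit(uri)
    dialect, _, driver = parts.scheme.partition("+")
    return {
        "dialect": dialect,
        "driver": driver or None,          # None when the URI is a bare mysql://
        "username": parts.username,
        "host": parts.hostname,
        "database": parts.path.lstrip("/"),
        "query": {k: v[0] for k, v in parse_qs(parts.query).items()},
    }


def with_driver(uri, driver="pymysql"):
    """Return the URI with an explicit driver, e.g. mysql:// becomes mysql+pymysql://."""
    parts = urlsplit(uri)
    dialect, _, current = parts.scheme.partition("+")
    if current == driver:
        return uri
    return urlunsplit(parts._replace(scheme=f"{dialect}+{driver}"))


def redact_uri(uri):
    """Replace the password so the URI can be written to a log or a ticket."""
    parts = urlsplit(uri)
    if parts.password is None:
        return uri
    netloc = f"{parts.username}:***@{parts.hostname}"
    if parts.port:
        netloc += f":{parts.port}"
    return urlunsplit(parts._replace(netloc=netloc))


def check_ssl_files(uri):
    """For each ssl_* option naming a file, report existence, readability by this
    process (os.access uses the real uid, so run it as the web server user) and the
    permission bits, flagging private keys that are world-readable."""
    report = {}
    for key, path in parse_db_uri(uri)["query"].items():
        if key not in FILE_OPTIONS:
            continue
        entry = {"exists": os.path.exists(path), "readable": False,
                 "mode": None, "world_readable": None}
        if entry["exists"]:
            mode = stat.S_IMODE(os.stat(path).st_mode)
            entry["readable"] = os.access(path, os.R_OK)
            entry["mode"] = oct(mode)
            entry["world_readable"] = bool(mode & stat.S_IROTH)
        report[key] = entry
    return report


def demo_report():
    """Create constructed key/cert files with typical modes and check a URI that points at them."""
    with tempfile.TemporaryDirectory() as tmp:
        key = os.path.join(tmp, "client-key.pem")
        cert = os.path.join(tmp, "client-cert.pem")
        for path in (key, cert):
            with open(path, "w") as fh:
                fh.write("constructed placeholder, not a real PEM file\n")
        os.chmod(key, 0o600)   # private key: owner only
        os.chmod(cert, 0o644)  # certificate is public, world-readable is fine
        uri = with_driver(f"mysql://pi:PLACEHOLDER_PASSWORD@localhost/pi"
                          f"?charset=utf8&ssl_key={key}&ssl_cert={cert}")
        return uri, check_ssl_files(uri)


if __name__ == "__main__":
    uri, report = demo_report()
    print("checked:", redact_uri(uri))
    for option, entry in report.items():
        print(f"{option}: {entry}")
```

On a real host, point the script at the URI from pi.cfg and run it with `sudo -u www-data`; a `readable: False` for ssl_key is exactly the condition that surfaces as the 500 error, and the fix is a copy of the key owned by www-data (mode 0400 or 0640 with the right group), not a world-readable key in /var/lib/mysql.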
Another side note: We do not use SSL with MySQL. Why? When we started with MySQL, SSL was only good for protecting the login, but not the data transfer. Also: a lot of installations do not monitor their certificates. Expired certificates make for great error messages.
This is why we usually do encryption by setting up a VPN between the nodes, which seems more robust to me.